Canonical Releases New Ubuntu Linux Kernel Security Updates to Fix 16 Vulnerabilities

Ubuntu 16 Vulnerabilities

Canonical released today new Linux kernel security updates for all supported Ubuntu LTS releases to address up to 16 vulnerabilities discovered by various security researchers.

The new Linux kernel security updates are about one month after the previous kernel update, which patched the recently disclosed Wi-Fi driver stack vulnerabilities, and are available only for all supported Ubuntu LTS (Long-Term Support) versions, including Ubuntu 22.04 LTS (Jammy Jellyfish), Ubuntu 20.04 LTS (Focal Fossa), and Ubuntu 18.04 LTS (Bionic Beaver).

Fixed in this new Linux kernel update are a total of 16 vulnerabilities, including five that are common to all supported Ubuntu releases. These are CVE-2022-2978, a use-after-free vulnerability discovered by Hao Sun and Jiacheng Xu in the NILFS file system implementation that could allow a local attacker to crash the system or execute arbitrary code, CVE-2022-3028, a race condition discovered by Abhishek Shah in the PF_KEYv2 implementation that could allow a local attacker to expose sensitive information (kernel memory) or crash the system, and CVE-2022-3635, a use-after-free vulnerability discovered in the IDT 77252 ATM PCI device driver that could allow a local attacker to crash the system or execute arbitrary code.

The same goes for CVE-2022-20422, a race condition discovered in Linux kernel’s instruction emulator on AArch64 (ARM64) systems, which could allow a local attacker to cause a denial of service (system crash), as well as CVE-2022-40768, a flaw discovered by Xingyuan Mo and Gengjia Chen in the Promise SuperTrak EX storage controller driver, which could allow a local attacker to expose sensitive information (kernel memory).

Only for Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS, as well as Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, the new Ubuntu kernel security update also fixes CVE-2022-3625, a flaw discovered in the Netlink device interface implementation that could lead to a use-after-free vulnerability with some network device drivers by allowing a local attacker with admin access to the network device to cause a denial of service (system crash) or possibly execute arbitrary code.

Two other flaws were patched for Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS, namely CVE-2022-2905, an out-of-bounds read vulnerability discovered by Hsin-Wei Hung in the BPF subsystem and the x86 JIT compiler, which could allow a local attacker to crash the system by causing a denial of service or expose sensitive information (kernel memory), and CVE-2022-39190, a flaw discovered by Gwangun Jung in the netfilter subsystem that could allow a local attacker to cause a denial of service (system crash).

Only for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, as well as Ubuntu 18.04 LTS and Ubuntu 16.04 ESM systems running Linux kernel 4.15, the new kernel update also addresses CVE-2022-2153, a security issue discovered in the KVM implementation that could allow a local attacker to crash the system.

Only for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, this update fixes CVE-2022-29901, a flaw discovered by Johannes Wikner and Kaveh Razavi that affected some Intel x86_64 CPUs by making Linux kernel’s protections against speculative branch target injection attacks insufficient, allowing a local attacker to expose sensitive information, as well as CVE-2022-39188 and CVE-2022-42703, two flaws discovered by Google Project Zero’s Jann Horn in the Linux kernel when unmapping VMAs, which could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.

The same goes for CVE-2022-41222, a race condition discovered in the memory address space accounting implementation that could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code, as well as CVE-2022-42719, a use-after-free vulnerability discovered by Sönke Huster in the Wi-Fi driver stack that could allow a physically proximate attacker to cause a denial of service (system crash) or execute arbitrary code.

Last but not least, the new Ubuntu kernel security update addresses CVE-2022-36879, a flaw discovered in the Netlink Transformation (XFRM) subsystem that could allow a local attacker to cause a denial of service (system crash). This flaw only affected the kernel packages of Ubuntu 18.04 LTS and Ubuntu 16.04 ESM systems running Linux kernel 4.15.

Canonical urges all users Ubuntu LTS users to update their kernel packages to the new versions available in the stable software repositories, namely linux-image 5.15.0.53.53 for Ubuntu 22.04 LTS systems, linux-image - 5.15.0-53.59~20.04.1 for Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS, linux-image 5.4.0.132.132 for Ubuntu 20.04 LTS systems running Linux kernel 5.4 LTS, linux-image-hwe-18.04 5.4.0.132.148~18.04.109 for Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, and linux-image 4.15.0.197.182 for Ubuntu 18.04 LTS systems running Linux kernel 4.15.

To update your Ubuntu installations, run the sudo apt update && sudo apt dist-upgrade command in the Terminal app or use the Software Updater utility. After installing the new kernel versions, you will have to reboot your computers, as well as to rebuild and reinstall any third-party kernel modules that you may have installed.

Last updated 1 year ago

Buy Me a Coffee at ko-fi.com