New Ubuntu Linux Kernel Updates Fix 19 Vulnerabilities, Patch Now

Affected systems include Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS.
Ubuntu 19 Vulnerabilities

Canonical published today new Linux kernel updates for all supported Ubuntu LTS systems to address a total of 19 security vulnerabilities.

The new Ubuntu kernel updates are available only for long-term supported Ubuntu systems, including Ubuntu 22.04 LTS (Jammy Jellyfish), Ubuntu 20.04 LTS (Focal Fossa), and Ubuntu 18.04 LTS (Bionic Beaver).

These Ubuntu kernel updates are here to patch up to 19 vulnerabilities, including CVE-2022-41849 and CVE-2022-41850, two race conditions discovered in the Roccat HID and SMSC UFX USB drivers that could lead to use-after-free vulnerabilities. These affect all Ubuntu LTS systems mentioned above and could allow local and physically proximate attackers to cause a denial of service (system crash) or execute arbitrary code.

Three other vulnerabilities affected Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS, as well as Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS.

These are CVE-2022-3640, a use-after-free vulnerability in the Bluetooth stack that could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code, CVE-2022-3628, a security flaw in the Broadcom FullMAC USB WiFi driver that could allow a physically proximate attacker to craft a malicious USB device causing a denial of service (system crash) or executing arbitrary code, and CVE-2022-42895, a flaw in the Bluetooth L2CAP implementation that could allow a physically proximate attacker to expose sensitive information (kernel memory).

Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS were also affected by CVE-2022-3623, a race condition found in the hugetlb implementation that could allow a local attacker to cause a denial of service (system crash) or expose sensitive information (kernel memory), as well as CVE-2022-3543, a memory leak discovered in the Unix domain socket implementation that could allow a local attacker to cause a denial of service (memory exhaustion).

The same goes for CVE-2022-3619, a security issue found in the Bluetooth HCI implementation that could allow an attacker to cause a denial of service (memory exhaustion), and CVE-2023-0590, a race condition discovered in the qdisc implementation that could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.

Also, CVE-2022-47940 was patched for Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems running Linux kernel 5.15 LTS. This is a security flaw discovered by Arnaud Gatignol, Quentin Minster, Florent Saudel, and Guillaume Teissier in Linux kernel’s KSMBD implementation, which could allow an authenticated attacker to cause a denial of service (system crash), expose sensitive information (kernel memory), or execute arbitrary code.

Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, as well as Ubuntu 18.04 LTS systems running Linux kernel 4.15 were also affected by CVE-2022-3649, a use-after-free vulnerability discovered by Khalid Masum in the NILFS2 file system implementation, which could allow a local attacker to cause a denial of service or execute arbitrary code.

The new Ubuntu kernel updates also patch eight other security flaws affecting only Ubuntu 18.04 LTS systems running Linux kernel 4.15. These include CVE-2022-20369, an out-of-bounds write vulnerability found in the Video for Linux 2 (V4L2) implementation, CVE-2022-2663, a flaw discovered by David Leadbeater in the netfilter IRC protocol tracking implementation, as well as CVE-2022-29900 and CVE-2022-29901, two vulnerabilities discovered by Johannes Wikner and Kaveh Razavi in Linux kernel鈥檚 protections against speculative branch target injection attacks for AMD and Intel x86-64 processors that could allow a local attacker to expose sensitive information.

The same goes for CVE-2022-43750, a security issue discovered in the USB monitoring (usbmon) component, CVE-2022-3646, a flaw found in the NILFS2 file system implementation, CVE-2022-39842, an integer overflow vulnerability discovered by Hyunwoo Kim in the PXA3xx graphics driver, and CVE-2022-26373, a flaw affecting some Intel processors with eIBRS (Enhanced Indirect Branch Restricted Speculation). These could allow local attackers to expose sensitive information, cause a denial of service (system crash or memory exhaustion), or execute arbitrary code.

Canonical urges all Ubuntu LTS users to update their installations as soon as possible to the new kernel versions (linux-image 5.15.0-60.66 for Ubuntu 22.04 LTS, linux-image 5.15.0-60.66~20.04.1 and linux-image 5.4.0.139.137 for Ubuntu 20.04 LTS, as well as linux-image 4.15.0.204.187 for Ubuntu 18.04 LTS).

To update your systems, run the sudo apt update && sudo apt full-upgrade command in the Terminal app or use the Software Updater utility. Please keep in mind to reboot your installations after installing the new kernel versions, as well as to rebuild and reinstall any third-party kernel modules you might have installed.

Last updated 1 year ago

Buy Me a Coffee at ko-fi.com