RHEL (Red Hat Enterprise Linux) 7 and CentOS 7 operating system series received an important Linux kernel security and bug fix update that addresses four vulnerabilities and several other issues.
Probably the most important vulnerability patched in this new Linux kernel security update for RHEL and CentOS 7 systems is a flaw (CVE-2020-10757) discovered in the way mremap handled DAX Huge Pages, which could allow a local attacker with access to DAX-enabled storage to escalate their privileges on the system.
Also important is the buffer overflow (CVE-2020-12653) discovered in Linux kernel’s Marvell WiFi-Ex driver, which could allow a local user to escalate their privileges on the system. This was patched as well in the new kernel security update, but you can protect yourself by blacklisting the mwifiex kernel module.
The Marvell WiFi-Ex driver was plagued by another important security flaw, namely CVE-2020-12654. This allows a remote WiFi access point to trigger a heap-based memory buffer overflow due to an incorrect memcpy operation, which could let attackers compromise data integrity and system availability. Again, users can blacklist the mwifiex kernel module to mitigate the flaw.
Last but not least, the security update addresses a use-after-free vulnerability (CVE-2019-19527) discovered in Linux kernel’s USB Human Interface Device class subsystem. This could allow an attacker with physical access to the system to possibly escalate his/her privileges.
A bunch of bugs were squashed as well in this kernel update, addressing high CPU consumption when performing BMC firmware upgrade, a dpdk regression, as well as various other bugs affecting the EXT4 file system, virtio-blk virtual block device, NFS implementation, libaio asynchronous I/O library, and other components.
It also provides the infrastructure needed to support dual-signing of the kernel, which is needed to correctly mitigate the recent BootHole vulnerability in the GRUB2 bootloader.
All CentOS Linux 7 and Red Hat Enterprise Linux 7 users running the 3.10.0 kernel are urged to update their systems as soon as possible to kernel-3.10.0-1127.18.2.el7, which, of course, is only available for 64-bit (x86_64) architectures. Do reboot your computers after installing the new kernel version.
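As an added example (not part of the advisory or of Red Hat's tooling), the POSIX shell script below checks the running kernel against the fixed build named above and, if the mwifiex module is loaded, prints the modprobe drop-in that blacklists it until the host is rebooted onto the patched kernel. The drop-in path /etc/modprobe.d/mwifiex-blacklist.conf is an assumption, and version ordering relies on GNU sort -V.

```shell
#!/bin/sh
# Added example: audit a RHEL/CentOS 7 host for the kernel fix and the
# mwifiex mitigation described in the advisory summary above.

FIXED_KERNEL="3.10.0-1127.18.2.el7"

# Returns 0 (true) when the kernel version in $1 is older than the fixed
# build, i.e. the update is still needed; 1 otherwise.
# Accepts raw `uname -r` output such as 3.10.0-1127.13.1.el7.x86_64.
kernel_needs_update() {
    ver="${1%.x86_64}"                  # drop the arch suffix if present
    [ "$ver" = "$FIXED_KERNEL" ] && return 1
    # GNU sort -V orders RPM-style versions; the first line is the oldest.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_KERNEL" | sort -V | head -n1)
    [ "$lowest" = "$ver" ]
}

# Returns 0 if mwifiex (or one of its mwifiex_* bus drivers) is loaded.
mwifiex_loaded() {
    lsmod 2>/dev/null | awk '$1 ~ /^mwifiex/ { found = 1 } END { exit !found }'
}

# Content of the modprobe drop-in that prevents the driver from loading.
# "install ... /bin/false" also covers explicit modprobe requests.
blacklist_conf() {
    printf 'blacklist mwifiex\ninstall mwifiex /bin/false\n'
}

main() {
    running=$(uname -r)
    if kernel_needs_update "$running"; then
        echo "kernel $running predates $FIXED_KERNEL: update and reboot"
    else
        echo "kernel $running is at or above the fixed build"
    fi
    if mwifiex_loaded; then
        echo "mwifiex is loaded; write this to /etc/modprobe.d/mwifiex-blacklist.conf:"
        blacklist_conf
    else
        echo "mwifiex is not loaded"
    fi
}

main
```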
Affected systems include Red Hat Enterprise Linux Server 7, Red Hat Enterprise Linux Workstation 7, Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux for IBM z Systems 7, Red Hat Enterprise Linux for Power, big endian 7, Red Hat Enterprise Linux for Scientific Computing 7, Red Hat Enterprise Linux for Power, little endian 7, Red Hat Virtualization Host 4 for RHEL 7, and CentOS Linux 7.