Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched


Today, Canonical published new Linux kernel security updates for all supported Ubuntu releases and it looks like it’s a massive update that addresses more than 30 security vulnerabilities.

The new Linux kernel security updates come about two weeks after the previous updates, which were minor ones patching only three security flaws, and are available for all supported Ubuntu releases, including Ubuntu 22.04 LTS (Jammy Jellyfish), Ubuntu 21.10 (Impish Indri), Ubuntu 20.04 LTS (Focal Fossa), Ubuntu 18.04 LTS (Bionic Beaver), as well as the Ubuntu 16.04 and 14.04 ESM releases.

There are more than 30 security vulnerabilities patched in this massive Ubuntu kernel update. Common to all Ubuntu releases is CVE-2022-1966, a use-after-free vulnerability discovered by Aaron Adams in the netfilter subsystem that could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code, as well as CVE-2022-21499, a kernel flaw that could allow privileged attackers to bypass UEFI Secure Boot restrictions, and CVE-2022-28390, a double-free vulnerability discovered in the EMS CAN/USB interface implementation, allowing a local attacker to cause a denial of service (memory exhaustion).

Affecting the kernels of Ubuntu 22.04 LTS, Ubuntu 21.10, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS systems, the new Linux kernel security patch also addresses CVE-2022-1158, a flaw discovered by Qiuhao Li, Gaoning Pan, and Yongkang Jia in the KVM implementation, which could allow an attacker in a guest VM to crash the host OS.

Other common security vulnerabilities patched in this massive update are CVE-2022-1972, a security issue affecting Ubuntu 22.04 LTS systems running Linux kernel 5.15 LTS, as well as Ubuntu 21.10 and Ubuntu 20.04 LTS systems running Linux kernel 5.13, discovered by Ziming Zhang in the netfilter subsystem, and CVE-2022-24958, a use-after-free vulnerability discovered in the USB Gadget file system interface and affecting the Linux 5.13 kernel of Ubuntu 21.10 and 20.04 LTS systems, as well as the Linux 5.4 LTS kernel of Ubuntu 20.04 LTS and 18.04 LTS systems. Both these flaws could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.

The same goes for CVE-2022-28356, a security vulnerability discovered by 赵子轩 in Linux kernel’s 802.2 LLC type 2 driver, CVE-2022-28389, a double-free vulnerability discovered in the Microchip CAN BUS Analyzer interface implementation, CVE-2022-1198, a use-after-free vulnerability discovered by Duoming Zhou in the 6pack protocol implementation, CVE-2022-1516, a flaw discovered in the implementation of X.25 network protocols, and CVE-2022-1353, a security issue found in the PF_KEYv2 implementation. These issues affected the kernels of Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS systems and could allow a local attacker to cause a denial of service (system crash) or expose sensitive information (kernel memory).

Another common security vulnerability patched in this new Ubuntu kernel update, this time affecting the kernels of Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems, is CVE-2021-3772, a flaw discovered in Linux kernel’s SCTP protocol implementation that could allow a remote attacker to cause a denial of service (connection disassociation).

Only for Ubuntu 22.04 LTS systems running Linux kernel 5.15 LTS, the new security update addresses 10 other vulnerabilities, including CVE-2022-1671, a flaw discovered in the RxRPC session socket implementation allowing a local attacker to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory), CVE-2022-1204, CVE-2022-1205, and CVE-2022-1199, three flaws discovered by Duoming Zhou in the AX.25 amateur radio protocol implementation that could allow a local attacker to cause a denial of service (system crash), as well as CVE-2022-1263, a KVM security issue discovered by Qiuhao Li, Gaoning Pan, and Yongkang Jia that could allow a local attacker in a guest VM to crash the host system.

Also patched in the Linux 5.15 LTS kernel of Ubuntu 22.04 LTS systems is CVE-2022-28388, a double-free vulnerability discovered in the 8 Devices USB2CAN interface implementation, CVE-2022-1651, a flaw found in the ACRN Hypervisor Service Module implementation, CVE-2022-1048, multiple race conditions discovered by Hu Jiahui in the ALSA framework, CVE-2022-0168, a flaw discovered by Billy Jheng Bing in the CIFS network file system implementation, and CVE-2022-1195, a use-after-free vulnerability discovered in the implementation of the 6pack and mkiss protocols. These security issues could allow a local attacker to cause a denial of service (system crash or memory exhaustion) or possibly execute arbitrary code.

Only for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, the new security update addresses 10 other vulnerabilities, including CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23040, CVE-2022-23041, and CVE-2022-23042, a series of flaws discovered in several Xen para-virtualization device frontends by Demi Marie Obenour and Simon Gaiser, which could allow an attacker to gain access to memory pages of a guest VM or cause a denial of service in the guest by using a malicious Xen backend.

Also patched in the Linux 5.4 LTS kernel of Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems is CVE-2022-1011, a use-after-free vulnerability discovered by Google Project Zero’s Jann Horn in the FUSE file system implementation, which could allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code, CVE-2021-4197, a security issue discovered by Eric Biederman in the cgroup process migration implementation, which could allow a local attacker to gain administrative privileges, and CVE-2022-26966, a flaw discovered in the USB SR9700 ethernet device driver that could allow a physically proximate attacker to expose sensitive information (kernel memory).

Last but not least, this new massive Ubuntu kernel update fixes three other security vulnerabilities affecting the Linux 4.15 kernel of Ubuntu 18.04 LTS systems. These are CVE-2022-1016, a security issue discovered by David Bouman in the netfilter subsystem that could allow a local attacker to expose sensitive information (kernel memory), CVE-2021-4149, a security issue found in the Btrfs file system implementation allowing a local attacker to cause a denial of service (kernel deadlock), as well as CVE-2022-1419, a race condition discovered in the virtual graphics memory manager implementation potentially leading to an information leak.

Canonical urges all Ubuntu users to update their installations to the new kernel versions (linux-image 5.15.0.37.39 for Ubuntu 22.04 LTS, linux-image 5.13.0.48.56 for Ubuntu 21.10 and 20.04.4 LTS, linux-image 5.4.0.117.120 for Ubuntu 20.04 LTS, linux-image 5.4.0-117.132~18.04.1 for Ubuntu 18.04.6 LTS, as well as linux-image 4.15.0.184.172 for Ubuntu 18.04 LTS), as soon as possible by using the Software Updater utility or by running the sudo apt update && sudo apt full-upgrade command in the Terminal app. A system reboot is required after installing the new kernel versions!
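To confirm that a machine actually picked up the fixed kernel, the versions listed above can be checked from a script. The following is an added example, not Canonical's tooling: the function names, the linux-image-generic package name and the sample version strings in the usage are assumptions, and GNU sort -V stands in for dpkg --compare-versions so the comparison also runs on non-Debian systems.

```shell
#!/bin/sh
# Added example: compare an installed linux-image version with the fixed
# versions quoted in the article. The package name below is an assumption.

# Fixed version from the article for a release and kernel series (e.g. 5.15).
fixed_version() {
    case "$1:$2" in
        22.04:5.15)             echo "5.15.0.37.39" ;;
        21.10:5.13|20.04:5.13)  echo "5.13.0.48.56" ;;
        20.04:5.4)              echo "5.4.0.117.120" ;;
        18.04:5.4)              echo "5.4.0-117.132~18.04.1" ;;
        18.04:4.15)             echo "4.15.0.184.172" ;;
        *)                      return 1 ;;   # no version given in the article
    esac
}

# True when version $1 >= version $2 (GNU sort -V compares numeric fields).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prints patched / vulnerable / unknown for a release and installed version.
kernel_status() {
    series=$(printf '%s' "$2" | cut -d. -f1,2)
    fixed=$(fixed_version "$1" "$series") || { echo unknown; return 0; }
    if version_ge "$2" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Live check on an Ubuntu host; run the script with --host to use it.
check_host() {
    pkg=${PKG:-linux-image-generic}            # assumed meta-package name
    release=$(. /etc/os-release && echo "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || installed=""
    echo "$pkg $installed on $release: $(kernel_status "$release" "$installed")"
    # Ubuntu creates this flag file when a reboot is pending.
    if [ -f /var/run/reboot-required ]; then echo "reboot pending"; fi
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Releases for which the article gives no version (the 16.04 and 14.04 ESM kernels) report unknown rather than patched.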

Last updated 6 months ago