Episode 146

Posted on Friday, Jan 14, 2022
Ubuntu 21.04 goes EOL soon, plus we cover security updates for Django, the Linux kernel, Apache httpd2 + Log4j2, Ghostscript and more.

Show Notes

Overview

Ubuntu 21.04 goes EOL soon, plus we cover security updates for Django, the Linux kernel, Apache httpd2 + Log4j2, Ghostscript and more.

This week in Ubuntu Security Updates

28 unique CVEs addressed

[USN-5204-1] Django vulnerabilities [00:45]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Possible to write to arbitrary locations if a plugin etc. called Storage.save() with a crafted file name
  • Also possible to use the dictsort template filter to disclose info or make method calls when passing in a crafted key - Django upstream remind developers that user input should always be validated before use
  • Possible DoS since the password similarity check compared the entire submitted password, which (when passed a very long password) would use a lot of CPU - fixed to discard any value it compares against whose length is significantly different from the supplied password's
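As an added illustration of the two hardening ideas described for the Django update above (this is stand-alone example code, not Django's own fix), the script below implements a storage-root containment check for file names and a user-attribute similarity check that skips the quadratic diff whenever the two lengths make the threshold unreachable. The base directory, attribute names and the 0.7 threshold are constructed values for the example, and the length gate uses the bound 2*min/(min+max) derived from SequenceMatcher's ratio() definition rather than Django's exact cut-off.

```python
# Added example for the USN-5204-1 notes above; not Django's code, only a
# stand-alone illustration of the two checks described there.
import os
from difflib import SequenceMatcher


# --- 1. File names handed to a storage backend must stay inside the root ---

def resolve_inside(base_dir: str, name: str) -> str:
    """Return `name` relative to base_dir, or raise ValueError if it escapes.

    An absolute name makes os.path.join discard base_dir, and '..' segments
    walk upwards; realpath normalises both before the containment check.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"file name escapes storage root: {name!r}")
    return os.path.relpath(candidate, base)


def is_safe_name(base_dir: str, name: str) -> bool:
    """Boolean wrapper: False for any name resolve_inside rejects
    (embedded NUL bytes also surface as ValueError from realpath)."""
    try:
        resolve_inside(base_dir, name)
        return True
    except ValueError:
        return False


# --- 2. Similarity check with a length gate against CPU exhaustion ---

def similarity_upper_bound(len_a: int, len_b: int) -> float:
    """Highest value SequenceMatcher.ratio() can return for these lengths.

    ratio() is 2*M/(len_a+len_b) where M is the number of matching
    characters, and M can never exceed min(len_a, len_b).
    """
    if len_a == 0 or len_b == 0:
        return 0.0
    return 2.0 * min(len_a, len_b) / (len_a + len_b)


def too_similar(password: str, value: str, max_similarity: float = 0.7) -> bool:
    """True if `value` (e.g. a username) is too close to `password`.

    The quadratic SequenceMatcher only runs when the bound says the
    threshold is reachable, so a megabyte-long password compared against a
    short username is decided by arithmetic, not by a long diff.
    """
    a, b = password.lower(), value.lower()
    if similarity_upper_bound(len(a), len(b)) < max_similarity:
        return False
    return SequenceMatcher(a=a, b=b).ratio() >= max_similarity


def offending_attributes(password: str, attrs: dict) -> list:
    """Names of the user attributes the password resembles too closely."""
    return [k for k, v in attrs.items() if v and too_similar(password, v)]


if __name__ == "__main__":
    MEDIA_ROOT = "/srv/media"  # constructed base directory for the demo
    for name in ("uploads/avatar.png", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} safe={is_safe_name(MEDIA_ROOT, name)}")

    # constructed user record
    user = {"username": "john.smith", "email": "js@example.test",
            "first_name": "John"}
    print(offending_attributes("john.smith1", user))   # ['username']
    print(too_similar("x" * 1_000_000, "alice"))        # False, and fast
```

The containment check compares real paths so that both absolute names and `..` segments are caught by the same test; the similarity gate is a pure function of the two lengths, which is what makes the cost independent of how long the attacker-supplied password is.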

[USN-5206-1] Linux kernel (OEM) vulnerability [02:08]

  • 1 CVE addressed in Focal (20.04 LTS)
  • 5.14 OEM kernel for Ubuntu 20.04 LTS
  • hugetlb would not always flush TLBs under certain conditions - since stale entries don't get flushed, a local attacker could then possibly read or alter stale data from other processes which are using huge pages
    • In general most processes don't use huge pages - a process has to specifically opt in by using mmap() or the SYSV shmem syscalls with the SHM_HUGETLB flag
    • But this is often used by applications with large memory requirements, as they can preallocate memory using much larger page sizes, which gives performance benefits since far fewer TLB entries are needed for the same amount of memory compared to standard 4K pages

[USN-5207-1] Linux kernel (OEM) vulnerabilities [04:26]

  • 4 CVEs addressed in Focal (20.04 LTS)
  • 5.10 OEM kernel for Ubuntu 20.04 LTS
  • huge pages tlb flushing issue above
  • Race-condition in handling of read-only maps in eBPF - could allow a privileged attacker to modify maps that were meant to be read-only
  • 2 vulns previously discussed in Episode 140
    • TIPC + MSG_CRYPTO OOB write, and Firewire OOB write - both can be used by local unprivileged users to cause DoS / possible code execution

[USN-5208-1] Linux kernel vulnerabilities [06:01]

[USN-5209-1] Linux kernel vulnerabilities [06:38]

  • 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • 4.15 kernel series for Ubuntu 20.04 LTS, 4.15 HWE kernel series for Ubuntu 16.04 ESM, 4.15 kernel for Ubuntu 14.04 ESM on Azure
  • A bunch of the previously mentioned CVEs, plus:
    • race condition in timer impl -> DoS by a privileged local user

[USN-5210-1] Linux kernel vulnerabilities

[USN-5211-1] Linux kernel vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • 4.4 kernel series for Ubuntu 16.04 ESM, 3.13 kernel series for Ubuntu 14.04 ESM

[USN-5219-1] Linux kernel vulnerability

  • Affecting Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • 5.13 kernel series for Ubuntu 21.10, 5.11 kernel series for Ubuntu 21.04, 5.11 HWE kernel series for Ubuntu 20.04 LTS
  • eBPF ringbuf OOB write -> local attacker -> DoS / RCE

[USN-5217-1] Linux kernel (OEM) vulnerabilities

  • 1 CVE addressed in Focal (20.04 LTS)
  • NFS OOB write -> local attacker -> DoS / RCE
  • eBPF ringbuf OOB write
    • same impact

[USN-5218-1] Linux kernel (OEM) vulnerabilities

[LSN-0083-1] Linux kernel vulnerability [07:33]

  • 5 CVEs addressed in Ubuntu 20.04 LTS, 18.04 LTS and 16.04 ESM
  • Various recent high priority CVEs now available as a livepatch
    • Including hugepages issue above as well as
    • eBPF verifier issue
    • AMD specific issue with KVM -> guest to host memory write
    • OOB write in netfilter
    • VFS OOB write
  • All could lead to code execution by a relatively unprivileged user into the kernel

[USN-5212-1, USN-5212-2] Apache HTTP Server vulnerabilities [08:54]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Possible NULL ptr deref when configured as a forward proxy (ProxyRequests on)
  • Possible SSRF when configured as both a forward and reverse proxy

[USN-5213-1] WebKitGTK vulnerabilities [09:37]

  • 2 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • “Universal” XSS and Content Security Policy bypass
    • both come from upstream webkit

[USN-5043-2] Exiv2 regression [10:10]

  • 1 CVE addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Gwenview crash when opening images exported by darktable
    • gwenview uses exiv2 for metadata handling
    • recent security update for exiv2 introduced a regression
  • Thanks Simon Schmeißer from the Ubuntu community for contributing the debdiff to fix this issue

[USN-5222-1] Apache Log4j 2 vulnerabilities [11:06]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Moar log4j2
    • Another instance of JNDI RCE, but this time the application needed to have been configured to use a JDBC appender - i.e. configured to write event logs to a relational database table via standard JDBC
    • Uncontrolled recursion via self-referential lookups - but requires an attacker to be able to control Thread Context Map data as well as be able to supply crafted strings that get logged

[USN-5224-1] Ghostscript vulnerabilities [12:21]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Hello Ghostscript my old friend!
  • 2 issues discovered by oss-fuzz (these used to all come from Tavis Ormandy, but those were more logic bugs in the sandbox etc.) - in this case a UAF and a heap buffer overflow -> crash / RCE

Goings on in Ubuntu Security Community

Ubuntu 21.04 EOL [13:31]

  • Next week on 20th January Ubuntu 21.04 goes EOL
  • No more bug fix or security updates from then onwards
  • Now is the perfect time to upgrade to Ubuntu 21.10, which is supported for another 6 months, until July 2022

Ubuntu Security Podcast back on break for 2 weeks [14:37]

  • 22.04 mid-cycle sprint week
  • holiday
  • back in 3 weeks time (end of first week of February)

Get in contact