exploit the possibilities

Ubuntu Security Notice USN-3741-2

Ubuntu Security Notice USN-3741-2
Posted Aug 15, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3741-2 - USN-3741-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault. A local attacker in a guest virtual machine could use this to expose sensitive information. Various other issues were also addressed.

tags | advisory, kernel, local, vulnerability
systems | linux, ubuntu
advisories | CVE-2018-3620, CVE-2018-3646, CVE-2018-5390, CVE-2018-5391
MD5 | a0d39dbb79e2f19019b21e3f47cfbcee

Ubuntu Security Notice USN-3741-2

Change Mirror Download
=========================================================================
Ubuntu Security Notice USN-3741-2
August 14, 2018

linux-lts-xenial, linux-aws vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-3741-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that memory present in the L1 data cache of an Intel CPU
core may be exposed to a malicious process that is executing on the CPU
core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local
attacker in a guest virtual machine could use this to expose sensitive
information (memory from other guests or the host OS). (CVE-2018-3646)

It was discovered that memory present in the L1 data cache of an Intel CPU
core may be exposed to a malicious process that is executing on the CPU
core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local
attacker could use this to expose sensitive information (memory from the
kernel or other processes). (CVE-2018-3620)

Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel
performed algorithmically expensive operations in some situations when
handling incoming packets. A remote attacker could use this to cause a
denial of service. (CVE-2018-5390)

Juha-Matti Tilli discovered that the IP implementation in the Linux kernel
performed algorithmically expensive operations in some situations when
handling incoming packet fragments. A remote attacker could use this to
cause a denial of service. (CVE-2018-5391)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.4.0-1027-aws 4.4.0-1027.30
linux-image-4.4.0-133-generic 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-generic-lpae 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-lowlatency 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-powerpc-e500mc 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-powerpc-smp 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-powerpc64-emb 4.4.0-133.159~14.04.1
linux-image-4.4.0-133-powerpc64-smp 4.4.0-133.159~14.04.1
linux-image-aws 4.4.0.1027.27
linux-image-generic-lpae-lts-xenial 4.4.0.133.113
linux-image-generic-lts-xenial 4.4.0.133.113
linux-image-lowlatency-lts-xenial 4.4.0.133.113
linux-image-powerpc-e500mc-lts-xenial 4.4.0.133.113
linux-image-powerpc-smp-lts-xenial 4.4.0.133.113
linux-image-powerpc64-emb-lts-xenial 4.4.0.133.113
linux-image-powerpc64-smp-lts-xenial 4.4.0.133.113

Please note that the recommended mitigation for CVE-2018-3646 involves
updating processor microcode in addition to updating the kernel;
however, the kernel includes a fallback for processors that have not
received microcode updates.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3741-2
https://usn.ubuntu.com/usn/usn-3741-1
CVE-2018-3620, CVE-2018-3646, CVE-2018-5390, CVE-2018-5391,
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1027.30
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-133.159~14.04.1
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    13 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close