QID 198548

Date Published: 2021-10-29

QID 198548: Ubuntu Security Notification for Linux kernel (Azure) Vulnerabilities (USN-5120-1)

The f2fs file system in the linux kernel did not properly validate metadata in some situations.
The linux kernel did not properly enforce certain types of entries in the secure boot forbidden signature database (aka dbx) protection mechanism.
The kvm hypervisor implementation for amd processors in the linux kernel did not ensure enough processing time was given to perform cleanups of large sev vms.
The kvm hypervisor implementation in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.
The joystick device interface in the linux kernel did not properly validate data passed via an ioctl().the linux kernel did not properly account for the memory usage of certain ipc objects.
The nfsv4 client implementation in the linux kernel did not properly order connection setup operations.
The xilinx ll temac device driver in the linux kernel did not properly calculate the number of buffers to be used in certain situations.
The ext4 file system in the linux kernel contained a race condition when writing xattrs to an inode.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

an attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (
Cve-2019-19449).
An attacker could use this to bypass uefi secure boot restrictions. (
Cve-2020-26541).
A local attacker could use this to cause a denial of service (soft lockup) (cve-2020-36311).
An attacker who could start and control a vm could possibly use this to expose sensitive information or execute arbitrary code. (
Cve-2021-22543).
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code on systems with a joystick device registered. (
Cve-2021-3612).
A local attacker could use this to cause a denial of service (memory exhaustion) (cve-2021-3759).
An attacker controlling a remote nfs server could use this to cause a denial of service on the client. (
Cve-2021-38199).
A remote attacker could use this to cause a denial of service (system crash) (cve-2021-38207).
A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (
Cve-2021-40490).

  • CVSS V3 rated as High - 7.8 severity.
  • CVSS V2 rated as High - 7.2 severity.
  • Solution
    Refer to Ubuntu advisory: USN-5120-1 for affected packages and patching details, or update with your package manager.
    Vendor References
    Software Advisories
    Advisory ID Software Component Link
    USN-5120-1 Ubuntu Linux URL Logo ubuntu.com/security/notices/USN-5120-1