LSN-0080-1: Kernel Live Patch Security Notice

16 August 2021

Several security issues were fixed in the kernel.

Releases

Software Description

gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009)
generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033)
gke-4.15 - Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
gke-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
gkeop-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
oem - Linux kernel for OEM systems - (>= 4.15.0-1063)

Details

Andy Nguyen discovered that the netfilter subsystem in the Linux kernel
contained an out-of-bounds write in its setsockopt() implementation. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2021-22555)

Checking update status

The problem can be corrected in these Livepatch versions:

Kernel type	20.04	18.04	16.04	14.04
gcp	80.1	—	—	—
generic-4.15	—	80.1	80.1	—
generic-4.4	—	—	80.1	80.1
generic-5.4	80.1	80.1	—	—
gke	80.1	—	—	—
gke-4.15	—	80.1	—	—
gke-5.4	—	80.1	—	—
gkeop	80.1	—	—	—
gkeop-5.4	—	80.1	—	—
lowlatency-4.15	—	80.1	80.1	—
lowlatency-4.4	—	—	80.1	80.1
lowlatency-5.4	80.1	80.1	—	—
oem	—	80.1	—	—

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

References

CVE-2021-22555

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›