[QSA-0821202] Security Update Bundle
Qlustar Security Advisory 0821202
August 21st, 2020
Summary:
A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.
Package(s) : see upstream description of individual package
Qlustar releases : 10.1, 11.0
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package
This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.
Relevant to Qlustar 11.0 and 10.1
QEMU vulnerabilities
Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP echo requests. An attacker inside a guest could possibly use this issue to leak host memory to obtain sensitive information.
Ziming Zhang discovered that the QEMU SM501 graphics driver incorrectly handled certain operations. An attacker inside a guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was discovered that the QEMU SD memory card implementation incorrectly handled certain memory operations. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
Ren Ding and Hanqing Zhao discovered that the QEMU ES1370 audio driver incorrectly handled certain invalid frame counts. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
Ren Ding and Hanqing Zhao discovered that the QEMU MegaRAID SAS SCSI driver incorrectly handled certain memory operations. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
Alexander Bulekov discovered that QEMU MegaRAID SAS SCSI driver incorrectly handled certain memory space operations. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
Ren Ding, Hanqing Zhao, Alexander Bulekov, and Anatoly Trosinenko discovered that the QEMU incorrectly handled certain msi-x mmio operations. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
It was discovered that QEMU incorrectly handled certain memory copy operations when loading ROM contents. If a user were tricked into running an untrusted kernel image, a remote attacker could possibly use this issue to run arbitrary code.
Ziming Zhang discovered that the QEMU XGMAC Ethernet controller incorrectly handled packet transmission. An attacker inside a guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ziming Zhang discovered that the QEMU e1000e Ethernet controller incorrectly handled packet processing. An attacker inside a guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.
curl vulnerability
Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information.
Apache HTTP Server vulnerabilities
Fabrice Perez discovered that the Apache mod_rewrite module incorrectly handled certain redirects. A remote attacker could possibly use this issue to perform redirects to an unexpected URL.
Chamal De Silva discovered that the Apache mod_proxy_ftp module incorrectly handled memory when proxying to a malicious FTP server. A remote attacker could possibly use this issue to obtain sensitive information.
Felix Wilhelm discovered that the HTTP/2 implementation in Apache did not properly handle certain Cache-Digest headers. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.
Felix Wilhelm discovered that the HTTP/2 implementation in Apache did not properly handle certain logging statements. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service.
NSS vulnerabilities
It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information.
Samba vulnerability
Martin von Wittich and Wilko Meyer discovered that Samba incorrectly handled certain empty UDP packets when being used as a AD DC NBT server. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.
GRUB 2 vulnerabilities
Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Chris Coulson discovered that the GRUB2 function handling code did not properly handle a function being redefined, leading to a use-after-free vulnerability. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Chris Coulson discovered that multiple integer overflows existed in GRUB2 when handling certain filesystems or font files, leading to heap-based buffer overflows. A local attacker could use these to execute arbitrary code and bypass UEFI Secure Boot restrictions.
It was discovered that the memory allocator for GRUB2 did not validate allocation size, resulting in multiple integer overflows and heap-based buffer overflows when handling certain filesystems, PNG images or disk metadata. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2 failed to validate kernel signatures. A local attacker could use this to bypass Secure Boot restrictions.
Colin Watson and Chris Coulson discovered that an integer overflow existed in GRUB2 when handling the initrd command, leading to a heap-based buffer overflow. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Python vulnerabilities
It was discovered that Python documentation had a misleading information. A security issue could be possibly caused by wrong assumptions of this information.
It was discovered that Python incorrectly handled certain TAR archives. An attacker could possibly use this issue to cause a denial of service.
It was discovered that incorrectly handled certain ZIP files. An attacker could possibly use this issue to cause a denial of service.
It was discovered that Python incorrectly handled certain IP values. An attacker could possibly use this issue to cause a denial of service.
CentOS 7.8 / 8.1 security updates
Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from July 15th to Aug 21st, 2020).
Update instructions:
The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions and on Qlustar 11 also perform the manual steps '7. Migration to GRUB PXE booting' and '10. Adjust root bash shell initialization' as described in the Release Notes if you haven't done so yet):
For Qlustar 11.0
qlustar-module-core-bionic-amd64-11.0.1 11.0.1.2-b522f1305
qlustar-module-core-centos7-amd64-11.0.1 11.0.1.2-b522f1305
For Qlustar 10.1
qlustar-module-core-xenial-amd64-10.1.1 10.1.1.15-b521f1304