[QSA-1221211] Linux kernel vulnerabilities

Qlustar Security Advisory 1221211

December 21st, 2021


Summary:

The system could crash or be made to run programs as an administrator.


Package(s)       : linux-image-ql-generic,
                   qlustar-module-core-bionic-amd64-11.0.1,
                   qlustar-module-core-centos7-amd64-11.0.1,
                   qlustar-module-core-centos8-amd64-11.0.1,
                   qlustar-module-core-focal-amd64-12.0.0,
                   qlustar-module-core-centos7-amd64-12.0.0,
                   qlustar-module-core-centos8-amd64-12.0.0
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : Not documented

A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.153. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.153 up to the current Qlustar kernel 5.4.167:

Linux kernel 5.4.167
Linux kernel 5.4.166
Linux kernel 5.4.165
Linux kernel 5.4.164
Linux kernel 5.4.163
Linux kernel 5.4.162
Linux kernel 5.4.161
Linux kernel 5.4.160
Linux kernel 5.4.159
Linux kernel 5.4.158
Linux kernel 5.4.157
Linux kernel 5.4.156
Linux kernel 5.4.155
Linux kernel 5.4.154

A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.211. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.211 up to the current Qlustar kernel 4.19.221:

Linux kernel 4.19.221
Linux kernel 4.19.220
Linux kernel 4.19.219
Linux kernel 4.19.218
Linux kernel 4.19.217
Linux kernel 4.19.216
Linux kernel 4.19.215
Linux kernel 4.19.214
Linux kernel 4.19.213
Linux kernel 4.19.212

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0

linux-image-ql-generic                     5.4.167-ql-generic-12.0-13
qlustar-module-core-focal-amd64-12.0.0     12.0.0.8-b546f1425
qlustar-module-core-centos7-amd64-12.0.0   12.0.0.8-b546f1425
qlustar-module-core-centos8-amd64-12.0.0   12.0.0.8-b546f1425

For Qlustar 11.0

linux-image-ql-generic                     4.19.221-ql-generic-11.0-28
qlustar-module-core-bionic-amd64-11.0.1    11.0.1.12-b543f1424
qlustar-module-core-centos7-amd64-11.0.1   11.0.1.12-b543f1424
qlustar-module-core-centos8-amd64-11.0.1   11.0.1.12-b543f1424

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates st some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
    

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs
    

    before rebooting the whole cluster.

  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.