vulnerability
Oracle Linux: CVE-2024-41090: ELSA-2024-12581: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:N/C:N/I:N/A:C) | 07/24/2024 | 08/16/2024 | 01/23/2025 |
Severity
5
CVSS
(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Published
07/24/2024
Added
08/16/2024
Modified
01/23/2025
Description
In the Linux kernel, the following vulnerability has been resolved:
tap: add missing verification for short frame
The cited commit missed to check against the validity of the frame length
in the tap_get_user_xdp() path, which could cause a corrupted skb to be
sent downstack. Even before the skb is transmitted, the
tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
than ETH_HLEN. Once transmitted, this could either cause out-of-bound
access beyond the actual length, or confuse the underlayer with incorrect
or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which
has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like
how tap_get_user() does.
CVE: CVE-2024-41090
A denial of service (DoS) attack was found in the mlx5 driver in the Linux kernel. A KVM guest VM using virtio-net can crash the host by sending a short packet, for example, size < ETH_HLEN. The packet may traverse through vhost-net, macvtap, and vlan without any validation or drop. When this packet is presented to the mlx5 driver on the host side, the kernel panic happens since mlx5_core assumes the frame size is always >= ETH_HLEN.
tap: add missing verification for short frame
The cited commit missed to check against the validity of the frame length
in the tap_get_user_xdp() path, which could cause a corrupted skb to be
sent downstack. Even before the skb is transmitted, the
tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
than ETH_HLEN. Once transmitted, this could either cause out-of-bound
access beyond the actual length, or confuse the underlayer with incorrect
or inconsistent header length in the skb metadata.
In the alternative path, tap_get_user() already prohibits short frame which
has the length less than Ethernet header size from being transmitted.
This is to drop any frame shorter than the Ethernet header size just like
how tap_get_user() does.
CVE: CVE-2024-41090
A denial of service (DoS) attack was found in the mlx5 driver in the Linux kernel. A KVM guest VM using virtio-net can crash the host by sending a short packet, for example, size < ETH_HLEN. The packet may traverse through vhost-net, macvtap, and vlan without any validation or drop. When this packet is presented to the mlx5 driver on the host side, the kernel panic happens since mlx5_core assumes the frame size is always >= ETH_HLEN.
Solution(s)
oracle-linux-upgrade-kerneloracle-linux-upgrade-kernel-uek
References
- CVE-2024-41090
- https://attackerkb.com/topics/CVE-2024-41090
- ELSA-ELSA-2024-12581
- ELSA-ELSA-2024-5928
- ELSA-ELSA-2024-12549
- ELSA-ELSA-2024-7000
- ELSA-ELSA-2024-12546
- ELSA-ELSA-2024-12582
- ELSA-ELSA-2024-12548
- ELSA-ELSA-2024-12547
- ELSA-ELSA-2024-12584
- ELSA-ELSA-2024-12585
- ELSA-ELSA-2024-12782
- ELSA-ELSA-2024-12571
- ELSA-ELSA-2024-12583
- ELSA-ELSA-2024-12780
- ELSA-ELSA-2024-12570
- ELSA-ELSA-2024-12551
- ELSA-ELSA-2024-12552
- ELSA-ELSA-2024-12815
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.