
Canonical Releases Critical Patches For Linux Kernel Vulnerabilities Affecting Ubuntu & AWS

Urgent security updates address race conditions and memory management flaws in Ubuntu, safeguarding systems on both local servers and Amazon Web Services

Canonical has released critical security updates for Ubuntu, targeting multiple Linux kernel vulnerabilities that pose significant risks to both local systems and Amazon Web Services (AWS) environments. These vulnerabilities, involving race conditions and memory management errors, could lead to system crashes or unauthorised access if left unpatched.

The latest patches aim to mitigate these threats, enhancing the security of Ubuntu-based systems and AWS deployments. Security researchers have identified six key vulnerabilities within the Linux ecosystem, each requiring immediate attention to prevent potential exploitation.

Key Vulnerabilities & Their Impact:

– CVE-2024-22099: Discovered by Yuxuan Hu, this vulnerability affects the Bluetooth RFCOMM protocol driver in the Linux kernel. It introduces a race condition that could result in a NULL pointer dereference, leading to a denial of service (DoS) by crashing the system. This flaw impacts both x86 and ARM architectures and affects Linux kernel versions starting from v2.6.12-rc2.

– CVE-2024-24860: Another race condition was found in the Bluetooth subsystem of the Linux kernel, specifically within the {min,max}_key_size_set() function. If exploited by a privileged local attacker, this flaw could trigger a kernel panic and crash the system.

– CVE-2024-35835: This vulnerability involves a double-free error in the net/mlx5e module of the Linux kernel. It could cause system instability or crashes if resources are freed twice due to failed allocations. The Ubuntu Security Team has addressed this issue with a patch correcting the resource management error.

– CVE-2024-39292: This flaw affects the Linux kernel’s handling of winch interrupt requests (IRQ), potentially leading to system crashes if the winch is added to the handler list too late. The fix ensures that the winch is registered before any interrupts are processed, preventing system panics.

– CVE-2023-52760: Found in the Global File System 2 (GFS2) component, this vulnerability involves a slab-use-after-free error due to improper cleanup procedures. It could lead to unpredictable system behaviour or crashes, now mitigated by a patch addressing the cleanup process.

– CVE-2023-52806: A vulnerability in the Advanced Linux Sound Architecture (ALSA) component could lead to a NULL pointer dereference during complex audio operations. The fix ensures correct assignment of audio streams, preventing crashes during audio processing.

Impact On AWS:
These vulnerabilities not only affect Ubuntu systems but also have significant implications for Linux kernel deployments on AWS. AWS users running Ubuntu-based instances are advised to apply these patches promptly to mitigate the risks associated with these kernel vulnerabilities. The affected systems include both Ubuntu-based virtual machines and those running critical applications on AWS.

Patches & Updates:
Canonical has addressed these vulnerabilities with timely security patches, which are available for various Ubuntu releases, including:

– Ubuntu Bionic (4.15.0-228.240)
– Ubuntu Focal (5.4.0-193.213)
– Ubuntu Jammy (5.15.0-102.112)
– Ubuntu Mantic (6.5.0-41.41)

These patches are essential for securing systems against the identified vulnerabilities, ensuring the continued integrity and stability of both local and cloud-based environments.
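To check a host against the versions listed above, the following added example (not Canonical's tooling and not part of the original article) compares the running kernel reported in `/proc/version_signature` with the fixed version for the release codename. It assumes the listed versions belong to the generic kernel package of each release, so flavour kernels such as `-aws` and kernels from a different upstream series are reported as undetermined; the function names and sample signature strings are constructed for illustration.

```python
import re

# Fixed versions per release, as listed in the article above.
FIXED = {
    "bionic": "4.15.0-228.240",
    "focal": "5.4.0-193.213",
    "jammy": "5.15.0-102.112",
    "mantic": "6.5.0-41.41",
}

# Ubuntu kernels report their package version in /proc/version_signature,
# e.g. "Ubuntu 5.4.0-193.213-generic 5.4.280" (constructed sample value).
# An optional "~20.04.1"-style suffix marks a backported (HWE) kernel.
SIG_RE = re.compile(r"^Ubuntu (\d+\.\d+\.\d+-\d+\.\d+)(?:~[\d.]+)?-(\S+) ")


def key(version):
    """Turn '5.4.0-193.213' into a tuple of ints for numeric comparison."""
    return tuple(int(n) for n in re.split(r"[.-]", version))


def check(codename, signature):
    """Return 'patched', 'vulnerable' or 'undetermined' for one host."""
    m = SIG_RE.match(signature)
    fixed = FIXED.get(codename)
    if not m or fixed is None:
        return "undetermined"  # unknown release or unparsable signature
    running, flavour = m.group(1), m.group(2)
    # Assumption: the listed versions are for the generic kernel. Flavour
    # kernels (e.g. -aws) use their own ABI numbering, and a kernel from
    # another upstream series cannot be compared with this table.
    if flavour != "generic" or key(running)[:3] != key(fixed)[:3]:
        return "undetermined"
    return "patched" if key(running) >= key(fixed) else "vulnerable"


if __name__ == "__main__":
    with open("/etc/os-release") as f:
        osr = dict(line.rstrip().split("=", 1) for line in f if "=" in line)
    with open("/proc/version_signature") as f:
        print(check(osr.get("VERSION_CODENAME", ""), f.read()))
```

The check reflects the running kernel, so a host that has installed the update but not yet rebooted still reports `vulnerable`.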
