Test ID:	1.3.6.1.4.1.25623.1.1.12.2023.6221.1
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-6221-1)
Summary:	The remote host is missing an update for the 'linux, linux-aws, linux-kvm, linux-lts-xenial' package(s) announced via the USN-6221-1 advisory.
Description:	Summary: The remote host is missing an update for the 'linux, linux-aws, linux-kvm, linux-lts-xenial' package(s) announced via the USN-6221-1 advisory. Vulnerability Insight: It was discovered that a race condition existed in the overlay file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2021-20321) It was discovered that the virtual terminal (vt) device implementation in the Linux kernel contained a race condition in its ioctl handling that led to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information. (CVE-2021-3753) It was discovered that the ext4 file system implementation in the Linux kernel contained a use-after-free vulnerability. An attacker could use this to construct a malicious ext4 file system image that, when mounted, could cause a denial of service (system crash). (CVE-2022-1184) Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba discovered that some Intel processors with Enhanced Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET instructions after a VM exits. A local attacker could potentially use this to expose sensitive information. (CVE-2022-26373) Johannes Wikner and Kaveh Razavi discovered that for some Intel x86-64 processors, the Linux kernel's protections against speculative branch target injection attacks were insufficient in some circumstances. A local attacker could possibly use this to expose sensitive information. (CVE-2022-29901) It was discovered that the ST NCI NFC driver did not properly handle device removal events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2023-1990) It was discovered that the btrfs file system implementation in the Linux kernel did not properly handle error conditions in some situations, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-3111) Affected Software/OS: 'linux, linux-aws, linux-kvm, linux-lts-xenial' package(s) on Ubuntu 14.04, Ubuntu 16.04. Solution: Please install the updated package(s). CVSS Score: 4.7 CVSS Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-20321 Debian Security Information: DSA-5096 (Google Search) https://www.debian.org/security/2022/dsa-5096 https://bugzilla.redhat.com/show_bug.cgi?id=2013242 https://lore.kernel.org/all/20211011134508.748956131@linuxfoundation.org/ https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html Common Vulnerability Exposure (CVE) ID: CVE-2021-3753 https://bugzilla.redhat.com/show_bug.cgi?id=1999589 https://github.com/torvalds/linux/commit/2287a51ba822384834dafc1c798453375d1107c7 https://www.openwall.com/lists/oss-security/2021/09/01/4 Common Vulnerability Exposure (CVE) ID: CVE-2022-1184 DSA-5257 https://www.debian.org/security/2022/dsa-5257 [debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html https://access.redhat.com/security/cve/CVE-2022-1184 https://bugzilla.redhat.com/show_bug.cgi?id=2070205 https://ubuntu.com/security/CVE-2022-1184 Common Vulnerability Exposure (CVE) ID: CVE-2022-26373 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00706.html https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html Common Vulnerability Exposure (CVE) ID: CVE-2022-29901 https://comsec.ethz.ch/retbleed Debian Security Information: DSA-5207 (Google Search) https://www.debian.org/security/2022/dsa-5207 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K/ https://security.gentoo.org/glsa/202402-07 https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability/ https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html http://www.openwall.com/lists/oss-security/2022/07/12/4 http://www.openwall.com/lists/oss-security/2022/07/12/5 http://www.openwall.com/lists/oss-security/2022/07/12/2 http://www.openwall.com/lists/oss-security/2022/07/13/1 Common Vulnerability Exposure (CVE) ID: CVE-2023-1990 https://lore.kernel.org/all/20230312160837.2040857-1-zyytlz.wz@163.com/ https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html Common Vulnerability Exposure (CVE) ID: CVE-2023-3111 Debian Security Information: DSA-5480 (Google Search) https://www.debian.org/security/2023/dsa-5480 https://patchwork.kernel.org/project/linux-btrfs/patch/20220721074829.2905233-1-r33s3n6@gmail.com/ https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.