The new Azure kernel is available for Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating system series and addresses the side-channel attack discovered by Jann Horn and Ken Johnson, known as Spectre Variant 4 (CVE-2018-3639), which could allow a local attacker to expose sensitive information.
Also discovered by Jann Horn, the new Azure kernel fixes the original Spectre vulnerability (CVE-2017-5715) and a use-after-free vulnerability (CVE-2018-17182) found in the vmacache subsystem, which could let a local attacker crash the system or execute arbitrary code.
Running Ubuntu in the cloud as secure as possible is a top priority for Canonical, so the new kernel update also addresses a flaw (CVE-2018-15594) discovered in the paravirtualization implementation, which may reduce the effectiveness of the Spectre Variant 2 mitigations for paravirtual guests, allowing local attackers to expose sensitive information.
Another side-channel attack was patched in this new Azure kernel for Ubuntu 18.04 LTS and Ubuntu 16.04 LTS, known as SpectreRSB (CVE-2018-15572), which could allow an attacker to expose sensitive information, as well as a stack-based buffer overflow (CVE-2018-14633) found in the iSCSI target implementation, which lets remote attackers crash the vulnerable machines.
Also patched are two flaws discovered in Linux kernel’s IRDA implementation, a use-after-free vulnerability (CVE-2018-6555) that could allow a local attacker to either crash the system or execute arbitrary code, and a memory leak (CVE-2018-6554) that may let a local attacker cause a denial of service (kernel memory exhaustion).
Submitted by: Arnfried Walbrecht