Available now for Ubuntu 18.04 LTS, 16.04 LTS, and 14.04 LTS

Oct 9, 2018 10:13 GMT

Canonical released a new kernel live patch for all its supported Ubuntu Linux operating systems to address several critical security vulnerabilities recently discovered by various researchers.

Available for the Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr) operating system series, the new Linux kernel livepatch is rolling out now to all subscribers of the Canonical Livepatch Service. It patches a total of seven security flaws, including the well-known L1 Terminal Fault (L1TF)/Foreshadow and SpectreRSB vulnerabilities.

The two L1TF vulnerabilities fixed in this new kernel livepatch are CVE-2018-3620 and CVE-2018-3646, but it also addresses a flaw that reduced the effectiveness of Spectre Variant 2 mitigations for paravirtual guests (CVE-2018-15594), a use-after-free vulnerability in the IRDA implementation (CVE-2018-6555), and a critical stack-based buffer overflow in the iSCSI target implementation (CVE-2018-14633).

Furthermore, the new kernel livepatch fixes the recently discovered CPU side-channel attack named SpectreRSB (CVE-2018-15572), which affects microprocessors utilizing speculative execution and prediction of return addresses via Return Stack Buffer (RSB), allowing attackers to expose sensitive information, as well as a use-after-free vulnerability in the vmacache subsystem (CVE-2018-17182).

All users are urged to update their installations immediately

If you didn't install last week's kernel security update and you're using the Canonical Livepatch Service on your 64-bit Ubuntu PC, you can now update the rebootless kernel livepatch to versions 44.1 and 44.2. The new kernel versions are linux-image 4.15.0-34.37 for Ubuntu 18.04 LTS users, linux-image 4.15.0-34.37~16.04.1 for Ubuntu 16.04.5 LTS HWE users, and linux-image 4.4.0-135.161~14.04.1 for Ubuntu 14.04.5 LTS HWE users.

"Note that due to a client issue, this livepatch may report that it failed to load. You can verify that the patch has successfully loaded by looking in /sys/kernel/livepatch for a directory starting with the name "lkp_Ubuntu," followed by your kernel version, and ending with the version number, "44." The next client update should correct this problem," reads the security advisory.
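The check the advisory describes can be scripted so it does not depend on what the client reports. The following is an added example, not code from Canonical or the advisory: the function name `livepatch_loaded` is hypothetical, and reading the kernel's `enabled` and `transition` livepatch sysfs attributes goes beyond the directory check the advisory mentions.

```shell
#!/bin/sh
# Added example (not from the advisory): confirm that a livepatch module is
# loaded by inspecting sysfs instead of trusting the client's status output.
#
# livepatch_loaded [ROOT] [VERSION]
#   ROOT     sysfs livepatch directory (default: /sys/kernel/livepatch)
#   VERSION  livepatch version the directory name must end with (default: 44)
# Prints the matching directory name and returns 0 when a directory named
# lkp_Ubuntu...VERSION exists and the kernel reports the patch as enabled
# with no transition in progress. Returns 1 otherwise.
livepatch_loaded() {
    local root="${1:-/sys/kernel/livepatch}"
    local version="${2:-44}"
    local dir name enabled transition

    if [ ! -d "$root" ]; then
        echo "no livepatch sysfs directory at $root" >&2
        return 1
    fi

    for dir in "$root"/lkp_Ubuntu*"$version"; do
        [ -d "$dir" ] || continue      # unmatched glob stays literal; skip it
        name=${dir##*/}

        # The version must be its own trailing number, so a name ending in
        # "144" is not accepted when looking for "44".
        case "$name" in
            *[!0-9]"$version") ;;
            *) continue ;;
        esac

        # "enabled" is 1 once the patch is applied. "transition" is 1 while
        # tasks are still being switched over; kernels that lack the
        # attribute are treated as not being in transition.
        enabled=$(cat "$dir/enabled" 2>/dev/null || echo 0)
        transition=$(cat "$dir/transition" 2>/dev/null || echo 0)

        if [ "$enabled" = "1" ] && [ "$transition" = "0" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Usage on a live system:  livepatch_loaded && echo "livepatch 44 is active"
```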