suse-su-2023:2428-1
Vulnerability from csaf_suse
Published
2023-06-06 20:33
Modified
2023-06-06 20:33
Summary
Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4)
Notes
Title of the patch
Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4)
Description of the patch
This update for the Linux Kernel 5.14.21-150400_24_60 fixes several issues.
The following security issues were fixed:
- CVE-2023-0386: Fixed privileges escalation for low-privileged users in the OverlayFS subsystem (bsc#1210499).
- CVE-2023-2162: Fixed an use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210662).
- CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207188).
Patchnames
SUSE-2023-2428,SUSE-SLE-Module-Live-Patching-15-SP4-2023-2428
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_60 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2023-0386: Fixed privileges escalation for low-privileged users in the OverlayFS subsystem (bsc#1210499).\n- CVE-2023-2162: Fixed an use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210662).\n- CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207188).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-2428,SUSE-SLE-Module-Live-Patching-15-SP4-2023-2428",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_2428-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:2428-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20232428-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:2428-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-June/015108.html"
},
{
"category": "self",
"summary": "SUSE Bug 1207188",
"url": "https://bugzilla.suse.com/1207188"
},
{
"category": "self",
"summary": "SUSE Bug 1210499",
"url": "https://bugzilla.suse.com/1210499"
},
{
"category": "self",
"summary": "SUSE Bug 1210662",
"url": "https://bugzilla.suse.com/1210662"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0386 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-2162 page",
"url": "https://www.suse.com/security/cve/CVE-2023-2162/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-23454 page",
"url": "https://www.suse.com/security/cve/CVE-2023-23454/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2023-06-06T20:33:52Z",
"generator": {
"date": "2023-06-06T20:33:52Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:2428-1",
"initial_release_date": "2023-06-06T20:33:52Z",
"revision_history": [
{
"date": "2023-06-06T20:33:52Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0386"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel\u0027s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0386",
"url": "https://www.suse.com/security/cve/CVE-2023-0386"
},
{
"category": "external",
"summary": "SUSE Bug 1209615 for CVE-2023-0386",
"url": "https://bugzilla.suse.com/1209615"
},
{
"category": "external",
"summary": "SUSE Bug 1210499 for CVE-2023-0386",
"url": "https://bugzilla.suse.com/1210499"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-06T20:33:52Z",
"details": "important"
}
],
"title": "CVE-2023-0386"
},
{
"cve": "CVE-2023-2162",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-2162"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-2162",
"url": "https://www.suse.com/security/cve/CVE-2023-2162"
},
{
"category": "external",
"summary": "SUSE Bug 1210647 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1210647"
},
{
"category": "external",
"summary": "SUSE Bug 1210662 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1210662"
},
{
"category": "external",
"summary": "SUSE Bug 1213841 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1213841"
},
{
"category": "external",
"summary": "SUSE Bug 1213842 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1213842"
},
{
"category": "external",
"summary": "SUSE Bug 1214128 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1214128"
},
{
"category": "external",
"summary": "SUSE Bug 1222212 for CVE-2023-2162",
"url": "https://bugzilla.suse.com/1222212"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-06T20:33:52Z",
"details": "important"
}
],
"title": "CVE-2023-2162"
},
{
"cve": "CVE-2023-23454",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-23454"
}
],
"notes": [
{
"category": "general",
"text": "cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-23454",
"url": "https://www.suse.com/security/cve/CVE-2023-23454"
},
{
"category": "external",
"summary": "SUSE Bug 1207036 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1207036"
},
{
"category": "external",
"summary": "SUSE Bug 1207188 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1207188"
},
{
"category": "external",
"summary": "SUSE Bug 1208030 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1208030"
},
{
"category": "external",
"summary": "SUSE Bug 1208044 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1208044"
},
{
"category": "external",
"summary": "SUSE Bug 1208085 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1208085"
},
{
"category": "external",
"summary": "SUSE Bug 1211833 for CVE-2023-23454",
"url": "https://bugzilla.suse.com/1211833"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-06T20:33:52Z",
"details": "important"
}
],
"title": "CVE-2023-23454"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…