Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2023:4358-1
Rating:	important
References:	bsc#1212051 bsc#1214842 bsc#1215095 bsc#1215467 bsc#1215518 bsc#1215745 bsc#1215858 bsc#1215860 bsc#1215861 bsc#1216046
Cross-References:	CVE-2023-2163 CVE-2023-3111 CVE-2023-34324 CVE-2023-3777 CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-42754
CVSS scores:	CVE-2023-2163 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2023-2163 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2023-3111 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2023-3111 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-34324 ( SUSE ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-34324 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2023-3777 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-3777 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-39189 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2023-39189 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39192 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L CVE-2023-39193 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N CVE-2023-39194 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves nine vulnerabilities and has one security fix can now be installed.

Description:

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518)
• CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095)
• CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745).
• CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046)
• CVE-2023-3111: Fixed a use-after-free vulnerability in prepare_to_relocate in fs/btrfs/relocation.c (bsc#1212051).
• CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem (bsc#1215861).
• CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
• CVE-2023-39192: Fixed an out of bounds read in the netfilter (bsc#1215858).
• CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that could lead to denial of service (bsc#1215467).

The following non-security bugs were fixed:

• nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-4358=1
• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4358=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4358=1

Package List:

• SUSE Linux Enterprise Micro 5.1 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.149.1
• SUSE Linux Enterprise Micro 5.1 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.149.1
  • kernel-rt-debugsource-5.3.18-150300.149.1
• SUSE Linux Enterprise Micro 5.2 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.149.1
• SUSE Linux Enterprise Micro 5.2 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.149.1
  • kernel-rt-debugsource-5.3.18-150300.149.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.149.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.149.1
  • kernel-rt-debugsource-5.3.18-150300.149.1

References:

• https://www.suse.com/security/cve/CVE-2023-2163.html
• https://www.suse.com/security/cve/CVE-2023-3111.html
• https://www.suse.com/security/cve/CVE-2023-34324.html
• https://www.suse.com/security/cve/CVE-2023-3777.html
• https://www.suse.com/security/cve/CVE-2023-39189.html
• https://www.suse.com/security/cve/CVE-2023-39192.html
• https://www.suse.com/security/cve/CVE-2023-39193.html
• https://www.suse.com/security/cve/CVE-2023-39194.html
• https://www.suse.com/security/cve/CVE-2023-42754.html
• https://bugzilla.suse.com/show_bug.cgi?id=1212051
• https://bugzilla.suse.com/show_bug.cgi?id=1214842
• https://bugzilla.suse.com/show_bug.cgi?id=1215095
• https://bugzilla.suse.com/show_bug.cgi?id=1215467
• https://bugzilla.suse.com/show_bug.cgi?id=1215518
• https://bugzilla.suse.com/show_bug.cgi?id=1215745
• https://bugzilla.suse.com/show_bug.cgi?id=1215858
• https://bugzilla.suse.com/show_bug.cgi?id=1215860
• https://bugzilla.suse.com/show_bug.cgi?id=1215861
• https://bugzilla.suse.com/show_bug.cgi?id=1216046