14 DAY TRIAL // After releasing new kernel security updates for the Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 14.04 LTS (Trusty Tahr) operating system series, Canonical published corresponding updates for the Linux kernel for Microsoft Azure cloud systems.
The new Azure kernel is available for Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating system series and addresses the side-channel attack discovered by Jann Horn and Ken Johnson, known as Spectre Variant 4 (CVE-2018-3639), which could allow a local attacker to expose sensitive information.
Also discovered by Jann Horn, the new Azure kernel fixes the original Spectre vulnerability (CVE-2017-5715) and a use-after-free vulnerability (CVE-2018-17182) found in the vmacache subsystem, which could let a local attacker crash the system or execute arbitrary code.
"Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory," reads the security advisory.
SpectreRSB and remote exploit also patched
Running Ubuntu in the cloud as secure as possible is a top priority for Canonical, so the new kernel update also addresses a flaw (CVE-2018-15594) discovered in the paravirtualization implementation, which may reduce the effectiveness of the Spectre Variant 2 mitigations for paravirtual guests, allowing local attackers to expose sensitive information.
Another side-channel attack was patched in this new Azure kernel for Ubuntu 18.04 LTS and Ubuntu 16.04 LTS, known as SpectreRSB (CVE-2018-15572), which could allow an attacker to expose sensitive information, as well as a stack-based buffer overflow (CVE-2018-14633) found in the iSCSI target implementation, which lets remote attackers crash the vulnerable machines.
Also patched are two flaws discovered in Linux kernel's IRDA implementation, a use-after-free vulnerability (CVE-2018-6555) that could allow a local attacker to either crash the system or execute arbitrary code, and a memory leak (CVE-2018-6554) that may let a local attacker cause a denial of service (kernel memory exhaustion).
All users of the Ubuntu 18.04 LTS (Bionic Beaver) operating system on Microsoft Azure cloud systems are urged to update the kernel to linux-image-4.15.0-1025-azure 4.15.0-1025.26. Thanks to Canonical's HWE (Hardware Enablement) kernels, this kernel version is also available for Ubuntu 16.04 LTS (Xenial Xerus) systems, so update the kernel to linux-image-4.15.0-1025-azure 4.15.0-1025.26~16.04.1.