14 DAY TRIAL // Canonical released the first kernel live patch for its recently released, yet long-term supported Ubuntu 18.04 LTS (Bionic Beaver) operating system to address various security vulnerabilities.
Published last week on May 25, the kernel live patch is available for Ubuntu 18.04 LTS systems running the Linux 4.15 kernel, as well as for Ubuntu 16.04.4 LTS and Ubuntu 14.04.5 LTS systems running the Linux 4.4 kernel. It patches a total of four security vulnerabilities discovered by various security researchers.
Among these, we can mention a branch-pruning logic issue (CVE-2017-17862) with Linux kernel's Berkeley Packet Filter (BPF) implementation that could allow a local attacker to cause a denial of service, and a memory leak (CVE-2018-8087) in the hwsim_new_radio_nl function that could let local users to cause a denial of service (memory consumption).
Moreover, the kernel live patch addresses a race condition (CVE-2018-1000004) in Linux kernel's ALSA (Advanced Linux Sound Architecture) subsystem when handling ioctl()s, which could allow a local attacker to cause a system deadlock via a denial of service attack. The issue was discovered by Luo Quan and Wei Yang.
Two other issues were fixed in the EXT4 filesystem implementation
Linux kernel's EXT4 filesystem implementation received patches for two security vulnerabilities (CVE-2018-1092 and CVE-2018-1093) in this kernel update, addressing issues is the ext4_iget and ext4_valid_block_bitmap functions, which could allow attackers to cause a denial of service via a crafted EXT4 image.
All users are urged to update their installations to the new kernel live patch versions. These are lts-4.4.0-124.148~14.04.1 for Ubuntu 14.04.5 LTS (Trusty Tahr) systems, 4.4.0-124.148 for Ubuntu 16.04 LTS (Xenial Xerus) systems, and 4.15.0-20.21 for Ubuntu 18.04 LTS (Bionic Beaver) systems. Users using Canonical Livepatch Service don't have to reboot their computers after applying a new kernel live patch.
To use Canonical's Kernel Live Patch service, you must first go to the Canonical Livepatch Service website and generate your credentials by signing up on the Canonical Livepatch portal, then install the livepatch daemon and enable it using the instruction provided there. Ubuntu 18.04 LTS is the first release to integrate the Canonical Livepatch Service for ease of use.
However, Canonical recommends users to also install the latest kernel security update that's available through the main software repositories of the aforementioned Ubuntu releases as they patch even more security vulnerabilities disclosed lately, including the Spectre Variant 4. More details about the latest Ubuntu kernels are available here and here.