Bugzilla – Bug 1206896
CVE-2023-0047: DISPUTED: Out of memory in local cgroup's memory may cause denial of service outside its area
Last modified: 2024-06-25 17:20:00 UTC
rh#2144910 A Linux Kernel flaw found in memory management. If allocation failure happens in pagefault_out_of_memory with VM_FAULT_OOM, then it can lead to memory overflow when many tasks trigger this. An issue may cause multi-tenant denial of service (memory overflow). It was reported that a malicious workload may be allowed to OOM-kill random other workloads on the same node. Upstream fix: https://github.com/torvalds/linux/commit/60e2793d440a3ec95abb5d6d4fc034a4b480472d References: https://bugzilla.redhat.com/show_bug.cgi?id=2144910 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0047
Afaics, out_of_memory() is called in pagefault_out_of_memory() on all our maintained branches. So I would say that they're all affected: - cve/linux-3.0 - cve/linux-4.12 - cve/linux-4.4 - cve/linux-5.3 stable and SLE15-SP4 already have the fix.
I (as the author of the patch) dispute this CVE. Concerns are theoretical and the patch is aimed at cleaning up the OOM handling much more than fixing any real life issue. Unless there is a clear example of this happening in real life I would be reluctant to backport it to any SLES releases.
(In reply to Michal Hocko from comment #2) > I (as the author of the patch) dispute this CVE. Concerns are theoretical > and the patch is aimed at cleaning up the OOM handling much more than fixing > any real life issue. > > Unless there is a clear example of this happening in real life I would be > reluctant to backport it to any SLES releases. Thanks for your feedback Michal. If I understand correctly, the bug is that processes can be killed by out_of_memory() if we receive an OOM in the page fault handler, right? Could there be a straightforward way to trigger it?
(In reply to Thomas Leroy from comment #3) > (In reply to Michal Hocko from comment #2) > > I (as the author of the patch) dispute this CVE. Concerns are theoretical > > and the patch is aimed at cleaning up the OOM handling much more than fixing > > any real life issue. > > > > Unless there is a clear example of this happening in real life I would be > > reluctant to backport it to any SLES releases. > > Thanks for your feedback Michal. If I understand correctly, the bug is that > processes can be killed by out_of_memory() if we receive an OOM in the page > fault handler, right? Nope. OOM can happen from the #PF path and it is quite normal when the page allocator cannot satisfy an allocation request (e.g. the page to be allocated and mapped for the faulting address). The oom victim will get selected and that can be the allocating process as well. If that happens then memory reserves are usually used so the allocation will proceed. Reserves could be depleted in extreme cases, though, but that shouldn't pose much of a problem either. Such an allocation would fail and VM_FAULT_OOM would be returned by handle_mm_fault. The page fault handler would then bail out because fatal_signals are pending and the task would get really killed afterwards. Another potential scenario would be when VM_FAULT_OOM is returned without OOM killer being invoked by the allocator. This can happen for 2 different reasons. Either some specific fault handler like filesystem or a driver returns VM_FAULT_OOM because of unexpected ENOMEM returned down the call chain. Then the oom killer is not really desirable for reasons explained in the changelog. Or the memcg (v1) kmem limit is triggered and the kernel allocation fails as a result. I suspect this is what this CVE cares about. In that case a global OOM can be triggered indeed. But let me point out that kmem accounting has never been enabled nor supported in any of SLES kernels. The feature shouldn't be really used in _any_ production systems as it has proven to be problematic and it can trigger many more problems. Vasily has appended the changelog exaplaining that [VvS: #PF allocation can hit into limit of cgroup v1 kmem controller. This is a local problem related to memcg, however, it causes unnecessary global OOM kills that are repeated over and over again and escalate into a real disaster. This has been broken since kmem accounting has been introduced for cgroup v1 (3.8). There was no kmem specific reclaim for the separate limit so the only way to handle kmem hard limit was to return with ENOMEM. In upstream the problem will be fixed by removing the outdated kmem limit, however stable and LTS kernels cannot do it and are still affected. This patch fixes the problem and should be backported into stable/LTS.] Is this worth a CVE? I would say no, because kmem has never really been in shape to be production ready. I would really discourage anybody from using it rather than pretending this is a fix they absolutely need. So I would go with INVALID. > Could there be a straightforward way to trigger it? Not that I am aware of.
(In reply to Michal Hocko from comment #4) [...] > But let me point out that kmem accounting has > never been enabled nor supported in any of SLES kernels. One clarification CONFIG_MEMCG_KMEM became enabled unconditionally since 4.5 IIRC. So we have the code enabled in 4.12 and 5.3 based kernels. The feature is still not supported though. If we are worried somebody might be using the feature on those kernels without understanding all the consequences then we can backport 58056f77502f ("memcg, kmem: further deprecate kmem.limit_in_bytes") to disable the feature completely.
(In reply to Michal Hocko from comment #4) > (In reply to Thomas Leroy from comment #3) > > (In reply to Michal Hocko from comment #2) > > > I (as the author of the patch) dispute this CVE. Concerns are theoretical > > > and the patch is aimed at cleaning up the OOM handling much more than fixing > > > any real life issue. > > > > > > Unless there is a clear example of this happening in real life I would be > > > reluctant to backport it to any SLES releases. > > > > Thanks for your feedback Michal. If I understand correctly, the bug is that > > processes can be killed by out_of_memory() if we receive an OOM in the page > > fault handler, right? > > Nope. OOM can happen from the #PF path and it is quite normal when the page > allocator cannot satisfy an allocation request (e.g. the page to be > allocated and mapped for the faulting address). The oom victim will get > selected and that can be the allocating process as well. If that happens > then memory reserves are usually used so the allocation will proceed. > Reserves could be depleted in extreme cases, though, but that shouldn't pose > much of a problem either. Such an allocation would fail and VM_FAULT_OOM > would be returned by handle_mm_fault. The page fault handler would then bail > out because fatal_signals are pending and the task would get really killed > afterwards. > Another potential scenario would be when VM_FAULT_OOM is returned without > OOM killer being invoked by the allocator. This can happen for 2 different > reasons. > Either some specific fault handler like filesystem or a driver returns > VM_FAULT_OOM because of unexpected ENOMEM returned down the call chain. Then > the oom killer is not really desirable for reasons explained in the > changelog. > Or the memcg (v1) kmem limit is triggered and the kernel allocation fails as > a result. I suspect this is what this CVE cares about. Thank you very much for the further explanations. I think so too. If a task running in a restricted memory cgroup manages to trigger a global OOM leading to a kernel panic, I can see a security border crossed... Otherwise, if at worse only all the cgroup's/user's tasks get oom killed, I don't think this deserves a CVE indeed. > OOM can be triggered indeed. But let me point out that kmem accounting has > never been enabled nor supported in any of SLES kernels. The feature > shouldn't be really used in _any_ production systems as it has proven to be > problematic and it can trigger many more problems. Vasily has appended the > changelog exaplaining that > [VvS: #PF allocation can hit into limit of cgroup v1 kmem controller. > This is a local problem related to memcg, however, it causes unnecessary > global OOM kills that are repeated over and over again and escalate into > a > real disaster. This has been broken since kmem accounting has been > introduced for cgroup v1 (3.8). There was no kmem specific reclaim for > the separate limit so the only way to handle kmem hard limit was to > return > with ENOMEM. In upstream the problem will be fixed by removing the > outdated kmem limit, however stable and LTS kernels cannot do it and are > still affected. This patch fixes the problem and should be backported > into stable/LTS.] > > Is this worth a CVE? I would say no, because kmem has never really been in > shape to be production ready. I would really discourage anybody from using > it rather than pretending this is a fix they absolutely need. > > So I would go with INVALID. > > > Could there be a straightforward way to trigger it? > > Not that I am aware of. (In reply to Michal Hocko from comment #5) > (In reply to Michal Hocko from comment #4) > [...] > > But let me point out that kmem accounting has > > never been enabled nor supported in any of SLES kernels. > > One clarification CONFIG_MEMCG_KMEM became enabled unconditionally since 4.5 > IIRC. So we have the code enabled in 4.12 and 5.3 based kernels. The feature > is still not supported though. > > If we are worried somebody might be using the feature on those kernels > without understanding all the consequences then we can backport > 58056f77502f ("memcg, kmem: further deprecate kmem.limit_in_bytes") to > disable the feature completely. If backporting the fix on CONFIG_MEMCG_KMEM-enabled kernels is too risky, and if the memcg kmem feature is experimental and not recommended by SUSE, I think we can go for a wontfix on those kernels. Or as you mentioned, we can also backport 58056f77502f if it's a reasonable choice :)
(In reply to Thomas Leroy from comment #6) [...] > If backporting the fix on CONFIG_MEMCG_KMEM-enabled kernels is too risky, > and if the memcg kmem feature is experimental and not recommended by SUSE, I > think we can go for a wontfix on those kernels. Or as you mentioned, we can > also backport 58056f77502f if it's a reasonable choice :) Backporting 60e2793d440a ("mm, oom: do not trigger out_of_memory from the #PF") shouldn't really impose a big risk AFAICS. I am just usually reluctant to backport patches which are not fixing real issues. The patch makes a lot of sense in upstream to help clean up the code but there is no such urgency for SLES. 58056f77502f ("memcg, kmem: further deprecate kmem.limit_in_bytes") will make more sense as it disallows a feature we really do not support. So I will backport that one and reference this bug so that we have the record for the reasoning. I will skip LTSS products so that will make it 12-SP5, 15-SP3 and 15-SP4.
58056f77502f ("memcg, kmem: further deprecate kmem.limit_in_bytes") has been added to 12-sp5, 15-sp3 and 15-sp4
Hi kernel-team, the submissions you made only mention
filed a dispute with Mitre.
SUSE-SU-2023:0146-1: An update that solves 15 vulnerabilities, contains two features and has 36 fixes is now available. Category: security (important) Bug References: 1065729,1187428,1188605,1190969,1191259,1193629,1199294,1201068,1203219,1203740,1203829,1204614,1204652,1204760,1204911,1204989,1205257,1205263,1205485,1205496,1205601,1205695,1206073,1206098,1206101,1206188,1206209,1206344,1206389,1206390,1206391,1206393,1206394,1206395,1206396,1206397,1206398,1206399,1206456,1206468,1206515,1206536,1206554,1206602,1206619,1206664,1206703,1206794,1206896,1206912,1207016 CVE References: CVE-2022-3104,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3113,CVE-2022-3114,CVE-2022-3115,CVE-2022-3344,CVE-2022-3564,CVE-2022-4379,CVE-2022-4662,CVE-2022-47520 JIRA References: PED-1445,PED-568 Sources used: openSUSE Leap 15.4 (src): kernel-azure-5.14.21-150400.14.31.1, kernel-source-azure-5.14.21-150400.14.31.1, kernel-syms-azure-5.14.21-150400.14.31.1 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): kernel-azure-5.14.21-150400.14.31.1, kernel-source-azure-5.14.21-150400.14.31.1, kernel-syms-azure-5.14.21-150400.14.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0147-1: An update that solves 14 vulnerabilities, contains three features and has 32 fixes is now available. Category: security (important) Bug References: 1065729,1187428,1188605,1191259,1193629,1199294,1201068,1203219,1203740,1204614,1204652,1204760,1204911,1204989,1205263,1205485,1205601,1205695,1206073,1206098,1206101,1206188,1206209,1206344,1206389,1206390,1206393,1206394,1206395,1206396,1206397,1206398,1206399,1206456,1206468,1206515,1206536,1206554,1206602,1206619,1206664,1206703,1206794,1206896,1206912,1207016 CVE References: CVE-2022-3104,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3113,CVE-2022-3115,CVE-2022-3344,CVE-2022-3564,CVE-2022-4379,CVE-2022-4662,CVE-2022-47520 JIRA References: PED-1445,PED-568,SLE-19249 Sources used: openSUSE Leap Micro 5.3 (src): kernel-rt-5.14.21-150400.15.8.1 openSUSE Leap 15.4 (src): kernel-rt-5.14.21-150400.15.8.1, kernel-rt_debug-5.14.21-150400.15.8.1, kernel-source-rt-5.14.21-150400.15.8.1, kernel-syms-rt-5.14.21-150400.15.8.1 SUSE Linux Enterprise Module for Realtime 15-SP4 (src): kernel-rt-5.14.21-150400.15.8.1, kernel-rt_debug-5.14.21-150400.15.8.1, kernel-source-rt-5.14.21-150400.15.8.1, kernel-syms-rt-5.14.21-150400.15.8.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_2-1-150400.1.3.1 SUSE Linux Enterprise Micro 5.3 (src): kernel-rt-5.14.21-150400.15.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0149-1: An update that solves 15 vulnerabilities, contains two features and has 37 fixes is now available. Category: security (important) Bug References: 1065729,1187428,1188605,1190969,1191259,1193629,1199294,1201068,1203219,1203740,1203829,1204614,1204652,1204760,1204911,1204989,1205257,1205263,1205485,1205496,1205601,1205695,1206073,1206098,1206101,1206188,1206209,1206273,1206344,1206389,1206390,1206391,1206393,1206394,1206395,1206396,1206397,1206398,1206399,1206456,1206468,1206515,1206536,1206554,1206602,1206619,1206664,1206703,1206794,1206896,1206912,1207016 CVE References: CVE-2022-3104,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3113,CVE-2022-3114,CVE-2022-3115,CVE-2022-3344,CVE-2022-3564,CVE-2022-4379,CVE-2022-4662,CVE-2022-47520 JIRA References: PED-1445,PED-568 Sources used: openSUSE Leap Micro 5.3 (src): kernel-default-5.14.21-150400.24.41.1, kernel-default-base-5.14.21-150400.24.41.1.150400.24.15.1 openSUSE Leap 15.4 (src): dtb-aarch64-5.14.21-150400.24.41.1, kernel-64kb-5.14.21-150400.24.41.1, kernel-debug-5.14.21-150400.24.41.1, kernel-default-5.14.21-150400.24.41.1, kernel-default-base-5.14.21-150400.24.41.1.150400.24.15.1, kernel-docs-5.14.21-150400.24.41.1, kernel-kvmsmall-5.14.21-150400.24.41.1, kernel-obs-build-5.14.21-150400.24.41.1, kernel-obs-qa-5.14.21-150400.24.41.1, kernel-source-5.14.21-150400.24.41.1, kernel-syms-5.14.21-150400.24.41.1, kernel-zfcpdump-5.14.21-150400.24.41.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): kernel-default-5.14.21-150400.24.41.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-default-5.14.21-150400.24.41.1, kernel-livepatch-SLE15-SP4_Update_7-1-150400.9.3.1 SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): kernel-default-5.14.21-150400.24.41.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): kernel-docs-5.14.21-150400.24.41.1, kernel-obs-build-5.14.21-150400.24.41.1, kernel-source-5.14.21-150400.24.41.1, kernel-syms-5.14.21-150400.24.41.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): kernel-64kb-5.14.21-150400.24.41.1, kernel-default-5.14.21-150400.24.41.1, kernel-default-base-5.14.21-150400.24.41.1.150400.24.15.1, kernel-source-5.14.21-150400.24.41.1, kernel-zfcpdump-5.14.21-150400.24.41.1 SUSE Linux Enterprise Micro 5.3 (src): kernel-default-5.14.21-150400.24.41.1, kernel-default-base-5.14.21-150400.24.41.1.150400.24.15.1 SUSE Linux Enterprise High Availability 15-SP4 (src): kernel-default-5.14.21-150400.24.41.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0152-1: An update that solves 19 vulnerabilities, contains three features and has 71 fixes is now available. Category: security (important) Bug References: 1065729,1151927,1156395,1157049,1190969,1203183,1203693,1203740,1204171,1204250,1204614,1204693,1204760,1204989,1205149,1205256,1205495,1205496,1205601,1205695,1206073,1206113,1206114,1206174,1206175,1206176,1206177,1206178,1206179,1206344,1206389,1206393,1206394,1206395,1206397,1206398,1206399,1206515,1206602,1206634,1206635,1206636,1206637,1206640,1206641,1206642,1206643,1206644,1206645,1206646,1206647,1206648,1206649,1206663,1206664,1206784,1206841,1206854,1206855,1206857,1206858,1206859,1206860,1206873,1206875,1206876,1206877,1206878,1206880,1206881,1206882,1206883,1206884,1206885,1206886,1206887,1206888,1206889,1206890,1206891,1206893,1206896,1206904,1207036,1207125,1207134,1207186,1207198,1207218,1207237 CVE References: CVE-2019-19083,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3115,CVE-2022-3435,CVE-2022-3564,CVE-2022-3643,CVE-2022-42328,CVE-2022-42329,CVE-2022-4662,CVE-2022-47520,CVE-2022-47929,CVE-2023-0266,CVE-2023-23454,CVE-2023-23455 JIRA References: PED-1445,PED-1706,PED-568 Sources used: openSUSE Leap Micro 5.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.109.1 SUSE Manager Server 4.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-zfcpdump-5.3.18-150300.59.109.1 SUSE Manager Retail Branch Server 4.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1 SUSE Manager Proxy 4.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1 SUSE Linux Enterprise Server for SAP 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise Server 15-SP3-LTSS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1, kernel-zfcpdump-5.3.18-150300.59.109.1 SUSE Linux Enterprise Realtime Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1, kernel-livepatch-SLE15-SP3_Update_28-1-150300.7.3.1 SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1 SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.109.1 SUSE Enterprise Storage 7.1 (src): kernel-64kb-5.3.18-150300.59.109.1, kernel-default-5.3.18-150300.59.109.1, kernel-default-base-5.3.18-150300.59.109.1.150300.18.62.1, kernel-docs-5.3.18-150300.59.109.1, kernel-obs-build-5.3.18-150300.59.109.1, kernel-preempt-5.3.18-150300.59.109.1, kernel-source-5.3.18-150300.59.109.1, kernel-syms-5.3.18-150300.59.109.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0148-1: An update that solves four vulnerabilities, contains one feature and has 9 fixes is now available. Category: security (important) Bug References: 1065729,1174298,1174299,1203740,1204250,1204667,1205695,1206073,1206344,1206389,1206395,1206664,1206896 CVE References: CVE-2022-3107,CVE-2022-3108,CVE-2022-3564,CVE-2022-4662 JIRA References: PED-568 Sources used: SUSE Linux Enterprise Real Time Extension 12-SP5 (src): kernel-rt-4.12.14-10.112.1, kernel-rt_debug-4.12.14-10.112.1, kernel-source-rt-4.12.14-10.112.1, kernel-syms-rt-4.12.14-10.112.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The assigning CNA and Mitre have rejected this CVE after our request.
SUSE-SU-2023:0591-1: An update that solves six vulnerabilities, contains two features and has 51 fixes can now be installed. Category: security (important) Bug References: 1065729, 1156395, 1203740, 1204614, 1204989, 1205496, 1205601, 1205695, 1206073, 1206344, 1206393, 1206399, 1206515, 1206602, 1206634, 1206635, 1206636, 1206637, 1206640, 1206641, 1206642, 1206643, 1206644, 1206645, 1206646, 1206647, 1206648, 1206649, 1206841, 1206854, 1206855, 1206857, 1206858, 1206859, 1206860, 1206873, 1206875, 1206876, 1206877, 1206878, 1206880, 1206881, 1206882, 1206883, 1206884, 1206885, 1206886, 1206887, 1206888, 1206889, 1206890, 1206891, 1206893, 1206896, 1206904, 1207036, 1207125 CVE References: CVE-2022-3112, CVE-2022-3115, CVE-2022-3564, CVE-2022-47520, CVE-2023-23454, CVE-2023-23455 Jira References: PED-1445, PED-568 Sources used: SUSE Real Time Module 15-SP3 (src): kernel-syms-rt-5.3.18-150300.118.1, kernel-source-rt-5.3.18-150300.118.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0618-1: An update that solves 10 vulnerabilities, contains three features and has 28 fixes can now be installed. Category: security (important) Bug References: 1065729, 1175995, 1198971, 1202712, 1203200, 1203740, 1204250, 1204514, 1205149, 1205397, 1205495, 1206073, 1206640, 1206648, 1206784, 1206855, 1206858, 1206873, 1206877, 1206878, 1206880, 1206882, 1206883, 1206884, 1206887, 1206896, 1207092, 1207093, 1207094, 1207097, 1207102, 1207186, 1207195, 1207201, 1207237, 1208108, 1208541, 1208570 CVE References: CVE-2022-3107, CVE-2022-3108, CVE-2022-3564, CVE-2022-36280, CVE-2022-4662, CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0590, CVE-2023-23454 Jira References: PED-1706, PED-568, SLE-15608 Sources used: SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): kernel-source-azure-4.12.14-16.124.1, kernel-syms-azure-4.12.14-16.124.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): kernel-source-azure-4.12.14-16.124.1, kernel-syms-azure-4.12.14-16.124.1 SUSE Linux Enterprise Server 12 SP5 (src): kernel-source-azure-4.12.14-16.124.1, kernel-syms-azure-4.12.14-16.124.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.