Medium: kernel

Issue Overview:

When running as a Xen 64-bit PV guest, user mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks. (CVE-2016-3157)

In some cases, the kernel did not correctly fix backward jumps in a new eBPF program, which could allow arbitrary reads. (CVE-2016-2383)

The kernel incorrectly accounted for the number of in-flight fds over a unix domain socket to the original opener of the file descriptor. Another process could arbitrarily deplete the original file opener’s maximum open files resource limit. (CVE-2016-2550)

A resource-exhaustion vulnerability was found in the kernel, where an unprivileged process could allocate and accumulate far more file descriptors than the process’ limit. A local, unauthenticated user could exploit this flaw by sending file descriptors over a Unix socket and then closing them to keep the process’ fd count low, thereby creating kernel-memory or file-descriptors exhaustion (denial of service). (CVE-2016-2847)

Affected Packages:

kernel

Issue Correction:
Run yum update kernel to update your system.

New Packages:

i686:  
    perf-debuginfo-4.1.19-24.31.amzn1.i686  
    kernel-headers-4.1.19-24.31.amzn1.i686  
    kernel-devel-4.1.19-24.31.amzn1.i686  
    kernel-debuginfo-common-i686-4.1.19-24.31.amzn1.i686  
    kernel-tools-devel-4.1.19-24.31.amzn1.i686  
    kernel-tools-debuginfo-4.1.19-24.31.amzn1.i686  
    kernel-tools-4.1.19-24.31.amzn1.i686  
    kernel-4.1.19-24.31.amzn1.i686  
    kernel-debuginfo-4.1.19-24.31.amzn1.i686  
    perf-4.1.19-24.31.amzn1.i686  
  
noarch:  
    kernel-doc-4.1.19-24.31.amzn1.noarch  
  
src:  
    kernel-4.1.19-24.31.amzn1.src  
  
x86_64:  
    kernel-tools-debuginfo-4.1.19-24.31.amzn1.x86_64  
    kernel-tools-devel-4.1.19-24.31.amzn1.x86_64  
    kernel-devel-4.1.19-24.31.amzn1.x86_64  
    kernel-headers-4.1.19-24.31.amzn1.x86_64  
    kernel-debuginfo-common-x86_64-4.1.19-24.31.amzn1.x86_64  
    kernel-tools-4.1.19-24.31.amzn1.x86_64  
    kernel-4.1.19-24.31.amzn1.x86_64  
    perf-4.1.19-24.31.amzn1.x86_64  
    perf-debuginfo-4.1.19-24.31.amzn1.x86_64  
    kernel-debuginfo-4.1.19-24.31.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-2383, CVE-2016-2550, CVE-2016-2847, CVE-2016-3157

Mitre: CVE-2016-2383, CVE-2016-2550, CVE-2016-2847, CVE-2016-3157