FERRAMENTAS LINUX: Critical Linux Kernel Security Update: Live Patch 49 for SLE 15 SP3 (CVE Fixes & Installation Guide)

sexta-feira, 27 de junho de 2025

Critical Linux Kernel Security Update: Live Patch 49 for SLE 15 SP3 (CVE Fixes & Installation Guide)

 

SUSE


SUSE releases critical Linux Kernel Live Patch 49 for SLE 15 SP3, fixing 7 high-risk CVEs (CVE-2024-56601, CVE-2024-50125, etc.). Learn how to patch vulnerabilities in inet_create(), dm_cache, Bluetooth L2CAP, and more. Step-by-step installation guide for OpenSUSE, SLE HPC, SAP, and Micro.

1. Key Security Vulnerabilities Patched

This SUSE-SU-2025:02136-1 update resolves 7 critical vulnerabilities (CVSS scores 7.1–8.5) in the Linux Kernel (5.3.18-150300_59_179), including:

  • CVE-2024-56601 (CVSS 8.5) – Kernel memory leak via inet_create() (bsc#1235231)

  • CVE-2024-50279 (CVSS 7.1) – Out-of-bounds access in dm-cache dirty bitset (bsc#1233708)

  • CVE-2024-50125 (CVSS 7.8) – Bluetooth SCO socket UAF (Use-After-Free) exploit (bsc#1232929)

  • CVE-2022-49545 (CVSS 7.3) – USB MIDI substream workqueue race condition (bsc#1238730)

Why is this urgent?
Unpatched systems risk privilege escalation, denial-of-service (DoS), and remote code execution (RCE). Enterprise users (SAP, HPC) must prioritize this update.

2. Affected Systems & Patch Instructions

Affected Products

  • SUSE Linux Enterprise Server 15 SP3

  • SUSE Linux Enterprise Live Patching 15-SP3

  • OpenSUSE Leap 15.3

  • SUSE Linux Enterprise Micro 5.1/5.2

How to Install the Update

Method 1: Automated (Recommended)

bash
# OpenSUSE Leap 15.3  
zypper in -t patch SUSE-2025-2136=1  

# SLE Live Patching 15-SP3  
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2025-2136=1

Method 2: Via YaST

Navigate to YaST → Online Update and apply the patch.

3. Technical Deep Dive: Exploit Analysis

CVE-2024-56601: Kernel Memory Leak in inet_create()

  • Impact: Dangling sk pointer leads to memory corruption.

  • Fix: Proper cleanup of socket structs on error.

CVE-2024-50125: Bluetooth SCO Timeout UAF

  • Attack Vector: Malicious Bluetooth packets trigger a use-after-free.

  • Mitigation: Socket timeout handlers now validate resource ownership.

(For full CVE details, see SUSE Security Portal.)

4. Best Practices for Enterprise Security

  • Schedule reboots after patching (live patches reduce downtime).

  • Monitor /var/log/messages for kernel errors.

  • Verify patches with:

    bash
    rpm -qa | grep kernel-livepatch

5. Frequently Asked Questions (FAQ)

Q: Can I delay this update if I’m not using Bluetooth or USB audio?
A: No—dm-cache and **inet_create()` flaws affect all systems.

Q: Does this patch require a reboot?
A: Live patching avoids reboots, but some CVEs (e.g., CVE-2024-56605) may require it.

Cezar Henrique at
Marcadores: Linux, Android, Segurança , ,

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)