NULL Pointer Dereference Affecting kernel-uek-debug-core package, versions <0:5.15.0-303.171.5.2.el8uek


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE8-KERNELUEKDEBUGCORE-8539602
  • published20 Dec 2024
  • disclosed21 Oct 2024

Introduced: 21 Oct 2024

CVE-2024-49957  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:8 kernel-uek-debug-core to version 0:5.15.0-303.171.5.2.el8uek or higher.
This issue was patched in ELSA-2024-12887.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-core package and not the kernel-uek-debug-core package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix null-ptr-deref when journal load failed.

During the mounting process, if journal_reset() fails because of too short journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() calls jbd2_journal_flush()->jbd2_cleanup_journal_tail()-> __jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail() ->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer dereference error.

To resolve this issue, we should check the JBD2_LOADED flag to ensure the journal was properly loaded. Additionally, use journal instead of osb->journal directly to simplify the code.

CVSS Base Scores

version 3.1