Ksplice for Exadata

This post details how to install online Uptrack fixes on the Exadata Linux kernel using Oracle Ksplice.

Quick licensing information: this option requires “Oracle Linux Premier Support Customers”; for all details, please visit this link.


Exadata Online Linux Kernel Patching

Download the Uptrack update from linux.oracle.com

If it is still present, remove the exadata-sun.*computenode-exact RPM

yum list installed | grep 'exadata-sun.*computenode-exact'

[root@tvdexa07db01 Ksplice]# yum list installed | grep 'exadata-sun.*computenode-exact'
exadata-sun-vm-computenode-exact.noarch
[root@tvdexa07db01 Ksplice]#

[root@tvdexa07db01 Ksplice]# yum erase exadata-sun-vm-computenode-exact.noarch
Resolving Dependencies
--> Running transaction check
---> Package exadata-sun-vm-computenode-exact.noarch 0:19.3.4.0.0.200130-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved


Install the Uptrack update

[root@tvdexa07db01 Ksplice]# yum install uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch.rpm
Examining uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch.rpm: uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch
Marking uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch.rpm as an update to uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200128-0.noarch
Resolving Dependencies
--> Running transaction check
---> Package uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64.noarch 0:20200128-0 will be updated
---> Package uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64.noarch 0:20200417-0 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

Upgrade 1 Package

Total size: 18 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch 1/2
The following steps will be taken:
Install [mnnc6fcu] CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
Install [tvgkcphj] Improved fix to CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
Install [bss17slx] CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.
Install [sl587t78] Missing Non Maskable Interrupts on AMD KVM guests.
Install [98393wix] CVE-2016-5244: Information leak in the RDS network protocol.
Install [alabfukc] CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.
Install [sc77umtr] CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.
Install [o8kefoq8] CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.
Install [cy9t2fe7] Improved fix to CVE-2019-11135: Side-channel information leak in Intel TSX on late microcode update.
Install [3h40qtja] IO hang on block multiqueue device waits.
Install [ll4csbbo] CVE-2019-20054: Denial-of-service in procfs sysctl removal.
Install [r7vboahq] Deadlock in Reliable Datagram socket connection.
Install [pojd20br] Denial-of-service in Reliable Datagram Socket send cancellation.
Install [ayrz7nql] CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
Install [e6szjj4l] CVE-2019-14901: Denial-of-service when parsing TDLS action frame in Marvell WiFi-Ex driver.
Install [9253ftyr] CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.
Install [h6qm8tqh] IO hang in Reliable Datagram Socket remote DMA socket closing.
Install [jmo8wvme] Denial-of-service in CIFS POSIX file locks on close.
Install [c92mbxy5] CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.
Install [6z2m3403] CVE-2020-7053: Use-after-free when destroying i915 GEM context.
Install [c5t3d5fa] NULL dereference while loading userspace I/O driver.
Install [8dgt3zi6] CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.
Install [a4scbw6j] Kernel panic in Infiniband RDMA QP send queues.
Install [9m542zj0] Denial-of-service in IPMI device registration.
Install [jq0r6r0v] Denial-of-service in Pressure Stall Information cgroup destruction.
Install [m5jqkbu3] Denial-of-service in Infiniband pool destruction.
Install [miag3lwz] CVE-2019-19338: Missing Intel TAA mitigation in KVM guests.
Install [28o9c5jg] CVE-2019-14615: Information leak in Intel i915 generation 9 devices.
Install [e9ghelsq] Race condition in crypto initialization causes denial-of-service.
Install [8kg2ltrj] Denial-of-service in XFS whiteout renames.
Install [djt21tl9] NULL pointer dereference when mounting a GFS2 filesystem.
Install [fmlfqa0h] NULL-pointer dereference when driver logs in/out of system.
Install [r0hywzwk] Soft lockup in low memory situation due to misused allocator in LPFC.
Install [o6ivsuer] Use-after-free due to race condition in LPFC NVME write handling.
Install [muzxn90m] Hard lock up when handling aborts for LPFC.
Install [297glmum] Soft lockup when multiple threads read /proc/stat simultaneously.
Install [p2wsrgbk] Denial-of-service in the batman-adv subsystem.
Install [tg92ldhm] Spurious signals during TTY reopen.
Install [e6k3gzxq] CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.
Install [9ccfw3yo] CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.
Install [73fkk23h] Use-after-free when using NFS with page cache.
Install [d4thcifo] NULL pointer dereference during UBIFS mount.
Install [jdwrgfic] CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.
Install [iizw2yj1] Use-after-free when constructing ERSPAN packet header.
Install [221vs9ih] Deadlock when deleting NVMe namespace fails.
Install [1outnjhr] Out-of-bounds read when transmitting packet using XFRM.

Install [i6sjtrm9] Point-to-Point Protocol IOCDETACH ioctl causes use-after-free.
Install [8grqdp2d] Flawed logic in read/write semaphore implementation causes crash.
Install [jsndggsn] System fails to generate vmcore dump after panic.
Install [p6dow9c8] CVE-2018-5953: Information leak in software IO TLB driver.
Installing [mnnc6fcu] CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
Installing [tvgkcphj] Improved fix to CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
Installing [bss17slx] CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.
Installing [sl587t78] Missing Non Maskable Interrupts on AMD KVM guests.
Installing [98393wix] CVE-2016-5244: Information leak in the RDS network protocol.
Installing [alabfukc] CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.
Installing [sc77umtr] CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.
Installing [o8kefoq8] CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.
Installing [cy9t2fe7] Improved fix to CVE-2019-11135: Side-channel information leak in Intel TSX on late microcode update.
Installing [3h40qtja] IO hang on block multiqueue device waits.
Installing [ll4csbbo] CVE-2019-20054: Denial-of-service in procfs sysctl removal.
Installing [r7vboahq] Deadlock in Reliable Datagram socket connection.
Installing [pojd20br] Denial-of-service in Reliable Datagram Socket send cancellation.
Installing [ayrz7nql] CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
Installing [e6szjj4l] CVE-2019-14901: Denial-of-service when parsing TDLS action frame in Marvell WiFi-Ex driver.
Installing [9253ftyr] CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.
Installing [h6qm8tqh] IO hang in Reliable Datagram Socket remote DMA socket closing.
Installing [jmo8wvme] Denial-of-service in CIFS POSIX file locks on close.
Installing [c92mbxy5] CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.
Installing [6z2m3403] CVE-2020-7053: Use-after-free when destroying i915 GEM context.
Installing [c5t3d5fa] NULL dereference while loading userspace I/O driver.
Installing [8dgt3zi6] CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.
Installing [a4scbw6j] Kernel panic in Infiniband RDMA QP send queues.
Installing [9m542zj0] Denial-of-service in IPMI device registration.
Installing [jq0r6r0v] Denial-of-service in Pressure Stall Information cgroup destruction.
Installing [m5jqkbu3] Denial-of-service in Infiniband pool destruction.
Installing [miag3lwz] CVE-2019-19338: Missing Intel TAA mitigation in KVM guests.
Installing [28o9c5jg] CVE-2019-14615: Information leak in Intel i915 generation 9 devices.
Installing [e9ghelsq] Race condition in crypto initialization causes denial-of-service.
Installing [8kg2ltrj] Denial-of-service in XFS whiteout renames.
Installing [djt21tl9] NULL pointer dereference when mounting a GFS2 filesystem.
Installing [fmlfqa0h] NULL-pointer dereference when driver logs in/out of system.
Installing [r0hywzwk] Soft lockup in low memory situation due to misused allocator in LPFC.
Installing [o6ivsuer] Use-after-free due to race condition in LPFC NVME write handling.
Installing [muzxn90m] Hard lock up when handling aborts for LPFC.
Installing [297glmum] Soft lockup when multiple threads read /proc/stat simultaneously.
Installing [p2wsrgbk] Denial-of-service in the batman-adv subsystem.
Installing [tg92ldhm] Spurious signals during TTY reopen.
Installing [e6k3gzxq] CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.
Installing [9ccfw3yo] CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.
Installing [73fkk23h] Use-after-free when using NFS with page cache.
Installing [d4thcifo] NULL pointer dereference during UBIFS mount.
Installing [jdwrgfic] CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.
Installing [iizw2yj1] Use-after-free when constructing ERSPAN packet header.
Installing [221vs9ih] Deadlock when deleting NVMe namespace fails.
Installing [1outnjhr] Out-of-bounds read when transmitting packet using XFRM.
Installing [i6sjtrm9] Point-to-Point Protocol IOCDETACH ioctl causes use-after-free.
Installing [8grqdp2d] Flawed logic in read/write semaphore implementation causes crash.
Installing [jsndggsn] System fails to generate vmcore dump after panic.
Installing [p6dow9c8] CVE-2018-5953: Information leak in software IO TLB driver.
Your kernel is fully up to date.
Effective kernel version is 4.14.35-1902.301.1.el7uek
Cleanup : uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200128-0.noarch 2/2
Verifying : uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch 1/2
Verifying : uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200128-0.noarch 2/2

Updated:
uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64.noarch 0:20200417-0

Complete!
[root@tvdexa07db01 Ksplice]#


Check the Newly Installed Uptrack Version

[root@tvdexa07db01 Ksplice]# yum list installed | grep uptrack-updates
uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64.noarch
20200417-0 @/uptrack-updates-4.14.35-1902.9.2.el7uek.x86_64-20200417-0.noarch


[root@tvdexa07db01 Ksplice]# uname -r
4.14.35-1902.9.2.el7uek.x86_64


[root@tvdexa07db01 Ksplice]# uptrack-uname -r
4.14.35-1902.301.1.el7uek.x86_64


[root@tvdexa07db01 Ksplice]# uptrack-show
Installed updates:
[qb92vyqf] Known exploit detection.
[inu8wb4r] Known exploit detection for CVE-2017-7308.
[cd8sbgv7] Known exploit detection for CVE-2018-14634.
[1kzvx01a] KPTI enablement for Ksplice.
[6vwn8ut1] Known exploit detection for CVE-2018-18445.
[4zccrjds] KSPLICE enablement for patching KVM Intel module.
[gzezyqb5] Memory leak in Mellanox ConnextX HCA Infiniband CX-3 virtual functions.
[bk9sc6f2] NULL pointer dereference when mounting a CIFS filesystem with invalid mount option.
[tiomcx4f] CVE-2019-15917: Use-after-free when registering Bluetooth HCI uart device.
[1oztqfiv] Memory corruption in Reliable Datagram Socket send completion.
[13vvcp2l] Oracle ASM device hang during offline.
[d1r03k7l] Network stall during RDMA failover.
[mnnc6fcu] CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
[tvgkcphj] Improved fix to CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
[bss17slx] CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.
[sl587t78] Missing Non Maskable Interrupts on AMD KVM guests.
[98393wix] CVE-2016-5244: Information leak in the RDS network protocol.
[alabfukc] CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.
[sc77umtr] CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.
[o8kefoq8] CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.
[cy9t2fe7] Improved fix to CVE-2019-11135: Side-channel information leak in Intel TSX on late microcode update.
[3h40qtja] IO hang on block multiqueue device waits.
[ll4csbbo] CVE-2019-20054: Denial-of-service in procfs sysctl removal.
[r7vboahq] Deadlock in Reliable Datagram socket connection.
[pojd20br] Denial-of-service in Reliable Datagram Socket send cancellation.
[ayrz7nql] CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
[e6szjj4l] CVE-2019-14901: Denial-of-service when parsing TDLS action frame in Marvell WiFi-Ex driver.
[9253ftyr] CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.
[h6qm8tqh] IO hang in Reliable Datagram Socket remote DMA socket closing.
[jmo8wvme] Denial-of-service in CIFS POSIX file locks on close.
[c92mbxy5] CVE-2019-15538: Denial-of-service in XFS filesystem with Quota support enabled.
[6z2m3403] CVE-2020-7053: Use-after-free when destroying i915 GEM context.
[c5t3d5fa] NULL dereference while loading userspace I/O driver.
[8dgt3zi6] CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.
[a4scbw6j] Kernel panic in Infiniband RDMA QP send queues.
[9m542zj0] Denial-of-service in IPMI device registration.
[jq0r6r0v] Denial-of-service in Pressure Stall Information cgroup destruction.
[m5jqkbu3] Denial-of-service in Infiniband pool destruction.
[miag3lwz] CVE-2019-19338: Missing Intel TAA mitigation in KVM guests.
[28o9c5jg] CVE-2019-14615: Information leak in Intel i915 generation 9 devices.
[e9ghelsq] Race condition in crypto initialization causes denial-of-service.
[8kg2ltrj] Denial-of-service in XFS whiteout renames.
[djt21tl9] NULL pointer dereference when mounting a GFS2 filesystem.
[fmlfqa0h] NULL-pointer dereference when driver logs in/out of system.
[r0hywzwk] Soft lockup in low memory situation due to misused allocator in LPFC.
[o6ivsuer] Use-after-free due to race condition in LPFC NVME write handling.
[muzxn90m] Hard lock up when handling aborts for LPFC.
[297glmum] Soft lockup when multiple threads read /proc/stat simultaneously.
[p2wsrgbk] Denial-of-service in the batman-adv subsystem.
[tg92ldhm] Spurious signals during TTY reopen.
[e6k3gzxq] CVE-2019-18809: Memory leak when identifying state in Afatech AF9005 DVB-T USB1.1 driver.
[9ccfw3yo] CVE-2019-18806: Memory leak when allocating large buffers in QLogic QLA3XXX Network driver.
[73fkk23h] Use-after-free when using NFS with page cache.
[d4thcifo] NULL pointer dereference during UBIFS mount.
[jdwrgfic] CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.
[iizw2yj1] Use-after-free when constructing ERSPAN packet header.
[221vs9ih] Deadlock when deleting NVMe namespace fails.
[1outnjhr] Out-of-bounds read when transmitting packet using XFRM.
[i6sjtrm9] Point-to-Point Protocol IOCDETACH ioctl causes use-after-free.
[8grqdp2d] Flawed logic in read/write semaphore implementation causes crash.
[jsndggsn] System fails to generate vmcore dump after panic.
[p6dow9c8] CVE-2018-5953: Information leak in software IO TLB driver.

Effective kernel version is 4.14.35-1902.301.1.el7uek
[root@tvdexa07db01 Ksplice]#
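
The checks above (uname -r against uptrack-uname -r, then uptrack-show) can be scripted for a patch audit. The following is an added example, not part of the original post: it parses uptrack-show output and lists required CVEs that no installed update covers. The function names and the shortened sample are constructed here, and treating "Known exploit detection" entries as detection rather than fixes is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit Ksplice coverage from
# `uptrack-show` output. On a real host, pipe `uptrack-show` into the functions.

# Constructed sample: a shortened copy of the uptrack-show output shown above.
sample_show() {
cat <<'EOF'
Installed updates:
[inu8wb4r] Known exploit detection for CVE-2017-7308.
[mnnc6fcu] CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
[tvgkcphj] Improved fix to CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
[cy9t2fe7] Improved fix to CVE-2019-11135: Side-channel information leak in Intel TSX on late microcode update.
[ayrz7nql] CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
[3h40qtja] IO hang on block multiqueue device waits.

Effective kernel version is 4.14.35-1902.301.1.el7uek
EOF
}

# Unique CVE IDs fixed by installed updates (stdin: uptrack-show output).
# Assumption of this example: "Known exploit detection" entries are tripwires,
# not fixes, so they are excluded.
covered_cves() {
    grep -E '^\[[a-z0-9]{8}\] ' | grep -v 'Known exploit detection' |
        grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# Print each required CVE (arguments) that no installed update covers.
missing_cves() {
    have=$(covered_cves)
    for cve in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# Effective kernel version as reported on the last line of uptrack-show.
effective_kernel() {
    sed -n 's/^Effective kernel version is //p'
}

# Compare `uname -r` ($1) with `uptrack-uname -r` ($2).
kernel_state() {
    if [ "$1" = "$2" ]; then echo "booted-kernel-only"; else echo "live-patched"; fi
}

# Demo on the constructed sample; prints CVE-2017-7308.
sample_show | missing_cves CVE-2019-3016 CVE-2020-2732 CVE-2017-7308
```

On a host, replace sample_show with uptrack-show. A check that reads only uname -r sees the booted kernel version, so patch audits on Ksplice hosts should use uptrack-uname -r and uptrack-show instead.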


One last piece of personal feedback about Oracle Ksplice: this tool is really cool! A few times I have used it to quickly and effectively fix kernel bugs online, avoiding unplanned service interruptions.