[ALAS-2018-1023] Amazon Linux AMI 2014.03 - ALAS-2018-1023: important priority package update for kernel

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8897:
A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.
1567074:
CVE-2018-8897 Kernel: error in exception handling leads to DoS

CVE-2018-7995:
A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
1553911:
CVE-2018-7995 kernel: Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c

CVE-2018-1108:
A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
1567306:
CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot

CVE-2018-1091:
A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.
1558149:
CVE-2018-1091 kernel: guest kernel crash during core dump on POWER9 host

CVE-2018-10901:
A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
1601849:
CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption

CVE-2018-1087:
A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
1566837:
CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value

CVE-2018-1068:
A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
1552048:
CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c

CVE-2018-10675:
The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
1575065:
CVE-2018-10675 kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact

CVE-2018-1000199:
An address corruption flaw was discovered in the Linux kernel built with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system.
1568477:
CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS

CVE-2017-16939:
The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system.
1517220:
CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation

CVE-2017-13215:
A flaw was found in the Linux kernel's skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation.
1535173:
CVE-2017-13215 kernel: crypto: privilege escalation in skcipher_recvmsg function