OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0258)

high Nessus Plugin ID 117764

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- nsfs: mark dentry with DCACHE_RCUACCESS (Cong Wang) [Orabug: 28576290] (CVE-2018-5873)

- dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604628]

- IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655409]

- IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia)

- IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia)

- IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia)

- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug:
28664501] (CVE-2018-16658)

- ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664577] (CVE-2017-13695)

- uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28680213]

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

Plugin Details

Severity: High

ID: 117764

File Name: oraclevm_OVMSA-2018-0258.nasl

Version: 1.3

Type: local

Family: OracleVM Local Security Checks

Published: 9/27/2018

Updated: 3/4/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-5873

CVSS v3

Risk Factor: High

Base Score: 7

Temporal Score: 6.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/26/2018

Vulnerability Publication Date: 8/25/2017

Reference Information

CVE: CVE-2017-13695, CVE-2018-16658, CVE-2018-5873

Detections

Analytics