OracleVM 3.3 : xen (OVMSA-2014-0025)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing patches that address the
following critical security issues :

- x86/HVM: properly bound x2APIC MSR range. This is
  XSA-108. Additional changelog comments added to
  4.3.0-55.el6.0.0.3 (CVE-2014-7188)

- Fix for bug 19698535

- x86emul: only emulate software interrupt injection for
  real mode. Protected mode emulation currently lacks
  proper privilege checking of the referenced IDT entry,
  and there's currently no legitimate way for any of the
  respective instructions to reach the emulator when the
  guest is in protected mode. This is XSA-106.
  (CVE-2014-7156)

- x86/emulate: check cpl for all privileged instructions.
  Without this, it is possible for userspace to load its
  own IDT or GDT. This is XSA-105. (CVE-2014-7155)

See also :

http://www.nessus.org/u?464e91f4

Solution :

Update the affected xen / xen-tools packages.

Risk factor :

High / CVSS Base Score : 8.3
(CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.1
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79541

Bugtraq ID: 70057, 70062, 70198

CVE ID: CVE-2014-7155, CVE-2014-7156, CVE-2014-7188
