OracleVM 3.3 : xen (OVMSA-2015-0067)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- x86/traps: loop in the correct direction in compat_iret
This is XSA-136. (CVE-2015-4164)

- pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also
currently the size of the relay buffer pcnet driver uses
for sending the packet data to QEMU for further
processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than
sizeof(buffer), which results in memory corruption. Fix
this by only allowing to queue maximum sizeof(buffer)
bytes. This is CVE-2015-3209. (CVE-2015-3209)

- pcnet: fix Negative array index read From: Gonglei
s->xmit_pos may be assigned to a negative value (-1), but
in this branch variable s->xmit_pos is used as an index to
array s->buffer. Let's add a check for s->xmit_pos.
upstream-commit-id:
7b50d00911ddd6d56a766ac5671e47304c20a21b (CVE-2015-3209)

- gnttab: add missing version check to
GNTTABOP_swap_grant_ref handling ... avoiding NULL
derefs when the version to use wasn't set yet (via
GNTTABOP_setup_table or GNTTABOP_set_version). This is
XSA-134. (CVE-2015-4163)

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2015-June/000316.html

Solution :

Update the affected xen / xen-tools packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 84139

Bugtraq ID: 75123
75141
75149

CVE ID: CVE-2015-3209
CVE-2015-4163
CVE-2015-4164
