OracleVM 3.3 : xen (OVMSA-2015-0141)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing patches that address the
following critical security issues :

- x86: rate-limit logging in do_xen[oprof,pmu]_op. Some of
  the sub-ops are accessible to all guests, and hence
  should be rate-limited. In the xenoprof case, just like
  for XSA-146, include them only in debug builds. Since
  the vPMU code is rather new, allow them to be always
  present, but downgrade them to (rate limited) guest
  messages. This is XSA-152. (CVE-2015-7971)

- xenoprof: free domain's vcpu array. This was overlooked
  in fb442e2171 ('x86_64: allow more vCPU-s per guest').
  This is XSA-151. (CVE-2015-7969)

- x86: guard against undue super page PTE creation. When
  optional super page support got added (commit bd1cd81d64
  'x86: PV support for hugepages'), two adjustments were
  missed: mod_l2_entry needs to consider the PSE and RW
  bits when deciding whether to use the fast path, and the
  PSE bit must not be removed from L2_DISALLOW_MASK
  unconditionally. This is XSA-148. (CVE-2015-7835)

See also :

http://www.nessus.org/u?2dce5d78

Solution :

Update the affected xen / xen-tools packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 86669

CVE ID: CVE-2015-7835, CVE-2015-7969, CVE-2015-7971
