OracleVM 3.2 : xen (OVMSA-2016-0104)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- From: Andrew Cooper
  Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]

  hvm_get_seg_reg does not perform a range check on its
  input segment, calls hvm_get_segment_register and writes
  straight into sh_ctxt->seg_reg[]. x86_seg_none is outside
  the bounds of sh_ctxt->seg_reg[], and will hit a BUG in
  [vmx,svm]_get_segment_register. HVM guests running with
  shadow paging can end up performing a virtual to linear
  translation with x86_seg_none. This is used for
  addresses which are already linear. However, none of
  this is a legitimate pagetable update, so fail the
  emulation in such a case. This is XSA-187
  (CVE-2016-7094)

- x86/32on64: don't allow recursive page tables from L3

  L3 entries are special in PAE mode, and hence can't
  reasonably be used for setting up recursive (and hence
  linear) page table mappings. Since abuse is possible
  when the guest in fact gets run on 4-level page tables,
  this needs to be excluded explicitly. This is XSA-185.

  Conflict: xen/arch/x86/mm.c (CVE-2016-7092)

See also :

http://www.nessus.org/u?26ce459d

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 93397

CVE ID: CVE-2016-7092
CVE-2016-7094
