OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Revert 'x86/mm: Expand the exception table logic to
allow new handling options' (Brian Maly) [Orabug:
25790387] (CVE-2016-9644)

- Revert 'fix minor infoleak in get_user_ex' (Brian Maly)
[Orabug: 25790387] (CVE-2016-9644)

- x86/mm: Expand the exception table logic to allow new
handling options (Tony Luck) [Orabug: 25790387]
(CVE-2016-9644)

- rebuild bumping release

- net: ping: check minimum size on ICMP header length
(Kees Cook) [Orabug: 25766898] (CVE-2016-8399)

- sg_write/bsg_write is not fit to be called under
KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter
chang) [Orabug: 25751984] (CVE-2017-7187)

- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander
Popov) [Orabug: 25696677] (CVE-2017-2636)

- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)
[Orabug: 25696677] (CVE-2017-2636)

- If Slot Status indicates changes in both Data Link Layer
Status and Presence Detect, prioritize the Link status
change. (Jack Vogel)

- PCI: pciehp: Leave power indicator on when enabling
already-enabled slot (Ashok Raj) [Orabug: 25353783]

- firewire: net: guard against rx buffer overflows (Stefan
Richter) [Orabug: 25451520] (CVE-2016-8633)

- usbnet: cleanup after bind in probe (Oliver Neukum)
[Orabug: 25463898] (CVE-2016-3951)

- cdc_ncm: do not call usbnet_link_change from
cdc_ncm_bind (Bjørn Mork) [Orabug: 25463898]
(CVE-2016-3951)

- cdc_ncm: Add support for moving NDP to end of NCM frame
(Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

- x86/mm/32: Enable full randomization on i386 and X86_32
(Hector Marco-Gisbert) [Orabug: 25463918]
(CVE-2016-3672)

- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)
[Orabug: 25507133] (CVE-2017-2596)

- crypto: mcryptd - Check mcryptd algorithm compatibility
(tim) [Orabug: 25507153] (CVE-2016-10147)

- kvm: nVMX: Allow L1 to intercept software exceptions
(#BP and #OF) (Jim Mattson) [Orabug: 25507188]
(CVE-2016-9588)

- KVM: x86: drop error recovery in em_jmp_far and
em_ret_far (Radim Krčmář) [Orabug:
25507213] (CVE-2016-9756)

- tcp: take care of truncations done by sk_filter (Eric
Dumazet) [Orabug: 25507226] (CVE-2016-8645)

- rose: limit sk_filter trim to payload (Willem de Bruijn)
[Orabug: 25507226] (CVE-2016-8645)

- tipc: check minimum bearer MTU (Michal Kubeček)
[Orabug: 25507239] (CVE-2016-8632)

- fix minor infoleak in get_user_ex (Al Viro) [Orabug:
25507269] (CVE-2016-9178)

- scsi: arcmsr: Simplify user_len checking (Borislav
Petkov) [Orabug: 25507319] (CVE-2016-7425)

- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer
(Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)
[Orabug: 25507341] (CVE-2016-7097)

- posix_acl: Clear SGID bit when setting file permissions
(Jan Kara) [Orabug: 25507341] (CVE-2016-7097)

- ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
(CVE-2015-8952)

- ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
(CVE-2015-8952)

- mbcache2: reimplement mbcache (Jan Kara) [Orabug:
25512366] (CVE-2015-8952)

- USB: digi_acceleport: do sanity checking for the number
of ports (Oliver Neukum) [Orabug: 25512466]
(CVE-2016-3140)

- net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)
[Orabug: 25682419] (CVE-2017-6345)

- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli
Cohen)

- ipv4: keep skb->dst around in presence of IP options
(Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

- perf/core: Fix concurrent sys_perf_event_open vs.
'move_group' race (Peter Zijlstra) [Orabug: 25698751]
(CVE-2017-6001)

- ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)
[Orabug: 25699015] (CVE-2017-5897)

- mpt3sas: Don't spam logs if logging level is 0 (Johannes
Thumshirn)

- xen-netfront: cast grant table reference first to type
int (Dongli Zhang)

- xen-netfront: do not cast grant table reference to
signed short (Dongli Zhang)

See also :

http://www.nessus.org/u?32b057e2

Solution :

Update the affected kernel-uek / kernel-uek-firmware packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false