Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4020) (Meltdown) (Spectre)

High Nessus Plugin ID 106328

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 8.1

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[2.6.39-400.298.2.el6uek]
- x86: Use PRED_CMD MSR when ibpb is enabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/spec: Don't print the Missing arguments for option spectre_v2 (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Move ENABLE_IBRS in the interrupt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- Add set_ibrs_disabled and set_ibpb_disabled (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86, boot: Carve out early cmdline parsing function (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Fix kABI build breakage (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Add command-line options 'spectre_v2' and 'nospectre_v2' (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/mm: Set IBPB upon context switch (Brian Maly) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86, cpu: Expand cpufeature facility to include cpu bugs (Borislav Petkov) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/IBRS/IBPB: Set sysctl_ibrs/ibpb_enabled properly (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/IBRS: Make sure we restore MSR_IA32_SPEC_CTRL to a valid value (Boris Ostrovsky) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: Use IBRS for firmware update path (David Woodhouse) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/spec_ctrl: Disable if running as Xen PV guest (Konrad Rzeszutek Wilk) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/microcode: Recheck IBRS features on microcode reload (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/enter: MACROS to set/clear IBRS and set IBPB (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86/feature: Detect the x86 IBRS feature to control Speculation (Tim Chen) [Orabug: 27369777] {CVE-2017-5715} {CVE-2017-5753}
- x86: fix build breakage (Brian Maly) [Orabug: 27346425] {CVE-2017-5753}
- kaiser: rename X86_FEATURE_KAISER to X86_FEATURE_PTI to match upstream (Mike Kravetz) {CVE-2017-5754}
- x86/kaiser: Check boottime cmdline params (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754}
- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754}
- KPTI: Report when enabled (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754}
- PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27333761] [Orabug: 27333760] {CVE-2017-5754}
- kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27333761] [Orabug: 27333760] {CVE-2017-5754}
- KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- x86/alternatives: add asm ALTERNATIVE macro (Mike Kravetz) [Orabug: 27333761] {CVE-2017-5754}
- x86/kaiser: Reenable PARAVIRT, dynamically disable KAISER if PARAVIRT (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: add 'nokaiser' boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- x86-32: Fix boot with CONFIG_X86_INVD_BUG (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: alloc_ldt_struct() use get_zeroed_page() (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- kaiser: user_map __kprobes_text too (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm/kaiser: re-enable vsyscalls (Andrea Arcangeli) [Orabug: 27333761] {CVE-2017-5754}
- KAISER: Kernel Address Isolation (Hugh Dickins) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: fix bad backport to disable PCID on Xen (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm, sched/core: Turn off IRQs in switch_mm() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm, sched/core: Uninline switch_mm() (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- sched/core: Add switch_mm_irqs_off() and use it in the scheduler (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- mm/mmu_context, sched/core: Fix mmu_context.h assumption (Ingo Molnar) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86, cpufeature: Add CPU features from Intel document 319433-012A (H. Peter Anvin) [Orabug: 27333761] {CVE-2017-5754}
- x86/paravirt: Dont patch flush_tlb_single (Thomas Gleixner) [Orabug: 27333761] {CVE-2017-5754}
- x86-64: Map the HPET NX (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754}
- x86/ldt: Make modify_ldt synchronous (Andy Lutomirski) [Orabug: 27333761] {CVE-2017-5754} {CVE-2015-5157}
- x86, cpu: Add cpufeature flag for PCIDs (Arun Thomas) [Orabug: 27333761] {CVE-2017-5754}
- x86/mm: Disable preemption during CR3 read+write (Sebastian Andrzej Siewior) [Orabug: 27333761] {CVE-2017-5754}
- locking/barriers: fix compile issue (Brian Maly) [Orabug: 27346425] {CVE-2017-5753}
- x86: Add another set of MSR accessor functions (Borislav Petkov) [Orabug: 27346425] {CVE-2017-5753}
- udf: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- fs: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- p54: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}
- x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27346425] {CVE-2017-5753}

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2018-January/007470.html

Plugin Details

Severity: High

ID: 106328

File Name: oraclelinux_ELSA-2018-4020.nasl

Version: 1.14

Type: local

Agent: unix

Published: 2018/01/25

Updated: 2019/09/27

Dependencies: 12634, 122878

Risk Information

Risk Factor: High

VPR Score: 8.1

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, cpe:/o:oracle:linux:6

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/01/24

Vulnerability Publication Date: 2015/08/31

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2015-5157, CVE-2017-5715, CVE-2017-5753, CVE-2017-5754