OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0017) (Meltdown)

High Nessus Plugin ID 106706

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 27234850] [Orabug: 27234850]

- hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 26988581]

- x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Don't try to change IBRS mode if IBRS is not available (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Remove support for IBRS_ENABLED_USER mode (Boris Ostrovsky)

- x86: Include linux/device.h in bugs_64.c (Boris Ostrovsky) [Orabug: 27418896]

- x86/spectre: Drop the warning about ibrs being obsolete.
(Konrad Rzeszutek Wilk)

- x86/spec: Don't print the Missing arguments for option spectre_v2. (Konrad Rzeszutek Wilk)

- x86/spec: Also print IBRS if IBPB is disabled. (Konrad Rzeszutek Wilk)

- x86/IBPB: Provide debugfs interface for changing IBPB mode (Boris Ostrovsky) [Orabug: 27449065]

- xen: Make PV Dom0 Linux kernel NUMA aware (Elena Ufimtseva)

- net/rds: Fix incorrect error handling (H&aring kon Bugge) [Orabug: 26848729]

- net/rds: use multiple sge than buddy allocation in congestion code (Wei Lin Guay) [Orabug: 26848729]

- Revert 'RDS: fix the sg allocation based on actual message size' (Wei Lin Guay) [Orabug: 26848729]

- Revert 'RDS: avoid large pages for sg allocation for TCP transport' (Wei Lin Guay) [Orabug: 26848729]

- Revert 'net/rds: Reduce memory footprint in rds_sendmsg' (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during ib_post_recv in IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during rds_sendmsg with IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: set the rds_ib_init_frag based on supported sge (Wei Lin Guay) [Orabug: 26848729]

- bnxt_en: Fix possible corrupted NVRAM parameters from firmware response. (Michael Chan) [Orabug: 27199588]

- x86, kasan: Fix build failure on KASAN=y && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: Fix build failure on !KASAN && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: #undef memset/memcpy/memmove per arch (Andrey Ryabinin) [Orabug: 27255122]

- Revert 'Makefile: Build with -Werror=date-time if the compiler supports it' (Gayatri Vasudevan) [Orabug:
27255122]

- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290300] (CVE-2017-8824)

- x86/efi: Initialize and display UEFI secure boot state a bit later during init (Daniel Kiper) [Orabug: 27309477]

- x86/espfix: Init espfix on the boot CPU side (Zhu Guihua) [Orabug: 27344552]

- x86/espfix: Add 'cpu' parameter to init_espfix_ap (Zhu Guihua)

- ALSA: pcm: prevent UAF in snd_pcm_info (Robb Glasser) [Orabug: 27344841] (CVE-2017-0861) (CVE-2017-0861)

- fs/ocfs2: remove page cache for converted direct write (Wengang Wang)

- Revert 'ocfs2: code clean up for direct io' (Wengang Wang)

- assoc_array: Fix a buggy node-splitting case (David Howells) [Orabug: 27364592] (CVE-2017-12193) (CVE-2017-12193)

- Sanitize 'move_pages' permission checks (Linus Torvalds) [Orabug: 27364690] (CVE-2017-14140)

- pti: compile fix for when PTI is disabled (Pavel Tatashin) [Orabug: 27383147] (CVE-2017-5754)

- sctp: do not peel off an assoc from one netns to another one (Xin Long) [Orabug: 27386999] (CVE-2017-15115)

- net: ipv4: fix for a race condition in raw_sendmsg (Mohamed Ghannam) [Orabug: 27390682] (CVE-2017-17712)

- mlx4: add mstflint secure boot access kernel support (Qing Huang)

- x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk)

- x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk)

- x86: Move ENABLE_IBRS in the interrupt macro. (Konrad Rzeszutek Wilk)

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

http://www.nessus.org/u?f9702f90

Plugin Details

Severity: High

ID: 106706

File Name: oraclevm_OVMSA-2018-0017.nasl

Version: 3.3

Type: local

Published: 2018/02/09

Modified: 2018/07/24

Dependencies: 12634

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/02/08

Reference Information

CVE: CVE-2017-0861, CVE-2017-12193, CVE-2017-14140, CVE-2017-15115, CVE-2017-17712, CVE-2017-5754, CVE-2017-8824

IAVA: 2018-A-0019