OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0017) (Meltdown)

high Nessus Plugin ID 106706

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 27234850] [Orabug: 27234850]

- hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 26988581]

- x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Don't try to change IBRS mode if IBRS is not available (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Remove support for IBRS_ENABLED_USER mode (Boris Ostrovsky)

- x86: Include linux/device.h in bugs_64.c (Boris Ostrovsky) [Orabug: 27418896]

- x86/spectre: Drop the warning about ibrs being obsolete. (Konrad Rzeszutek Wilk)

- x86/spec: Don't print the Missing arguments for option spectre_v2. (Konrad Rzeszutek Wilk)

- x86/spec: Also print IBRS if IBPB is disabled. (Konrad Rzeszutek Wilk)

- x86/IBPB: Provide debugfs interface for changing IBPB mode (Boris Ostrovsky) [Orabug: 27449065]

- xen: Make PV Dom0 Linux kernel NUMA aware (Elena Ufimtseva)

- net/rds: Fix incorrect error handling (Håkon Bugge) [Orabug: 26848729]

- net/rds: use multiple sge than buddy allocation in congestion code (Wei Lin Guay) [Orabug: 26848729]

- Revert 'RDS: fix the sg allocation based on actual message size' (Wei Lin Guay) [Orabug: 26848729]

- Revert 'RDS: avoid large pages for sg allocation for TCP transport' (Wei Lin Guay) [Orabug: 26848729]

- Revert 'net/rds: Reduce memory footprint in rds_sendmsg' (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during ib_post_recv in IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during rds_sendmsg with IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: set the rds_ib_init_frag based on supported sge (Wei Lin Guay) [Orabug: 26848729]

- bnxt_en: Fix possible corrupted NVRAM parameters from firmware response. (Michael Chan) [Orabug: 27199588]

- x86, kasan: Fix build failure on KASAN=y && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: Fix build failure on !KASAN && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: #undef memset/memcpy/memmove per arch (Andrey Ryabinin) [Orabug: 27255122]

- Revert 'Makefile: Build with -Werror=date-time if the compiler supports it' (Gayatri Vasudevan) [Orabug: 27255122]

- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290300] (CVE-2017-8824)

- x86/efi: Initialize and display UEFI secure boot state a bit later during init (Daniel Kiper) [Orabug: 27309477]

- x86/espfix: Init espfix on the boot CPU side (Zhu Guihua) [Orabug: 27344552]

- x86/espfix: Add 'cpu' parameter to init_espfix_ap (Zhu Guihua)

- ALSA: pcm: prevent UAF in snd_pcm_info (Robb Glasser) [Orabug: 27344841] (CVE-2017-0861) (CVE-2017-0861)

- fs/ocfs2: remove page cache for converted direct write (Wengang Wang)

- Revert 'ocfs2: code clean up for direct io' (Wengang Wang)

- assoc_array: Fix a buggy node-splitting case (David Howells) [Orabug: 27364592] (CVE-2017-12193) (CVE-2017-12193)

- Sanitize 'move_pages' permission checks (Linus Torvalds) [Orabug: 27364690] (CVE-2017-14140)

- pti: compile fix for when PTI is disabled (Pavel Tatashin) [Orabug: 27383147] (CVE-2017-5754)

- sctp: do not peel off an assoc from one netns to another one (Xin Long) [Orabug: 27386999] (CVE-2017-15115)

- net: ipv4: fix for a race condition in raw_sendmsg (Mohamed Ghannam) [Orabug: 27390682] (CVE-2017-17712)

- mlx4: add mstflint secure boot access kernel support (Qing Huang)

- x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk)

- x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk)

- x86: Move ENABLE_IBRS in the interrupt macro. (Konrad Rzeszutek Wilk)

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

http://www.nessus.org/u?f9702f90

Plugin Details

Severity: High

ID: 106706

File Name: oraclevm_OVMSA-2018-0017.nasl

Version: 3.4

Type: local

Published: 2/9/2018

Updated: 9/27/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/8/2018

Vulnerability Publication Date: 9/5/2017

Reference Information

CVE: CVE-2017-0861, CVE-2017-12193, CVE-2017-14140, CVE-2017-15115, CVE-2017-17712, CVE-2017-5754, CVE-2017-8824

IAVA: 2018-A-0019