Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4089) (Spectre)

High Nessus Plugin ID 109543

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.6

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

kernel-uek [3.8.13-118.20.6.el7uek]
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-100199}

[3.8.13-118.20.5.el7uek]
- x86/microcode: probe CPU features on microcode update (Ankur Arora) [Orabug: 27806667]
- x86/microcode: microcode_write() should not reference boot_cpu_data (Ankur Arora) [Orabug: 27806667]
- x86/cpufeatures: use cpu_data in init_scattered_cpuid_flags() (Ankur Arora) [Orabug: 27806667]

[3.8.13-118.20.4.el7uek]
- Drivers: hv: fcopy: set .owner reference for file operations (Joe Jin) [Orabug: 21191022]
- ALSA: usb-audio: Kill stray URB at exiting (Takashi Iwai) [Orabug: 27148281] {CVE-2017-16527}
- HID: usbhid: fix out-of-bounds bug (Jaejoong Kim) [Orabug: 27207929] {CVE-2017-16533}
- [media] cx231xx-cards: fix NULL-deref on missing association descriptor (Johan Hovold) [Orabug: 27208072] {CVE-2017-16536}
- net: cdc_ether: fix divide by 0 on bad descriptors (Bj&oslash rn Mork) [Orabug: 27215201] {CVE-2017-16649}
- x86/microcode/intel: Extend BDW late-loading with a revision check (Jia Zhang) [Orabug: 27343577]
- x86/microcode/intel: Disable late loading on model 79 (Borislav Petkov) [Orabug: 27343577]
- Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket (Al Viro) [Orabug: 27344793] {CVE-2017-15868}
- Bluetooth: hidp: verify l2cap sockets (David Herrmann) [Orabug: 27344793] {CVE-2017-15868}
- ALSA: pcm: prevent UAF in snd_pcm_info (Robb Glasser) [Orabug: 27344843] {CVE-2017-0861} {CVE-2017-0861}
- ptrace: use fsuid, fsgid, effective creds for fs access checks (Jann Horn) [Orabug: 27364691] {CVE-2017-14140}
- sctp: do not peel off an assoc from one netns to another one (Xin Long) [Orabug: 27387001] {CVE-2017-15115}
- Revert 'x86/spec_ctrl: Add 'nolfence' knob to disable fallback for spectre_v2 mitigation' (Ankur Arora) [Orabug: 27601787] {CVE-2017-5715}
- Revert 'x86/spec: Add 'lfence_enabled' in sysfs' (Ankur Arora) [Orabug: 27601787] {CVE-2017-5715}
- Revert 'x86/mitigation/spectre_v2: Add reporting of 'lfence'' (Ankur Arora) [Orabug: 27601787] {CVE-2017-5715}
- x86/mitigation/spectre_v2: Add reporting of 'lfence' (Konrad Rzeszutek Wilk) {CVE-2017-5715}
- x86/spec: Add 'lfence_enabled' in sysfs (Konrad Rzeszutek Wilk) {CVE-2017-5715}
- x86/spec_ctrl: Add 'nolfence' knob to disable fallback for spectre_v2 mitigation (Konrad Rzeszutek Wilk) {CVE-2017-5715}
- x86/spectre: bring spec_ctrl management logic closer to UEK4 (Ankur Arora) [Orabug: 27516512] {CVE-2017-5715}
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (David Woodhouse) [Orabug: 27516357] {CVE-2017-5715}
- x86/spectre_v2: Remove 0xc2 from spectre_bad_microcodes (Darren Kenny) [Orabug: 27516419] {CVE-2017-5715}
- x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes (David Woodhouse) [Orabug: 27516419] {CVE-2017-5715}
- x86: intel-family.h: Add GEMINI_LAKE SOC (Len Brown) [Orabug: 27516419]
- x86/cpu/intel: Introduce macros for Intel family numbers (Dave Hansen) [Orabug: 27516419]
- x86/spectre: expose 'stibp' (Konrad Rzeszutek Wilk) [Orabug: 27516419] {CVE-2017-5715}
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (David Woodhouse) [Orabug: 27516379] {CVE-2017-5715}
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (Tim Chen) [Orabug: 27516379] {CVE-2017-5715}
- x86/spectre: fix spectre_v1 mitigation indicators (Ankur Arora) [Orabug: 27509932] {CVE-2017-5715}
- x86/ia32/syscall: Clear extended registers %r8-%r15 (Ankur Arora) [Orabug: 27452028] {CVE-2017-5715}
- x86/ia32/syscall: Save full stack frame throughout the entry code (Ankur Arora) [Orabug: 27452028] {CVE-2017-5715}
- x86/ia32/syscall: cleanup trailing whitespace (Ankur Arora) [Orabug: 27452028] {CVE-2017-5715}
- x86/syscall: Clear callee saved registers (%r12-%r15, %rbp, %rbx) (Ankur Arora) [Orabug: 27452028] {CVE-2017-5715}
- x86/syscall: Save callee saved registers on syscall entrance (Ankur Arora) [Orabug: 27452028] {CVE-2017-5715}

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2018-May/007660.html

https://oss.oracle.com/pipermail/el-errata/2018-May/007661.html

Plugin Details

Severity: High

ID: 109543

File Name: oraclelinux_ELSA-2018-4089.nasl

Version: 1.11

Type: local

Agent: unix

Published: 2018/05/03

Updated: 2019/09/27

Dependencies: 12634, 122878

Risk Information

Risk Factor: High

VPR Score: 7.6

CVSS v2.0

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.6.el6uek, p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.6.el7uek, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, cpe:/o:oracle:linux:6, cpe:/o:oracle:linux:7

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/05/02

Vulnerability Publication Date: 2017/09/05

Reference Information

CVE: CVE-2017-0861, CVE-2017-14140, CVE-2017-15115, CVE-2017-15868, CVE-2017-16527, CVE-2017-16533, CVE-2017-16536, CVE-2017-16649, CVE-2017-5715, CVE-2018-100199

IAVA: 2018-A-0020