Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4114) (Spectre)

high Nessus Plugin ID 110071
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7


The remote Oracle Linux host is missing one or more security updates.


Description of changes:
- KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) {CVE-2018-3639}
- x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Make cpu_show_common() static (Jiri Kosina) {CVE-2018-3639}
- x86/bugs: Fix __ssb_select_mitigation() return type (Jiri Kosina) {CVE-2018-3639}
- Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) {CVE-2018-3639}
- proc: Use underscores for SSBD in 'status' (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/speculation: Make 'seccomp' the default mode for Speculative Store Bypass (Kees Cook) {CVE-2018-3639}
- seccomp: Move speculation migitation control to arch code (Thomas Gleixner) {CVE-2018-3639}
- seccomp: Add filter flag to opt-out of SSB mitigation (Kees Cook) {CVE-2018-3639}
- seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner) {CVE-2018-3639}
- prctl: Add force disable speculation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- seccomp: Enable speculation flaw mitigations (Kees Cook) {CVE-2018-3639}
- proc: Provide details on speculation flaw mitigations (Kees Cook) {CVE-2018-3639}
- nospec: Allow getting/setting on non-current task (Kees Cook) {CVE-2018-3639}
- x86/bugs/IBRS: Disable SSB (RDS) if IBRS is sslected for spectre_v2. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/speculation: Add prctl for Speculative Store Bypass mitigation (Thomas Gleixner) {CVE-2018-3639}
- x86: thread_info.h: move RDS from index 5 to 23 (Mihai Carabas) {CVE-2018-3639}
- x86/process: Allow runtime control of Speculative Store Bypass (Thomas Gleixner) {CVE-2018-3639}
- prctl: Add speculation control prctls (Thomas Gleixner) {CVE-2018-3639}
- x86/speculation: Create spec-ctrl.h to avoid include hell (Thomas Gleixner) {CVE-2018-3639}
- x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs/intel: Set proper CPU features and setup RDS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Expose /sys/../spec_store_bypass (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/cpu/intel: Add Knights Mill to Intel family (Piotr Luc) {CVE-2018-3639}
- x86/cpu: Rename Merrifield2 to Moorefield (Andy Shevchenko) {CVE-2018-3639}
- x86/bugs, KVM: Support the combination of guest and host IBRS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs/IBRS: Warn if IBRS is enabled during boot. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs/IBRS: Use variable instead of defines for enabling IBRS (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Concentrate bug reporting into a separate function (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs: Concentrate bug detection into a separate function (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/bugs/IBRS: Turn on IBRS in spectre_v2_select_mitigation (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk) {CVE-2018-3639}
- scsi: libfc: Revisit kref handling (Hannes Reinecke)
- scsi: libfc: reset exchange manager during LOGO handling (Hannes Reinecke)
- scsi: libfc: send LOGO for PLOGI failure (Hannes Reinecke)
- scsi: libfc: Issue PRLI after a PRLO has been received (Hannes Reinecke)
- libfc: Update rport reference counting (Hannes Reinecke)
- amd/kvm: do not intercept new MSRs for spectre v2 mitigation (Elena Ufimtseva)
- RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 27422832] {CVE-2018-5333}
- ACPI: sbshc: remove raw pointer from printk() message (Greg Kroah-Hartman) [Orabug: 27501257] {CVE-2018-5750}
- futex: Prevent overflow by strengthen input validation (Li Jinyue) [Orabug: 27539548] {CVE-2018-6927}
- net: ipv4: add support for ECMP hash policy choice (Venkat Venkatsubra) [Orabug: 27547114]
- net: ipv4: Consider failed nexthops in multipath routes (David Ahern) [Orabug: 27547114]
- ipv4: L3 hash-based multipath (Peter N&oslash rlund) [Orabug: 27547114]
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) [Orabug: 27677556] {CVE-2017-18203}
- NFS: only invalidate dentrys that are clearly invalid. (NeilBrown) [Orabug: 27870824]
- net: Improve handling of failures on link and route dumps (David Ahern) [Orabug: 27959177]
- mm/mempolicy: fix use after free when calling get_mempolicy (zhong jiang) [Orabug: 27963519] {CVE-2018-10675}
- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27963530] {CVE-2018-8781}
- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27963576] {CVE-2018-10323}
- Revert 'mlx4: change the ICM table allocations to lowest needed size' (H&aring kon Bugge) [Orabug: 27980030]
- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030514] {CVE-2017-1000410} {CVE-2017-1000410}


Update the affected unbreakable enterprise kernel packages.

See Also

Plugin Details

Severity: High

ID: 110071

File Name: oraclelinux_ELSA-2018-4114.nasl

Version: 1.10

Type: local

Agent: unix

Published: 5/24/2018

Updated: 1/23/2020

Dependencies: ssh_get_info.nasl, linux_alt_patch_detect.nasl

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*, cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek-debug:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek-debug-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek-doc:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:linux:kernel-uek-firmware:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2018

Vulnerability Publication Date: 12/7/2017

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2018-5333, CVE-2018-6927, CVE-2017-18203, CVE-2018-8781, CVE-2018-3639, CVE-2018-10675, CVE-2017-1000410, CVE-2018-5750, CVE-2018-10323