OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0223) (Spectre)

high Nessus Plugin ID 110072
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) (CVE-2018-3639)

- x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Make cpu_show_common static (Jiri Kosina) (CVE-2018-3639)

- x86/bugs: Fix __ssb_select_mitigation return type (Jiri Kosina) (CVE-2018-3639)

- Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) (CVE-2018-3639)

- proc: Use underscores for SSBD in 'status' (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/speculation: Make 'seccomp' the default mode for Speculative Store Bypass (Kees Cook) (CVE-2018-3639)

- seccomp: Move speculation migitation control to arch code (Thomas Gleixner) (CVE-2018-3639)

- seccomp: Add filter flag to opt-out of SSB mitigation (Kees Cook) (CVE-2018-3639)

- seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner) (CVE-2018-3639)

- prctl: Add force disable speculation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- seccomp: Enable speculation flaw mitigations (Kees Cook) (CVE-2018-3639)

- proc: Provide details on speculation flaw mitigations (Kees Cook) (CVE-2018-3639)

- nospec: Allow getting/setting on non-current task (Kees Cook) (CVE-2018-3639)

- x86/bugs/IBRS: Disable SSB (RDS) if IBRS is sslected for spectre_v2. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/speculation: Add prctl for Speculative Store Bypass mitigation (Thomas Gleixner) (CVE-2018-3639)

- x86: thread_info.h: move RDS from index 5 to 23 (Mihai Carabas) (CVE-2018-3639)

- x86/process: Allow runtime control of Speculative Store Bypass (Thomas Gleixner) (CVE-2018-3639)

- prctl: Add speculation control prctls (Thomas Gleixner) (CVE-2018-3639)

- x86/speculation: Create spec-ctrl.h to avoid include hell (Thomas Gleixner) (CVE-2018-3639)

- x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/intel: Set proper CPU features and setup RDS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Expose /sys/../spec_store_bypass (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/cpu/intel: Add Knights Mill to Intel family (Piotr Luc) (CVE-2018-3639)

- x86/cpu: Rename Merrifield2 to Moorefield (Andy Shevchenko) (CVE-2018-3639)

- x86/bugs, KVM: Support the combination of guest and host IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Warn if IBRS is enabled during boot.
(Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Use variable instead of defines for enabling IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Concentrate bug reporting into a separate function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Concentrate bug detection into a separate function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Turn on IBRS in spectre_v2_select_mitigation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- scsi: libfc: Revisit kref handling (Hannes Reinecke)

- scsi: libfc: reset exchange manager during LOGO handling (Hannes Reinecke)

- scsi: libfc: send LOGO for PLOGI failure (Hannes Reinecke)

- scsi: libfc: Issue PRLI after a PRLO has been received (Hannes Reinecke)

- libfc: Update rport reference counting (Hannes Reinecke)

- amd/kvm: do not intercept new MSRs for spectre v2 mitigation (Elena Ufimtseva)

- RDS: null pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 27422832] (CVE-2018-5333)

- ACPI: sbshc: remove raw pointer from printk message (Greg Kroah-Hartman) [Orabug: 27501257] (CVE-2018-5750)

- futex: Prevent overflow by strengthen input validation (Li Jinyue) [Orabug: 27539548] (CVE-2018-6927)

- net: ipv4: add support for ECMP hash policy choice (Venkat Venkatsubra) [Orabug: 27547114]

- net: ipv4: Consider failed nexthops in multipath routes (David Ahern)

- ipv4: L3 hash-based multipath (Peter N&oslash rlund) [Orabug: 27547114]

- dm: fix race between dm_get_from_kobject and
__dm_destroy (Hou Tao) [Orabug: 27677556] (CVE-2017-18203)

- NFS: only invalidate dentrys that are clearly invalid.

- net: Improve handling of failures on link and route dumps (David Ahern) [Orabug: 27959177]

- mm/mempolicy: fix use after free when calling get_mempolicy (zhong jiang) [Orabug: 27963519] (CVE-2018-10675)

- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27963530] (CVE-2018-8781)

- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug:
27963576] (CVE-2018-10323)

- Revert 'mlx4: change the ICM table allocations to lowest needed size' (H&aring kon Bugge) [Orabug: 27980030]

- Bluetooth: Prevent stack info leak from the EFS element.
(Ben Seri) [Orabug: 28030514] (CVE-2017-1000410) (CVE-2017-1000410)


Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

Plugin Details

Severity: High

ID: 110072

File Name: oraclevm_OVMSA-2018-0223.nasl

Version: 1.5

Type: local

Published: 5/24/2018

Updated: 1/23/2020

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 6.9


Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C


Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2018

Vulnerability Publication Date: 12/7/2017

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2017-1000410, CVE-2017-18203, CVE-2018-10323, CVE-2018-10675, CVE-2018-3639, CVE-2018-5333, CVE-2018-5750, CVE-2018-6927, CVE-2018-8781