OracleVM 3.4 : xen (OVMSA-2018-0233) (Spectre)

medium Nessus Plugin ID 110792

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing patches needed to address critical security updates:

- BUILDINFO: xen commit=67e64eec4bfe342ca6c2ff0858ae7f5c39041013

- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

- BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e

- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee

- x86/HVM: Restart ioreq processing state machine (Boris Ostrovsky)

- BUILDINFO: xen commit=7e4f43226d60a48df300b32ce60ecff75ce2612d

- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

- BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e

- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee

- svm: fix incorrect TSC scaling (Haozhong Zhang) [Orabug: 28189188]

- BUILDINFO: xen commit=ba8e4ae04e3594470f9ce1663135fbe8c25106af

- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

- BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e

- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee

- x86/spec-ctrl: Mitigations for LazyFPU (Ross Philipson) [Orabug: 28135217] (CVE-2018-3665)

- x86: Support fully eager FPU context switching (Andrew Cooper) [Orabug: 28135217] (CVE-2018-3665)

- BUILDINFO: xen commit=312880584fe084de632a6667254a5cc1c846179e

- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

- BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e

- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee

- [xenmicrocode] Fix error reporting on successful return from tool (Ross Philipson) [Orabug: 28128506]

- x86: correct default_xen_spec_ctrl calculation (Jan Beulich) [Orabug: 28034172]

- x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/cpuid: Improvements to guest policies for speculative sidechannel features (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Explicitly set Xen's default MSR_SPEC_CTRL value (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Fold the XEN_IBRS_[SET,CLEAR] ALTERNATIVES together (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as a variable (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Assume that STIBP feature is always available (Boris Ostrovsky) [Orabug: 28034172] (CVE-2018-3639)

- x86/spec_ctrl: Updates to retpoline-safety decision making (Andrew Cooper) [Orabug: 28034172] (CVE-2018-3639)

- BUILDINFO: xen commit=dc770041d983843c860c06d405054c0e01a4fd98

- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

- BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e

- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee

- one-off build

Solution

Update the affected xen / xen-tools packages.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2018-June/000869.html

Plugin Details

Severity: Medium

ID: 110792

File Name: oraclevm_OVMSA-2018-0233.nasl

Version: 1.7

Type: local

Published: 6/29/2018

Updated: 4/15/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.7

Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/28/2018

Vulnerability Publication Date: 5/22/2018

Reference Information

CVE: CVE-2018-3639, CVE-2018-3665