OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)

High Nessus Plugin ID 121605

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- rds: congestion updates can be missed when kernel low on memory (Mukesh Kacker) [Orabug: 28425811]

- net/rds: ib: Fix endless RNR Retries caused by memory allocation failures (Venkat Venkatsubra) [Orabug:
28127993]

- net: rds: fix excess initialization of the recv SGEs (Zhu Yanjun) [Orabug: 29004503]

- xhci: fix usb2 resume timing and races. (Mathias Nyman) [Orabug: 29028940]

- xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices (Mathias Nyman) [Orabug: 29028940]

- userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered (Andrea Arcangeli) [Orabug:
29163750] (CVE-2018-18397)

- userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750] (CVE-2018-18397)

- x86/apic/x2apic: set affinity of a single interrupt to one cpu (Jianchao Wang) [Orabug: 29196396]

- xen/blkback: rework validate_io_op (Dongli Zhang) [Orabug: 29199843]

- xen/blkback: optimize validate_io_op to filter BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
29199843]

- xen/blkback: do not BUG for invalid blkif_request from frontend (Dongli Zhang) [Orabug: 29199843]

- net/rds: WARNING: at net/rds/recv.c:222 rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra) [Orabug: 29201779]

- xen-netback: wake up xenvif_dealloc_kthread when it should stop (Dongli Zhang) [Orabug: 29217927]

- Revert 'xfs: remove nonblocking mode from xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

- Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang) [Orabug: 29279692]

- Revert 'xfs: Introduce writeback context for writepages' (Wengang Wang) [Orabug: 29279692]

- Revert 'xfs: xfs_cluster_write is redundant' (Wengang Wang) [Orabug: 29279692]

- Revert 'xfs: factor mapping out of xfs_do_writepage' (Wengang Wang) [Orabug: 29279692]

- Revert 'xfs: don't chain ioends during writepage submission' (Wengang Wang) [Orabug: 29279692]

- mstflint: Fix coding style issues - left with LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

- mstflint: Fix coding-style issues (Idan Mehalel) [Orabug: 28878697]

- mstflint: Fix errors found with checkpatch script (Idan Mehalel) [Orabug: 28878697]

- Added support for 5th Gen devices in Secure Boot module and mtcr (Adham Masarwah) [Orabug: 28878697]

- Fix typos in mst_kernel (Adham Masarwah) [Orabug:
28878697]

- bnxt_en: Report PCIe link properties with pcie_print_link_status (Brian Maly) [Orabug: 28942099]

- selinux: Perform both commoncap and selinux xattr checks (Eric W. Biederman) [Orabug: 28951521]

- Introduce v3 namespaced file capabilities (Serge E.
Hallyn) [Orabug: 28951521]

- rds: ib: Use a delay when reconnecting to the very same IP address (H&aring kon Bugge) [Orabug: 29138813]

- Change mincore to count 'mapped' pages rather than 'cached' pages (Linus Torvalds) [Orabug: 29187415] (CVE-2019-5489)

- NFSD: Set the attributes used to store the verifier for EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

- ext4: update i_disksize when new eof exceeds it (Shan Hai) [Orabug: 28940828]

- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 28940828]

- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28940828]

- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (Hui Peng) [Orabug: 29042981] (CVE-2018-19824)

- ALSA: usb-audio: Replace probing flag with active refcount (Takashi Iwai) [Orabug: 29042981] (CVE-2018-19824)

- ALSA: usb-audio: Avoid nested autoresume calls (Takashi Iwai) [Orabug: 29042981] (CVE-2018-19824)

- ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)

- ext4: update inline int ext4_has_metadata_csum(struct super_block *sb) (John Donnelly) [Orabug: 29114440] (CVE-2018-1094)

- ext4: always initialize the crc32c checksum driver (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094) (CVE-2018-1094)

- Revert 'bnxt_en: Reduce default rings on multi-port cards.' (Brian Maly) [Orabug: 28687746]

- mlx4_core: Disable P_Key Violation Traps (H&aring kon Bugge) [Orabug: 27693633]

- rds: RDS connection does not reconnect after CQ access violation error (Venkat Venkatsubra) [Orabug: 28733324]

- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 28069548]

- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded (Mihai Carabas) [Orabug: 28069548]

- KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

- KVM: x86: pass host_initiated to functions that read MSRs (Paolo Bonzini) [Orabug: 28069548]

- KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini) [Orabug: 28069548]

- KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini) [Orabug: 28069548]

- KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
28069548]

- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
28069548]

- ocfs2: don't clear bh uptodate for block read (Junxiao Bi) [Orabug: 28762940]

- ocfs2: clear journal dirty flag after shutdown journal (Junxiao Bi) [Orabug: 28924775]

- ocfs2: fix panic due to unrecovered local alloc (Junxiao Bi) [Orabug: 28924775]

- net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 28947481]

- x86/speculation: Always disable IBRS in disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
29139710]

- pinctrl: amd: Use devm_pinctrl_register for pinctrl registration (Laxman Dewangan) [Orabug: 27539246] (CVE-2017-18174)

- mlock: fix mlock count can not decrease in race condition (Yisheng Xie) [Orabug: 27677611] (CVE-2017-18221)

- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

- mm: cma: fix incorrect type conversion for size during dma allocation (Rohit Vaswani) [Orabug: 28407826] (CVE-2017-9725)

- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

- x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez) [Orabug: 28474851]

- x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez) [Orabug: 28474851]

- xen/blkback: fix disconnect while I/Os in flight (Juergen Gross) [Orabug: 28744234]

- mlx4_vnic: use the mlid while calling ib_detach_mcast (aru kolappan) [Orabug: 29029705]

- ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092) (CVE-2018-1092)

- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363) (CVE-2018-9363)

- HID: debug: check length before copy_to_user (Daniel Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

- x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
29149888] (CVE-2018-7995)

- Input: i8042 - fix crash at boot time (Chen Hong) [Orabug: 29152328] (CVE-2017-18079)

- base/memory, hotplug: fix a kernel oops in show_valid_zones (Toshi Kani) [Orabug: 29050538]

- mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

- drivers/base/memory.c: prohibit offlining of memory blocks with missing sections (Seth Jennings) [Orabug:
29050538]

- mm: Check if section present during memory block (un)registering (Yinghai Lu) [Orabug: 29050538]

- hugetlb: take PMD sharing into account when flushing tlb/caches (Mike Kravetz) [Orabug: 28951854]

- mm: migration: fix migration of huge PMD shared pages (Mike Kravetz) [Orabug: 28951854]

- hugetlbfs: use truncate mutex to prevent pmd sharing race (Mike Kravetz) [Orabug: 28896255]

- rds: ib: Improve tracing during failover/back (H&aring kon Bugge) [Orabug: 28860366]

- rds: ib: Remove superfluous add of address on fail-back device (H&aring kon Bugge) [Orabug: 28860366]

- libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

- wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 28951265] (CVE-2018-5848)

- netfilter: xt_osf: Add missing permission checks (Kevin Cernekee) [Orabug: 29037831] (CVE-2017-17450)

- x86/speculation: Fix bad argument to rdmsrl in cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

http://www.nessus.org/u?e632fc23

Plugin Details

Severity: High

ID: 121605

File Name: oraclevm_OVMSA-2019-0002.nasl

Version: 1.2

Type: local

Published: 2019/02/06

Updated: 2019/04/02

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/02/05

Vulnerability Publication Date: 2017/09/21

Reference Information

CVE: CVE-2017-17450, CVE-2017-18079, CVE-2017-18174, CVE-2017-18221, CVE-2017-18255, CVE-2017-9725, CVE-2018-1092, CVE-2018-1094, CVE-2018-18397, CVE-2018-19824, CVE-2018-5848, CVE-2018-7995, CVE-2018-9363, CVE-2018-9516, CVE-2019-5489