Oracle Linux 7 : libvirt (ELSA-2019-4714) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

high Nessus Plugin ID 126674

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[5.0.0-9.el7]
- qemu: remove cpuhostmask and cpuguestmask from virCaps structure (Wim ten Have) [Orabug: 29956508]

[5.0.0-8.el7]
- api: disallow virDomainSaveImageGetXMLDesc on read-only connections (Ján Tomko) [Orabug: 29955742] {CVE-2019-10161}
- domain: Define explicit flags for saved image xml (Eric Blake) [Orabug: 29955742]
- api: disallow virDomainManagedSaveDefineXML on read-only connections (Ján Tomko) [Orabug: 29955742] {CVE-2019-10166}
- api: disallow virConnectGetDomainCapabilities on read-only connections (Ján Tomko) [Orabug: 29955742] {CVE-2019-10167}
- api: disallow virConnect*HypervisorCPU on read-only connections (Ján Tomko) [Orabug: 29955742] {CVE-2019-10168}

[5.0.0-7.el7]
- cpu_map: Define md-clear CPUID bit (Jiri Denemark) [Orabug: 29874181] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}

[5.0.0-6.el7]
- qemu: Driver change adding private lock to auto-tune hugepages (Wim ten Have) [Orabug: 29809943]

[5.0.0-5.el7]
- qemu: disable setmem change requests for vNUMA targets (Wim ten Have) [Orabug: 29797366]
- domain: Disable memballoon memory configuration support for vNUMA guests (Wim ten Have) [Orabug: 29797366]
- qemu: Driver change to target for vNUMA setmaxmem change request (Wim ten Have) [Orabug: 29749852]
- domain: Add domain memory config support for vNUMA guests (Wim ten Have) [Orabug: 29749852]
- logging: restrict sockets to mode 0600 (Daniel P. Berrangé) [Orabug: 29861433] {CVE-2019-10132}
- locking: restrict sockets to mode 0600 (Daniel P. Berrangé) [Orabug: 29861433] {CVE-2019-10132}
- admin: reject clients unless their UID matches the current UID (Daniel P. Berrangé) [Orabug: 29861433] {CVE-2019-10132}

Solution

Update the affected libvirt packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2019-July/008892.html

Plugin Details

Severity: High

ID: 126674

File Name: oraclelinux_ELSA-2019-4714.nasl

Version: 1.6

Type: local

Agent: unix

Published: 7/15/2019

Updated: 12/6/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-10161

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-10132

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:libvirt, p-cpe:/a:oracle:linux:libvirt-admin, p-cpe:/a:oracle:linux:libvirt-bash-completion, p-cpe:/a:oracle:linux:libvirt-client, p-cpe:/a:oracle:linux:libvirt-daemon, p-cpe:/a:oracle:linux:libvirt-daemon-config-network, p-cpe:/a:oracle:linux:libvirt-daemon-config-nwfilter, p-cpe:/a:oracle:linux:libvirt-daemon-driver-interface, p-cpe:/a:oracle:linux:libvirt-daemon-driver-lxc, p-cpe:/a:oracle:linux:libvirt-daemon-driver-network, p-cpe:/a:oracle:linux:libvirt-daemon-driver-nodedev, p-cpe:/a:oracle:linux:libvirt-daemon-driver-nwfilter, p-cpe:/a:oracle:linux:libvirt-daemon-driver-qemu, p-cpe:/a:oracle:linux:libvirt-daemon-driver-secret, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-core, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-disk, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-gluster, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-logical, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-mpath, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-rbd, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-scsi, p-cpe:/a:oracle:linux:libvirt-daemon-kvm, p-cpe:/a:oracle:linux:libvirt-daemon-lxc, p-cpe:/a:oracle:linux:libvirt-daemon-qemu, p-cpe:/a:oracle:linux:libvirt-devel, p-cpe:/a:oracle:linux:libvirt-docs, p-cpe:/a:oracle:linux:libvirt-libs, p-cpe:/a:oracle:linux:libvirt-lock-sanlock, p-cpe:/a:oracle:linux:libvirt-login-shell, p-cpe:/a:oracle:linux:libvirt-nss, cpe:/o:oracle:linux:7

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/11/2019

Vulnerability Publication Date: 5/22/2019

Reference Information

CVE: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-10132, CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168, CVE-2019-11091