OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0038)

medium Nessus Plugin ID 127565

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - x86/speculation: Exclude ATOMs from speculation through SWAPGS (Thomas Gleixner) [Orabug: 29967571] (CVE-2019-1125)

 - x86/speculation: Enable Spectre v1 swapgs mitigations (Josh Poimboeuf) [Orabug: 29967571] (CVE-2019-1125)

 - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations (Josh Poimboeuf) [Orabug: 29967571] (CVE-2019-1125)

 - mlx4_core: change log_num_[qp,rdmarc] with scale_profile (Mukesh Kacker) [Orabug: 30064080]

 - scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (Cathy Avery) [Orabug: 30052805]

 - USB: check usb_get_extra_descriptor for proper size (Mathias Payer) [Orabug: 29755247] (CVE-2018-20169)

 - rds: ib: Fix dereference of conn when NULL and cleanup thereof (H&aring kon Bugge) [Orabug: 29924849]

 - ext4: zero out the unused memory region in the extent tree block (Sriram Rajagopalan) [Orabug: 29925523] (CVE-2019-11833) (CVE-2019-11833)

 - ip_sockglue: Fix missing-check bug in ip_ra_control (Gen Zhang) [Orabug: 29926005] (CVE-2019-12381)

 - ipv6_sockglue: Fix a missing-check bug in ip6_ra_control (Gen Zhang) [Orabug: 29926057] (CVE-2019-12378)

 - x86/microcode: fix x86_spec_ctrl_mask on late loading.
 (Mihai Carabas) [Orabug: 29941248]

 - net: rds: fix rds recv memory leak (Zhu Yanjun) [Orabug:
 30034815]

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

http://www.nessus.org/u?4a8d3cb3

Plugin Details

Severity: Medium

ID: 127565

File Name: oraclevm_OVMSA-2019-0038.nasl

Version: 1.4

Type: local

Published: 8/12/2019

Updated: 2/18/2020

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 6.1

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/8/2019

Vulnerability Publication Date: 12/17/2018

Reference Information

CVE: CVE-2018-20169, CVE-2019-1125, CVE-2019-11833, CVE-2019-12378, CVE-2019-12381