OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0041)

high Nessus Plugin ID 140361


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates:

- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas Bortoli) [Orabug: 31351221] (CVE-2019-19535)

- media: hdpvr: Fix an error handling path in hdpvr_probe (Arvind Yadav) [Orabug: 31352053] (CVE-2017-16644)

- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza Cascardo) [Orabug: 31588258]

- clear inode and truncate pages before enqueuing for async inactivation (Gautham Ananthakrishna) [Orabug: 31744270]

- mm: create alloc_last_chance debugfs entries (Mike Kravetz) [Orabug: 31295499]

- mm: perform 'last chance' reclaim efforts before allocation failure (Mike Kravetz) [Orabug: 31295499]

- mm: let page allocation slowpath retry 'order' times (Mike Kravetz) [Orabug: 31295499]

- fix kABI breakage from 'netns: provide pure entropy for net_hash_mix' (Dan Duval) [Orabug: 31351904] (CVE-2019-10638) (CVE-2019-10639)

- netns: provide pure entropy for net_hash_mix (Eric Dumazet) [Orabug: 31351904] (CVE-2019-10638) (CVE-2019-10639)

- hrtimer: Annotate lockless access to timer->base (Eric Dumazet) [Orabug: 31380495]

- rds: ib: Revert 'net/rds: Avoid stalled connection due to CM REQ retries' (Håkon Bugge) [Orabug: 31648141]

- rds: Clear reconnect pending bit (Håkon Bugge) [Orabug: 31648141]

- RDMA/netlink: Do not always generate an ACK for some netlink operations (Håkon Bugge) [Orabug: 31666975]

- genirq/proc: Return proper error code when irq_set_affinity fails (Wen Yaxng) [Orabug: 31723450]

- fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info (Alexander Potapenko) [Orabug: 31350639] (CVE-2020-10732)

- crypto: user - fix memory leak in crypto_report (Navid Emamdoost) [Orabug: 31351640] (CVE-2019-19062)

- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost) [Orabug: 31351702] (CVE-2019-19049)

- IB/sa: Resolv use-after-free in ib_nl_make_request (Divya Indi) [Orabug: 31656992]

- net-sysfs: call dev_hold if kobject_init_and_add success (YueHaibing) [Orabug: 31687545] (CVE-2019-20811)


Update the affected kernel-uek / kernel-uek-firmware packages.

Plugin Details

Severity: High

ID: 140361

File Name: oraclevm_OVMSA-2020-0041.nasl

Version: 1.3

Type: local

Published: 9/8/2020

Updated: 5/13/2022

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2017-16644


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/4/2020

Vulnerability Publication Date: 11/7/2017

Reference Information

CVE: CVE-2017-16644, CVE-2019-10638, CVE-2019-10639, CVE-2019-19049, CVE-2019-19062, CVE-2019-19535, CVE-2019-20811, CVE-2020-10732