OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0041)

medium Nessus Plugin ID 140361
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas Bortoli) [Orabug: 31351221] (CVE-2019-19535)

- media: hdpvr: Fix an error handling path in hdpvr_probe (Arvind Yadav) [Orabug: 31352053] (CVE-2017-16644)

- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza Cascardo) [Orabug: 31588258] - clear inode and truncate pages before enqueuing for async inactivation (Gautham Ananthakrishna) [Orabug: 31744270]

- mm: create alloc_last_chance debugfs entries (Mike Kravetz) [Orabug: 31295499] - mm: perform 'last chance' reclaim efforts before allocation failure (Mike Kravetz) [Orabug: 31295499] - mm: let page allocation slowpath retry 'order' times (Mike Kravetz) [Orabug: 31295499] - fix kABI breakage from 'netns: provide pure entropy for net_hash_mix' (Dan Duval) [Orabug: 31351904] (CVE-2019-10638) (CVE-2019-10639)

- netns: provide pure entropy for net_hash_mix (Eric Dumazet) [Orabug: 31351904] (CVE-2019-10638) (CVE-2019-10639)

- hrtimer: Annotate lockless access to timer->base (Eric Dumazet) [Orabug: 31380495] - rds: ib: Revert 'net/rds:
Avoid stalled connection due to CM REQ retries' (H&aring kon Bugge) [Orabug: 31648141] - rds: Clear reconnect pending bit (H&aring kon Bugge) [Orabug:
31648141] - RDMA/netlink: Do not always generate an ACK for some netlink operations (H&aring kon Bugge) [Orabug:
31666975] - genirq/proc: Return proper error code when irq_set_affinity fails (Wen Yaxng) [Orabug: 31723450]

- fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info (Alexander Potapenko) [Orabug:
31350639] (CVE-2020-10732)

- crypto: user - fix memory leak in crypto_report (Navid Emamdoost) [Orabug: 31351640] (CVE-2019-19062)

- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost) [Orabug: 31351702] (CVE-2019-19049)

- IB/sa: Resolv use-after-free in ib_nl_make_request (Divya Indi) [Orabug: 31656992] - net-sysfs: call dev_hold if kobject_init_and_add success (YueHaibing) [Orabug: 31687545] (CVE-2019-20811)


Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

Plugin Details

Severity: Medium

ID: 140361

File Name: oraclevm_OVMSA-2020-0041.nasl

Version: 1.2

Type: local

Published: 9/8/2020

Updated: 9/10/2020

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2017-16644


Risk Factor: Medium

Score: 5.9


Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.8

Vector: CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:oracle:vm_server:3.4:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:vm:kernel-uek:*:*:*:*:*:*:*, p-cpe:2.3:a:oracle:vm:kernel-uek-firmware:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/4/2020

Vulnerability Publication Date: 11/7/2017

Reference Information

CVE: CVE-2017-16644, CVE-2019-10638, CVE-2019-10639, CVE-2019-19049, CVE-2019-19062, CVE-2019-19535, CVE-2019-20811, CVE-2020-10732