OracleVM 3.2 : xen (OVMSA-2016-0008)

High Nessus Plugin ID 88171


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- VT-d: fix TLB flushing in dma_pte_clear_one From: Jan Beulich The TLB flush code was wrong since xen-4.1.3-25.el5.127.20 (commit: vtd-Refactor-iotlb-flush-code.patch); both ovm-3.2.9 and ovm-3.2.10 were affected. The third parameter of __intel_iommu_iotlb_flush is to indicate whether the to-be-flushed entry was a present one. A few lines before, we bailed if !dma_pte_present(*pte), so there's no need to check the flag here again - we can simply always pass TRUE here. This is CVE-2013-6375 / XSA-78. Suggested-by: Cheng Yueqiang

(cherry picked from commit 85c72f9fe764ed96f5c149efcdd69ab7c18bfe3d) (CVE-2013-6375)

- x86/VMX: prevent INVVPID failure due to non-canonical guest address While INVLPG (and on SVM INVLPGA) don't fault on non-canonical addresses, INVVPID fails (in the 'individual address' case) when passed such an address. Since such intercepted INVLPG are effectively no-ops anyway, don't fix this in vmx_invlpg_intercept, but instead have paging_invlpg never return true in such a case. This is XSA-168. (CVE-2016-1571)

- x86/mm: PV superpage handling lacks sanity checks MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for validity before dereferencing pointers into the superpage frame table. get_superpage has a similar issue. This is XSA-167. (CVE-2016-1570)

- xend/image: Don't throw VMException when using backend domains for disks. If we are using backend domains the disk image may not be accessible within the host (domain0). As such it is OK to continue on. The 'addStoreEntries' in already does the check to make sure that when the 'backend' configuration is used - that said domain exists. As such the only change we need to do is to exclude the disk image location if the domain is not dom0.

- memory: fix XENMEM_exchange error handling assign_pages can fail due to the domain getting killed in parallel, which should not result in a hypervisor crash. Also delete a redundant put_gfn - all relevant paths leading to the 'fail' label already do this (and there are also paths where it was plain wrong). All of the put_gfn-s got introduced by 51032ca058 ('Modify naming of queries into the p2m'), including the otherwise unneeded initializer for k (with even a kind of misleading comment - the compiler warning could actually have served as a hint that the use is wrong). This is XSA-159.

Based on's xsa159.patch Conflicts: OVM 3.2 does not have the change (51032ca058) that is backed out in xen/common/memory.c or the put_gfn in xen/common/memory.c

(CVE-2015-8339, CVE-2015-8340)


Update the affected xen / xen-devel / xen-tools packages.

Plugin Details

Severity: High

ID: 88171

File Name: oraclevm_OVMSA-2016-0008.nasl

Version: $Revision: 2.6 $

Type: local

Published: 2016/01/26

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.9

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Base Score: 8.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/01/25

Reference Information

CVE: CVE-2013-6375, CVE-2015-8339, CVE-2015-8340, CVE-2016-1570, CVE-2016-1571

BID: 63830

OSVDB: 131284, 131285, 133503, 133504