OracleVM 3.2 : dhcp (OVMSA-2016-0058)

High Nessus Plugin ID 91742


The remote OracleVM host is missing a security update.


The remote OracleVM system is missing necessary patches to address critical security updates :

- exit(2) after sending DHCPDECLINE when dhclient has been started with '-1' (RHBZ #756490)

- An error in the handling of malformed client identifiers can cause a denial-of-service condition in affected servers. (CVE-2012-3571, #843125)

- Propagate libdhcp timeout to internal timeout_arg (RHBZ #736515)

- A pair of defects cause the server to halt upon processing certain packets (CVE-2011-2748, CVE-2011-2749, #729881)

- dhclient.conf(5), dhclient(8) mention that interface-mtu option is also requested by default (RHBZ #694264)

- Better fix for CVE-2011-0997: making domain-name check more lenient (RHBZ #690577)

- dhclient requests interface-mtu option by default (RHBZ #694264)

- dhclient.conf(5) fix (RHBZ #585855)

- Make dhcpd init script LSB compliant (RHBZ #610128)

- Use PID for seeding the random number generator in dhclient (RHBZ #623953)

- Add DHCRELAYARGS variable to /etc/sysconfig/dhcrelay (RHBZ #624965)

- 'lease imbalance' messages are not logged unless rebalance was actually attempted (RHBZ #661939)

- Explicitly clear the ARP cache and flush all addresses & routes instead of bringing the interface down (RHBZ #685048)

- IPoIB support (RHBZ #660679)

- dhclient: insufficient sanitization of certain DHCP response values (CVE-2011-0997, #690577)

- A partner-down failover server no longer emits 'peer holds all free leases' if it is able to newly-allocate one of the peer's leases. (RHBZ #610219)

- The server's 'by client-id' and 'by hardware address' hash table lists are now sorted according to the preference to re-allocate that lease to returning clients. This should eliminate pool starvation problems arising when 'INIT' clients were given new leases rather than presently active ones. (RHBZ #615995)


Update the affected dhclient package.

See Also

Plugin Details

Severity: High

ID: 91742

File Name: oraclevm_OVMSA-2016-0058.nasl

Version: $Revision: 2.4 $

Type: local

Published: 2016/06/22

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:dhclient, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/06/21

Exploitable With


Reference Information

CVE: CVE-2011-0997, CVE-2011-2748, CVE-2011-2749, CVE-2012-3571

BID: 47176, 49120, 54665

OSVDB: 71493, 74556, 74557, 84255