OracleVM 3.3 / 3.4 : glibc (OVMSA-2017-0051)

critical Nessus Plugin ID 99078


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- Update newmode size to fix a possible corruption

- Fix AF_INET6 getaddrinfo with nscd (#1416496)

- Update tests for struct sockaddr_storage changes (#1338673)

- Use FL_CLOEXEC in internal calls to fopen (#1012343).

- Fix CVE-2015-8779 glibc: Unbounded stack allocation in catopen function (#1358015).

- Make padding in struct sockaddr_storage explicit (#1338673)

- Fix detection of Intel FMA hardware (#1384281).

- Add support for, ur_IN, and wal_ET locales (#1101858).

- Change malloc/tst-malloc-thread-exit.c to use fewer threads and avoid timeout (#1318380).

- df can fail on some systems (#1307029).

- Log uname, cpuinfo, meminfo during build (#1307029).

- Draw graphs for heap and stack only if MAXSIZE_HEAP and MAXSIZE_STACK are non-zero (#1331304).

- Avoid unneeded calls to __check_pf in getadddrinfo (#1270950)

- Fix CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r (#1358013).

- Fix CVE-2015-8776 glibc: Segmentation fault caused by passing out-of-range data to strftime (#1358011).

- tzdata-update: Ignore umask setting (#1373646)

- CVE-2014-9761: Fix unbounded stack allocation in nan* (#1358014)

- Avoid using uninitialized data in getaddrinfo (#1223095)

- Update fix for CVE-2015-7547 (#1296029).

- Create helper threads with enough stack for POSIX AIO and timers (#1299319).

- Fix CVE-2015-7547: getaddrinfo stack-based buffer overflow (#1296029).

- Update malloc free_list cyclic fix (#1264189).

- Update tzdata-update changes (#1200555).

- Avoid redundant shift character in iconv output at block boundary (#1293914).

- Clean up testsuite results when testing with newer kernels (#1293464).

- Do not rewrite /etc/localtime if it is a symbolic link.

- Support long lines in /etc/hosts (#1020263).

- Avoid aliasing warning in tst-rec-dlopen (#1291444)

- Don't touch user-controlled stdio locks in forked child (#1275384).

- Increase the limit of shared libraries that can use static TLS (#1198802).

- Avoid PLT in libm for feupdateenv (#1186104).

- Allow PLT entry in libc for _Unwind_Find_FDE on s390/s390x (#1186104).

- Provide /etc/gai.conf only in the glibc package.

- Change first day of the week to Monday for the ca_ES locale. (#1011900)

- Update BIG5-HKSCS charmap to HKSCS-2008. (#1211748)

- Rename Oriya locale to Odia. (#1091334)

- Avoid hang in gethostbyname_r due to missing mutex unlocking (#1192621)

- Avoid crash when audit modules provide path (#1211098)

- Suppress expected backtrace in tst-malloc-backtrace (#1276633)

- Avoid PLT for memmem (#1186104).

- Fix up a missing dependency in the Makefile (#1219627).

- Reduce lock contention in __tz_convert (#1244585).

- Prevent the malloc arena free list from becoming cyclic (#1264189)

- Remove legacy IA64 support (#1246145).

- Check for NULL arena pointer in _int_pvalloc (#1246656).

- Don't change no_dyn_threshold on mallopt failure (#1246660).

- Unlock main arena after allocation in calloc (#1245731).

- Enable robust malloc change again (#1245731).

- Fix perturbing in malloc on free and simply perturb_byte (#1245731).

- Don't fall back to mmap prematurely (#1245731).

- The malloc deadlock avoidance support has been temporarily removed since it triggers deadlocks in certain applications (#1243824).


Update the affected packages.

See Also

Plugin Details

Severity: Critical

ID: 99078

File Name: oraclevm_OVMSA-2017-0051.nasl

Version: 3.5

Type: local

Published: 3/30/2017

Updated: 1/4/2021

Risk Information


Risk Factor: Critical

Score: 9


Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:glibc-devel, p-cpe:/a:oracle:vm:glibc-headers, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/29/2017

Vulnerability Publication Date: 2/18/2016

Reference Information

CVE: CVE-2014-9761, CVE-2015-7547, CVE-2015-8776, CVE-2015-8778, CVE-2015-8779