Oracle Security Alert for CVE-2015-3456 - Beta Oracle CVRF Oracle Security Alert CVE-2015-3456 Final 1.0 1.0 2015-05-14T13:00:00-07:00 Initial Distribution 2015-05-14T13:00:00-07:00 2015-05-14T13:00:00-07:00 This document contains descriptions of Oracle product security vulnerabilities which have had fixes released for all supported versions and platforms for the associated product. Additional information regarding these vulnerabilities including fix distribution information can be found at the Oracle sites referenced in this document. This document is published at: http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2543038.xml http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html URL to html version of Advisory Linux OS Version 5 Linux OS Version 6 Linux OS Version 7 Oracle VM Version 2.2 Oracle VM Version 3.2 Oracle VM Version 3.3 Oracle VM VirtualBox Version 3.2 Oracle VM VirtualBox Version 4.0 Oracle VM VirtualBox Version 4.1 Oracle VM VirtualBox Version 4.2 Oracle VM VirtualBox Version 4.3 prior to 4.3.28 Vulnerability in the Oracle Linux component of Oracle Linux (subcomponent: Xen, Qemu-KVM). Supported versions that are affected are 5, 6 and 7. Very difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. CVSS Base Score 6.2 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Fix has been released CVE-2015-3456 P-1309V-5 P-1309V-6 P-1309V-7 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C CVE-2015-3456 Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html P-1309V-5 P-1309V-6 P-1309V-7 Vulnerability in the Oracle VM component of Oracle Virtualization (subcomponent: Xen Hypervisor). Supported versions that are affected are 2.2, 3.2 and 3.3. Very difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. CVSS Base Score 6.2 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Fix has been released CVE-2015-3456 P-4455V-2.2 P-4455V-3.2 P-4455V-3.3 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C CVE-2015-3456 Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html P-4455V-2.2 P-4455V-3.2 P-4455V-3.3 Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are 3.2, 4.0, 4.1, 4.2 and 4.3 prior to 4.3.28. Very difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: The CVSS score assumes that the virtualization software is running on the host operating system as a privileged user. When this is not the case, the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial+" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 6.2 becomes 3.7. CVSS Base Score 6.2 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Oracle Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C). Fix has been released CVE-2015-3456 P-8370V-3.2 P-8370V-4.0 P-8370V-4.1 P-8370V-4.2 P-8370V-4.3 prior to 4.3.28 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C CVE-2015-3456 Oracle customers with valid support contracts http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html P-8370V-3.2 P-8370V-4.0 P-8370V-4.1 P-8370V-4.2 P-8370V-4.3 prior to 4.3.28