Oracle Security Alert for CVE-2015-3456


Description


This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC. The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.


Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.


This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.



Affected Products and Versions


The security vulnerability addressed by this Security Alert directly affects the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.


Oracle products and systems that include the products listed in this Alert are likely also affected. Customers should refer to Venom vulnerability - CVE-2015-3456 for additional information about those products. Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability. The product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.



The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:



Affected Products and Versions Patch Availability
VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28 Oracle Linux and Virtualization
Oracle VM 2.2, 3.2, 3.3 Oracle Linux and Virtualization
Oracle Linux 5, 6, 7 Oracle Linux and Virtualization

Supported Products and Versions


Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.


Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.



Products in Extended Support


Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.


Oracle Cloud


The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services. The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes.


Customers requiring additional information which is not addressed in this communication may obtain more information as follows:

  • Oracle Managed Cloud Services (OMCS) Customers should contact their Service Delivery Manager (SDM). CRM On Demand customers should request status via SR.
  • Oracle Cloud for Industry (OCI) and Micros Cloud Customers should contact gbu-risk-compliance-resp_ww@oracle.com.
  • Oracle Public Cloud (OPC) Customers should submit a Service Request within their designated support system to request an update which is specific to the services they have purchased.

     


Patch Availability Table and Risk Matrix


The security fixes in this Security Alert are cumulative; the latest updates includes all fixes from previous Critical Patch Updates and Security Alerts.



Patch Availability Table


Product Group Risk Matrix Patch Availability and Installation Information
Oracle Linux and Virtualization Oracle Linux and Virtualization


References


Modification History



Date Comments
2015-May-15 Rev 1. Initial Release


 

 

Appendix - Oracle Linux and Virtualization

 

 

Oracle Linux Executive Summary

 


This Security Alert contains 1 new security fix for Oracle Linux.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 


Oracle Linux Risk Matrix


CVE# Component Protocol Sub-
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-3456 21092510 Oracle Linux None Xen, Qemu-KVM No 6.2 Local High None Complete Complete Complete 5, 6, 7  
 

 



 

Oracle Virtualization Executive Summary

 


This Security Alert contains 2 new security fixes for Oracle Virtualization.  Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password.  The English text form of this Risk Matrix can be found here.

 


Oracle Virtualization Risk Matrix


CVE# Component Protocol Sub-
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-3456 20993910 Oracle VM None Xen Hypervisor No 6.2 Local High None Complete Complete Complete 2.2, 3.2, 3.3  
CVE-2015-3456 21027512 Oracle VM VirtualBox None Core No 6.2 Local High None Complete Complete Complete 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28 See Note 1
 

 

Notes:


  1. The CVSS score assumes that the virtualization software is running on the host operating system as a privileged user. When this is not the case, the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial+" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 6.2 becomes 3.7