Oracle VM Server for x86 Bulletin - January 2022 - Oracle CVRF Oracle VM Server for x86 Bulletin Advisory OVMBulletinJan2022 Final 2.0 1.0 2022-01-14T13:00:00-07:00 Initial Distribution 2.0 2022-02-15T13:00:00-07:00 New CVEs added. This document contains descriptions of Oracle VM Server for x86 security vulnerabilities which have had security patches released for all supported versions and platforms. https://www.oracle.com/security-alerts/ovmbulletinjan2022.html URL to html version of Advisory Oracle VM Server for x86 3.2 Oracle VM Server for x86 3.3 Oracle VM Server for x86 3.4 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-204573007References: Upstream kernel CVSS Base Score: 7.8 CVSS V3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Security patch has been released CVE-2021-1048 P-4455V-3 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3 This is a vulnerability in polkit in Oracle VM Server for x86. A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. CVSS Base Score: 7.8 CVSS V3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Security patch has been released CVE-2021-4034 P-4455V-3 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0006.html P-4455V-3 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVSS Base Score: 7 CVSS V3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Security patch has been released CVE-2021-3752 P-4455V-3 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. CVSS Base Score: 5.7 CVSS V3 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Security patch has been released CVE-2021-0129 P-4455V-3 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVSS Base Score: 5.5 CVSS V3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Security patch has been released CVE-2021-20321 P-4455V-3 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVSS Base Score: 5.5 CVSS V3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Security patch has been released CVE-2021-4155 P-4455V-3 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3 This is a vulnerability in Unbreakable Enterprise kernel in Oracle VM Server for x86. ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVSS Base Score: 4.7 CVSS V3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. Security patch has been released CVE-2021-3753 P-4455V-3 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Oracle VM Server for x86 Security Advisory Oracle VM Server for x86 customers https://linux.oracle.com/errata/OVMSA-2022-0007.html P-4455V-3