Oracle VM Server for x86 Bulletin - April 2018

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day that Oracle Critical Patch Updates are released. These bulletins are also updated during the two months following their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in that period. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 July 2018
  • 16 October 2018
  • 15 January 2019
  • 16 April 2019

References

Modification History

2018-June-18 Rev 3. New CVEs added.
2018-May-21 Rev 2. New CVEs added.
2018-April-17 Rev 1. Initial Release

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 55 new security fixes for the Oracle VM Server for x86. 55 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2018-06-18

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2016-2384 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2543 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2544 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2545 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2547 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2548 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2016-2549 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2017-1000410 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2017-16939 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-17741 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2017-18203 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1000199 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-10323 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-10675 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-3639 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-3665 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-5333 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-5750 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-6927 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1124 Oracle VM Server for x86 procps Undefined 3.3,3.4
CVE-2018-1126 Oracle VM Server for x86 procps Undefined 3.3,3.4
CVE-2018-3639 Oracle VM Server for x86 qemu-kvm Undefined 3.4
CVE-2017-17563 Oracle VM Server for x86 xen Undefined 3.2,3.3
CVE-2017-17564 Oracle VM Server for x86 xen Undefined 3.2,3.3
CVE-2017-17565 Oracle VM Server for x86 xen Undefined 3.2,3.3,3.4
CVE-2017-17566 Oracle VM Server for x86 xen Undefined 3.2,3.3,3.4
CVE-2017-5715 Oracle VM Server for x86 xen Undefined 3.2,3.3
CVE-2017-5753 Oracle VM Server for x86 xen Undefined 3.3
CVE-2017-5754 Oracle VM Server for x86 xen Undefined 3.3
CVE-2018-8897 Oracle VM Server for x86 xen Undefined 3.4

Revision 2: Published on 2018-05-21

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2017-12146 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-15116 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-15129 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-15299 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2017-15537 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-16532 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2017-16537 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2017-16643 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2017-16645 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-16646 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-16994 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-17448 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2017-17449 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-17558 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3
CVE-2017-17741 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-7294 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-100199 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-1068 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-1087 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1093 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-5332 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-8897 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.3,3.4
CVE-2018-1111 Oracle VM Server for x86 dhcp Undefined 3.3,3.4
CVE-2018-1000156 Oracle VM Server for x86 patch Undefined 3.3,3.4
CVE-2018-7750 Oracle VM Server for x86 python-paramiko Undefined 3.3,3.4
CVE-2017-17563 Oracle VM Server for x86 xen Undefined 3.4
CVE-2017-17564 Oracle VM Server for x86 xen Undefined 3.4

Revision 1: Published on 2018-04-17

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2017-17052 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-7518 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-5146 Oracle VM Server for x86 libvorbis Undefined 3.3,3.4
CVE-2017-5715 Oracle VM Server for x86 xen Undefined 3.2,3.4
CVE-2017-5753 Oracle VM Server for x86 xen Undefined 3.2
CVE-2017-5754 Oracle VM Server for x86 xen Undefined 3.2