Oracle VM Server for x86 Bulletin - April 2020

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that have been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) during the month before the bulletin's release. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is then updated during the two months after its release (the interval between the quarterly Critical Patch Update publication dates) to cover CVEs resolved in those two months. A bulletin may also be updated out of cycle for vulnerabilities deemed too critical to wait for the next scheduled publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin security patches as soon as possible.

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 July 2020
  • 20 October 2020
  • 19 January 2021
  • 20 April 2021

References

Modification History

Date           Note
2020-June-15   Rev 3. New CVEs added.
2020-May-18    Rev 2. New CVEs added.
2020-April-14  Rev 1. Initial Release.

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 39 new security patches for Oracle VM Server for x86. Six of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Four rows of the risk matrix are marked "Yes" in the Remote Exploit column; the two bind entries (CVE-2020-8616 and CVE-2020-8617) are listed without CVSS data.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2020-06-15

The CVSS v3.0 risk columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2019-14897 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.4
CVE-2019-0140 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 8.8 | Adjacent network | Low | None | None | Unchanged | High | High | High | 3.4
CVE-2019-9503 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 8.3 | Adjacent network | High | None | None | Changed | High | High | High | 3.4
CVE-2019-14814 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.4
CVE-2019-14815 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.4
CVE-2019-14816 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.4
CVE-2017-1000370 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.4
CVE-2018-18281 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.4
CVE-2016-5244 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 3.4
CVE-2020-8648 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.1 | Local | Low | Low | None | Unchanged | High | None | High | 3.4
CVE-2020-9383 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.1 | Local | Low | Low | None | Unchanged | High | None | High | 3.4
CVE-2020-11668 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.1 | Local | Low | Low | None | Unchanged | None | High | High | 3.4
CVE-2019-19527 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.8 | Physical | Low | None | None | Unchanged | High | High | High | 3.4
CVE-2019-19532 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.8 | Physical | Low | None | None | Unchanged | High | High | High | 3.4
CVE-2019-0139 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3.4
CVE-2019-20636 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3.4
CVE-2019-0144 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3.4
CVE-2020-8647 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.1 | Local | Low | Low | None | Unchanged | Low | None | High | 3.4
CVE-2019-19528 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.1 | Physical | Low | None | None | Unchanged | High | None | High | 3.4
CVE-2020-8649 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.9 | Physical | Low | Low | None | Unchanged | High | None | High | 3.4
CVE-2017-7346 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3.4
CVE-2018-5953 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 3.4
CVE-2019-18806 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3.4
CVE-2019-12819 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3.4
CVE-2020-10942 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.3 | Local | High | Low | None | Unchanged | None | Low | High | 3.4
CVE-2019-19056 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.7 | Local | High | Low | None | Unchanged | None | None | High | 3.4
CVE-2019-19523 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Physical | Low | None | None | Unchanged | None | None | High | 3.4
CVE-2019-19524 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Physical | Low | None | None | Unchanged | None | None | High | 3.4
CVE-2020-11494 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.4 | Local | Low | High | None | Unchanged | High | None | None | 3.4
CVE-2020-11608 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.3 | Physical | Low | Low | None | Unchanged | None | None | High | 3.4
CVE-2020-11609 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.3 | Physical | Low | Low | None | Unchanged | None | None | High | 3.4
CVE-2019-19537 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.2 | Physical | High | None | None | Unchanged | None | None | High | 3.4
CVE-2019-19057 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 3.3 | Local | Low | Low | None | Unchanged | None | None | Low | 3.4
CVE-2020-8616 | Oracle VM Server for x86 | bind | Undefined |  |  |  |  |  |  |  |  |  | 3.3,3.4
CVE-2020-8617 | Oracle VM Server for x86 | bind | Undefined |  |  |  |  |  |  |  |  |  | 3.3,3.4

Revision 2: Published on 2020-05-18

The CVSS v3.0 risk columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2020-5208 | Oracle VM Server for x86 | ipmitool | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.3,3.4
CVE-2019-11135 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 3.4

Revision 1: Published on 2020-04-14

The CVSS v3.0 risk columns (Base Score through Availability) are defined in the Risk Matrix Definitions.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2020-8608 | Oracle VM Server for x86 | qemu-kvm | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.4
CVE-2020-10531 | Oracle VM Server for x86 | icu | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 3.3,3.4
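The base scores in the three risk matrices above (Revisions 1 to 3) can be re-derived from their metric columns, which is a useful check before a stated score drives patch priority. The following Python is an added example, not Oracle's tooling: it parses rows in the whitespace-flattened layout this page uses (a handful of rows copied from the matrices serve as the constructed sample), recomputes each CVSS v3.0 base score with the FIRST v3.0 formula, emits the vector string for cross-checking against NVD, and reports any row whose stated score disagrees with its metrics. Rows published without CVSS data, such as the two bind entries, are skipped. The column names and the "Oracle VM Server for x86" product prefix come from the matrix header; the function names and the sample selection are mine.

```python
"""Re-derive CVSS v3.0 base scores from the metric columns of an Oracle VM
Server for x86 risk matrix.  Added example, not Oracle tooling."""
import math

# Metric weights from the FIRST CVSS v3.0 specification (section 8.4).
AV = {"Network": 0.85, "Adjacent network": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.5}  # scope Changed raises PR weight
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
ABBREV = {"Network": "N", "Adjacent network": "A", "Local": "L", "Physical": "P",
          "Low": "L", "High": "H", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}
PRODUCT_TOKENS = 5  # "Oracle VM Server for x86"

# Constructed sample: rows copied from this bulletin's matrices, in the
# whitespace-flattened layout the page uses.
SAMPLE_ROWS = """\
CVE-2019-14897 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 9.8 Network Low None None Unchanged High High High 3.4
CVE-2019-0140 Oracle VM Server for x86 Unbreakable Enterprise kernel No 8.8 Adjacent network Low None None Unchanged High High High 3.4
CVE-2019-9503 Oracle VM Server for x86 Unbreakable Enterprise kernel No 8.3 Adjacent network High None None Changed High High High 3.4
CVE-2019-0144 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.5 Local Low Low None Changed None None High 3.4
CVE-2020-10942 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.3 Local High Low None Unchanged None Low High 3.4
CVE-2019-19537 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.2 Physical High None None Unchanged None None High 3.4
CVE-2020-8616 Oracle VM Server for X86 bind Undefined 3.3,3.4
CVE-2020-5208 Oracle VM Server for x86 ipmitool No 8.8 Network Low Low None Unchanged High High High 3.3,3.4
CVE-2020-10531 Oracle VM Server for x86 icu Yes 8.8 Network Low None Required Unchanged High High High 3.3,3.4
"""


def roundup(x):
    """CVSS 'round up to one decimal'; the integer form from the v3.1 spec,
    which yields the v3.0 result without floating-point surprises."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS v3.0 base score from the eight base metrics (full metric names)."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_weight = (PR_CHANGED if changed else PR_UNCHANGED)[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def parse_row(line):
    """Parse one flattened matrix row.  Only the component and the attack
    vector ('Adjacent network') may contain spaces, so the row is consumed
    from the right, where every field is a single token."""
    tokens = line.split()
    row = {"cve": tokens[0], "versions": tokens.pop()}
    if tokens[-1] == "Undefined":  # row published without CVSS data
        row.update(component=" ".join(tokens[1 + PRODUCT_TOKENS:-1]), score=None)
        return row
    a, i, c, scope, ui, pr, ac, av = (tokens.pop() for _ in range(8))
    if av == "network" and tokens[-1] == "Adjacent":
        tokens.pop()
        av = "Adjacent network"
    row.update(score=float(tokens.pop()), remote=tokens.pop(),
               component=" ".join(tokens[1 + PRODUCT_TOKENS:]),
               av=av, ac=ac, pr=pr, ui=ui, scope=scope, c=c, i=i, a=a)
    return row


def vector_string(row):
    """Vector form of a parsed row, for cross-checking against NVD."""
    names = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    keys = ("av", "ac", "pr", "ui", "scope", "c", "i", "a")
    return "CVSS:3.0/" + "/".join(f"{n}:{ABBREV[row[k]]}" for n, k in zip(names, keys))


def check_matrix(text):
    """Map each CVE whose stated score differs from the recomputed score to
    (stated, computed).  Rows without CVSS data are skipped."""
    mismatches = {}
    for line in text.splitlines():
        row = parse_row(line)
        if row["score"] is None:
            continue
        computed = base_score(row["av"], row["ac"], row["pr"], row["ui"],
                              row["scope"], row["c"], row["i"], row["a"])
        if computed != row["score"]:
            mismatches[row["cve"]] = (row["score"], computed)
    return mismatches


if __name__ == "__main__":
    for line in SAMPLE_ROWS.splitlines():
        row = parse_row(line)
        if row["score"] is not None:
            print(row["cve"], row["score"], vector_string(row))
    print("mismatches:", check_matrix(SAMPLE_ROWS))
```

Run as a script, it prints one vector string per scored row and an empty mismatch dictionary for the sample; a non-empty result is the cue to re-check the vendor's row against NVD before relying on the stated score. The scope-changed rows (CVE-2019-9503 and CVE-2019-0144) exercise the alternate impact formula and the raised Privileges Required weights, which is where hand calculations most often go wrong.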