Oracle VM Server for x86 Bulletin - January 2019

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 April 2019
  • 16 July 2019
  • 15 October 2019
  • 14 January 2020

References

Modification History

2019-March-18 Rev 3. New CVEs added.
2019-February-19 Rev 2. New CVEs added.
2019-January-15 Rev 1. Initial Release

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 25 new security fixes for the Oracle VM Server for x86. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2019-03-18

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2017-17807 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-10876 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-10877 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-10878 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-16862 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-18559 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-9568 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-6133 Oracle VM Server for x86 polkit Undefined 3.3,3.4

Revision 2: Published on 2019-02-19

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2017-12153 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-18079 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-18174 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-18221 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-18255 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-9725 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1092 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1094 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-17972 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-18397 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-19824 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-3639 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-7995 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-9363 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-9516 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-5489 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4

Revision 1: Published on 2019-01-15

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2018-12327 Oracle VM Server for x86 ntp Undefined 3.3,3.4