Oracle VM Server for x86 Bulletin - July 2016

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins are also updated for the two months following their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 October 2016
  • 17 January 2017
  • 18 April 2017
  • 18 July 2017

Modification History

2016-September-19 Rev 3. New CVEs added.
2016-August-19 Rev 2. New CVEs added.
2016-July-19 Rev 1. Initial Release.

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 125 new security fixes for the Oracle VM Server for x86. 86 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2016-09-19

CVE# | Product | Component | Remote Exploit without Auth.? | CVSS Version 2.0 Risk (see Risk Matrix Definitions): Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2016-7154 Oracle VM Server for x86 xen No 8.3 Adjacent network Low None Complete Complete Complete 3.4
CVE-2016-7092 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2016-7094 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4

Revision 2: Published on 2016-08-19

CVE# | Product | Component | Remote Exploit without Auth.? | CVSS Version 2.0 Risk (see Risk Matrix Definitions): Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2015-8550 Oracle VM Server for x86 xen No 7.4 Adjacent network Medium Single Complete Complete Complete 3.3
CVE-2016-4470 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.3,3.4
CVE-2015-7554 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2015-8784 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3632 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3945 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3990 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3991 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-5320 Oracle VM Server for x86 libtiff Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3710 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.3,3.4
CVE-2015-8660 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.0 Local High Single Complete Complete Complete 3.4
CVE-2016-4962 Oracle VM Server for x86 xen No 6.0 Network Medium Single Partial Partial Partial 3.3,3.4
CVE-2016-6258 Oracle VM Server for x86 xen No 6.0 Network Medium Single Partial Partial Partial 3.2,3.3,3.4
CVE-2016-5696 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 5.8 Network Medium None None Partial Partial 3.3,3.4
CVE-2014-9655 Oracle VM Server for x86 libtiff Yes 5.8 Network Medium None Partial None Partial 3.3,3.4
CVE-2015-1547 Oracle VM Server for x86 libtiff Yes 5.8 Network Medium None None Partial Partial 3.3,3.4
CVE-2016-3960 Oracle VM Server for x86 xen No 5.8 Adjacent network Medium Single None Partial Complete 3.2,3.3,3.4
CVE-2014-3672 Oracle VM Server for x86 xen No 5.2 Adjacent network Medium Single None None Complete 3.2,3.3,3.4
CVE-2016-2270 Oracle VM Server for x86 xen No 5.2 Adjacent network Medium Single None None Complete 3.4
CVE-2016-1000110 Oracle VM Server for x86 python Yes 5.0 Network Low None None Partial None 3.3,3.4
CVE-2016-6197 Oracle VM Server for x86 kernel-uek No 4.7 Local Medium None None None Complete 3.4
CVE-2016-6198 Oracle VM Server for x86 kernel-uek No 4.7 Local Medium None None None Complete 3.4
CVE-2014-9330 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8665 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8668 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8683 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8781 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8782 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2015-8783 Oracle VM Server for x86 libtiff Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-4480 Oracle VM Server for x86 xen No 4.3 Adjacent network High None Partial Partial Partial 3.2,3.3,3.4
CVE-2016-3158 Oracle VM Server for x86 xen No 3.8 Adjacent network Medium Single Partial Partial None 3.3,3.4
CVE-2016-3159 Oracle VM Server for x86 xen No 3.8 Adjacent network Medium Single Partial Partial None 3.3,3.4
CVE-2016-3712 Oracle VM Server for x86 xen No 3.8 Adjacent network Medium Single Partial None Partial 3.3,3.4
CVE-2014-8127 Oracle VM Server for x86 libtiff No 3.6 Local Low None Partial None Partial 3.3,3.4
CVE-2014-8129 Oracle VM Server for x86 libtiff No 3.6 Local Low None Partial None Partial 3.3,3.4
CVE-2016-2117 Oracle VM Server for x86 kernel-uek Yes 2.6 Network High None Partial None None 3.3,3.4
CVE-2016-5403 Oracle VM Server for x86 qemu-kvm No 2.3 Adjacent network Medium Single None None Partial 3.4
CVE-2014-8130 Oracle VM Server for x86 libtiff No 2.1 Local Low None None None Partial 3.3,3.4

Revision 1: Published on 2016-07-19

CVE# | Product | Component | Remote Exploit without Auth.? | CVSS Version 2.0 Risk (see Risk Matrix Definitions): Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2013-6435 Oracle VM Server for x86 rpm Yes 7.6 Network High None Complete Complete Complete 3.2
CVE-2013-0292 Oracle VM Server for x86 dbus-glib No 6.9 Local Medium None Complete Complete Complete 3.2
CVE-2016-4565 Oracle VM Server for x86 kernel-uek No 6.9 Local Medium None Complete Complete Complete 3.2
CVE-2016-4565 Oracle VM Server for x86 kernel-uek No 6.9 Local Medium None Complete Complete Complete 3.3,3.4
CVE-2013-2174 Oracle VM Server for x86 curl Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2016-1834 Oracle VM Server for x86 libxml2 Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2013-5605 Oracle VM Server for x86 nspr Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2014-1544 Oracle VM Server for x86 nspr Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7181 Oracle VM Server for x86 nspr Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7182 Oracle VM Server for x86 nspr Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7183 Oracle VM Server for x86 nspr Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2013-5605 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2014-1544 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7181 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7182 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2015-7183 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2016-1950 Oracle VM Server for x86 nss Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2012-0060 Oracle VM Server for x86 rpm Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2012-0061 Oracle VM Server for x86 rpm Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2012-0815 Oracle VM Server for x86 rpm Yes 6.8 Network Medium None Partial Partial Partial 3.2
CVE-2014-0106 Oracle VM Server for x86 sudo No 6.6 Local Medium Single Complete Complete Complete 3.2
CVE-2015-7504 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.2
CVE-2015-8554 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.2
CVE-2016-3710 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.2
CVE-2014-1568 Oracle VM Server for x86 nss Yes 5.8 Network Medium None Partial Partial None 3.2
CVE-2015-3197 Oracle VM Server for x86 openssl Yes 5.8 Network Medium None Partial Partial None 3.2
CVE-2016-0800 Oracle VM Server for x86 openssl Yes 5.8 Network Medium None Partial Partial None 3.2
CVE-2012-3440 Oracle VM Server for x86 sudo No 5.6 Local High None None Complete Complete 3.2
CVE-2015-5307 Oracle VM Server for x86 xen No 5.2 Adjacent network Medium Single None None Complete 3.2
CVE-2015-8104 Oracle VM Server for x86 xen No 5.2 Adjacent network Medium Single None None Complete 3.2
CVE-2016-2270 Oracle VM Server for x86 xen No 5.2 Adjacent network Medium Single None None Complete 3.2
CVE-2016-1840 Oracle VM Server for x86 libxml2 Yes 5.1 Network High None Partial Partial Partial 3.3,3.4
CVE-2016-4448 Oracle VM Server for x86 libxml2 Yes 5.1 Network High None Partial Partial Partial 3.3,3.4
CVE-2013-1620 Oracle VM Server for x86 nspr Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-1978 Oracle VM Server for x86 nspr Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-1979 Oracle VM Server for x86 nspr Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2013-1620 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2014-1490 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2014-1545 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2015-2721 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-1978 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-1979 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-2105 Oracle VM Server for x86 openssl Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-2106 Oracle VM Server for x86 openssl Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2012-5195 Oracle VM Server for x86 perl Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2012-6329 Oracle VM Server for x86 perl Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2012-5166 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2014-8500 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2015-5477 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2015-5722 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2016-1285 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2016-1286 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2
CVE-2015-6908 Oracle VM Server for x86 openldap Yes 5.0 Network Low None None None Partial 3.2
CVE-2013-1667 Oracle VM Server for x86 perl Yes 5.0 Network Low None None None Partial 3.2
CVE-2016-3115 Oracle VM Server for x86 openssh No 4.9 Network Medium Single Partial Partial None 3.2
CVE-2011-4339 Oracle VM Server for x86 OpenIPMI No 4.7 Local Medium None None None Complete 3.2
CVE-2015-8000 Oracle VM Server for x86 bind Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1944 Oracle VM Server for x86 curl Yes 4.3 Network Medium None None Partial None 3.2
CVE-2014-3660 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.2
CVE-2016-1762 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1833 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1835 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1836 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1837 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1838 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-1839 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-3627 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-3705 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-4447 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-4449 Oracle VM Server for x86 libxml2 Yes 4.3 Network Medium None None Partial None 3.3,3.4
CVE-2012-0441 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-0791 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1739 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1741 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-5606 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-5607 Oracle VM Server for x86 nspr Yes 4.3 Network Medium None None None Partial 3.2
CVE-2012-0441 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-0791 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1739 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1740 Oracle VM Server for x86 nss Yes 4.3 Network Medium None Partial None None 3.2
CVE-2013-1741 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-5606 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-5607 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2014-1491 Oracle VM Server for x86 nss Yes 4.3 Network Medium None Partial None None 3.2
CVE-2015-2730 Oracle VM Server for x86 nss Yes 4.3 Network Medium None Partial None None 3.2
CVE-2013-4449 Oracle VM Server for x86 openldap Yes 4.3 Network Medium None None None Partial 3.2
CVE-2015-5600 Oracle VM Server for x86 openssh Yes 4.3 Network Medium None None Partial None 3.2
CVE-2015-3195 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None Partial None None 3.2
CVE-2016-0797 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None None None Partial 3.2
CVE-2013-1776 Oracle VM Server for x86 sudo No 3.6 Local Low None Partial Partial None 3.2
CVE-2013-2776 Oracle VM Server for x86 sudo No 3.6 Local Low None Partial Partial None 3.2
CVE-2015-8704 Oracle VM Server for x86 bind No 3.5 Network Medium Single None None Partial 3.2
CVE-2012-3571 Oracle VM Server for x86 dhcp No 3.3 Adjacent network Low None None None Partial 3.2
CVE-2014-1492 Oracle VM Server for x86 nss Yes 2.6 Network High None None Partial None 3.2
CVE-2016-0799 Oracle VM Server for x86 openssl Yes 2.6 Network High None None None Partial 3.2
CVE-2012-5526 Oracle VM Server for x86 perl Yes 2.6 Network High None None Partial None 3.2
CVE-2013-1775 Oracle VM Server for x86 sudo No 2.1 Local Low None None Partial None 3.2
CVE-2013-4242 Oracle VM Server for x86 libgcrypt No 1.9 Local Medium None Partial None None 3.2
CVE-2016-2109 Oracle VM Server for x86 openssl No 1.9 Local Medium None None None Partial 3.2
CVE-2012-2664 Oracle VM Server for x86 sos No 1.9 Local Medium None Partial None None 3.2
CVE-2015-8555 Oracle VM Server for x86 xen No 1.8 Adjacent network High None Partial None None 3.2