Oracle VM Server for x86 Bulletin - July 2020


Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) during the month before the bulletin's release. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is also updated during the two months after its release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerabilities deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin security patches as soon as possible.


Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad


Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 October 2020
  • 19 January 2021
  • 20 April 2021
  • 20 July 2021

References


Modification History

| Date              | Note                      |
|-------------------|---------------------------|
| 2020-September-21 | Rev 3. New CVEs added.    |
| 2020-August-17    | Rev 2. New CVEs added.    |
| 2020-July-14      | Rev 1. Initial Release.   |

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 27 new security patches for the Oracle VM Server for x86. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2020-09-21

CVSS Version 3.0 Risk (see Risk Matrix Definitions). CVSS columns are empty where the bulletin lists the entry as "Undefined".

| CVE#           | Product                  | Component                     | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|----------------|--------------------------|-------------------------------|-------------------------------|------------|---------------|-------------------|---------------------|------------------|-------|-----------------|-----------|--------------|-----------------------------|
| CVE-2017-16644 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-10638 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-10639 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-19049 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-19062 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-19535 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-20811 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-10732 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-5482  | Oracle VM Server for x86 | curl                          | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2019-18660 | Oracle VM Server for x86 | kernel                        | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2018-20852 | Oracle VM Server for x86 | python                        | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-14364 | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |


Revision 2: Published on 2020-08-17

CVSS Version 3.0 Risk (see Risk Matrix Definitions). CVSS columns are empty where the bulletin lists the entry as "Undefined".

| CVE#           | Product                  | Component                     | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|----------------|--------------------------|-------------------------------|-------------------------------|------------|---------------|-------------------|---------------------|------------------|-------|-----------------|-----------|--------------|-----------------------------|
| CVE-2019-19054 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-12888 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-14416 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-15565 | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |
| CVE-2020-15567 | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |       |                 |           |              | 3.4                         |

Revision 1: Published on 2020-07-14

CVSS Version 3.0 Risk (see Risk Matrix Definitions). CVSS columns are empty where the bulletin lists the entry as "Undefined".

| CVE#           | Product                  | Component                     | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope     | Confidentiality | Integrity | Availability | Supported Versions Affected |
|----------------|--------------------------|-------------------------------|-------------------------------|------------|---------------|-------------------|---------------------|------------------|-----------|-----------------|-----------|--------------|-----------------------------|
| CVE-2020-0548  | Oracle VM Server for x86 | microcode_ctl                 | No                            | 5.5        | Local         | Low               | Low                 | None             | Unchanged | High            | None      | None         | 3.3, 3.4                    |
| CVE-2020-0549  | Oracle VM Server for x86 | microcode_ctl                 | No                            | 5.5        | Local         | Low               | Low                 | None             | Unchanged | High            | None      | None         | 3.3, 3.4                    |
| CVE-2017-16538 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2019-15214 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2019-19533 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2019-19534 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2019-19536 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2020-0543  | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2020-0543  | Oracle VM Server for x86 | microcode_ctl                 | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.3, 3.4                    |
| CVE-2017-15289 | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2017-18030 | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |
| CVE-2020-0543  | Oracle VM Server for x86 | xen                           | Undefined                     |            |               |                   |                     |                  |           |                 |           |              | 3.4                         |