Oracle VM Server for x86 Bulletin - July 2022

 

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins are also updated during the two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin security patches as soon as possible.

 

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

 

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 18 October 2022
  • 17 January 2023
  • 18 April 2023
  • 18 July 2023

References

 

Modification History

| Date | Note |
|---|---|
| 2022-September-20 | Rev 3. New CVEs added |
| 2022-August-16 | Rev 2. New CVEs added |
| 2022-July-19 | Rev 1. Initial Release |

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 13 new security patches for the Oracle VM Server for x86.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2022-09-20

The columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-1011 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2021-33655 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3 |
| CVE-2021-33656 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3 |
| CVE-2022-2588 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3 |
| CVE-2022-21123 | Oracle VM Server for x86 | xen | No | 6.1 | Local | Low | Low | None | Unchanged | High | Low | None | 3 |
| CVE-2020-36516 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.9 | Network | High | Low | None | Unchanged | None | High | Low | 3 |
| CVE-2022-21127 | Oracle VM Server for x86 | xen | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 3 |
| CVE-2019-9213 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-21125 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 3 |
| CVE-2022-21166 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 3 |
| CVE-2020-36557 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.1 | Local | High | High | None | Unchanged | None | None | High | 3 |
| CVE-2020-36558 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.1 | Local | High | High | None | Unchanged | None | None | High | 3 |
| CVE-2022-21546 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.1 | Local | High | High | None | Unchanged | None | None | High | 3 |

Revision 2: Published on 2022-08-16

The columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-32250 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2022-0492 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2022-2588 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3 |
| CVE-2022-21123 | Oracle VM Server for x86 | microcode_ctl | No | 6.1 | Local | Low | Low | None | Unchanged | High | Low | None | 3 |
| CVE-2022-21127 | Oracle VM Server for x86 | microcode_ctl | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 3 |
| CVE-2022-33981 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-21125 | Oracle VM Server for x86 | microcode_ctl | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 3 |
| CVE-2022-21166 | Oracle VM Server for x86 | microcode_ctl | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 3 |

Revision 1: Published on 2022-07-19

The columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-28388 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2022-28390 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2020-1971 | Oracle VM Server for x86 | openssl | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 3 |
| CVE-2022-1652 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.3 | Local | High | Low | None | Changed | Low | Low | Low | 3 |