Oracle VM Server for x86 Bulletin - October 2016

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) during the month before the bulletin's release. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is also updated during the two months after its release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in that period. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 January 2017
  • 18 April 2017
  • 18 July 2017
  • 17 October 2017

Modification History

Date              Revision  Description
2016-December-19  Rev 3     New CVEs added.
2016-November-18  Rev 2     New CVEs added.
2016-October-18   Rev 1     Initial Release

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 65 new security fixes for Oracle VM Server for x86. 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2016-12-19

Columns, in row order: CVE#, Product, Component, Remote Exploit without Auth.?, CVSS 2.0 Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability, Supported Versions Affected. Scores and metrics use CVSS version 2.0 (see Risk Matrix Definitions).
CVE-2016-9383 Oracle VM Server for x86 xen No 7.5 Network Medium Single Partial Partial Complete 3.4
CVE-2016-4794 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2016-9555 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 7.1 Network Medium None None None Complete 3.3,3.4
CVE-2016-1583 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.2,3.4
CVE-2016-0718 Oracle VM Server for x86 expat Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-7032 Oracle VM Server for x86 sudo No 6.6 Local Medium Single Complete Complete Complete 3.3,3.4
CVE-2016-7076 Oracle VM Server for x86 sudo No 6.6 Local Medium Single Complete Complete Complete 3.3,3.4
CVE-2016-9637 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.2,3.3,3.4
CVE-2016-9385 Oracle VM Server for x86 xen No 6.3 Network Medium Single None None Complete 3.2,3.3,3.4
CVE-2016-9381 Oracle VM Server for x86 xen No 6.0 Network Medium Single Partial Partial Partial 3.2,3.3,3.4
CVE-2016-9386 Oracle VM Server for x86 xen No 6.0 Network Medium Single Partial Partial Partial 3.2,3.3,3.4
CVE-2015-8956 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.4 Local Medium None Partial None Complete 3.2,3.3,3.4
CVE-2016-8650 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.3,3.4
CVE-2016-7777 Oracle VM Server for x86 xen No 4.9 Network Medium Single Partial Partial None 3.2,3.3,3.4
CVE-2016-3070 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None None None Complete 3.2,3.3,3.4
CVE-2016-6327 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None None None Complete 3.3
CVE-2016-6480 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None None None Complete 3.2,3.3,3.4
CVE-2016-2053 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.6 Local Low Single None None Complete 3.3,3.4
CVE-2016-9379 Oracle VM Server for x86 xen No 4.6 Network High Single Partial Partial Partial 3.2,3.3,3.4
CVE-2016-9380 Oracle VM Server for x86 xen No 4.6 Network High Single Partial Partial Partial 3.2,3.3,3.4
CVE-2016-9382 Oracle VM Server for x86 xen No 4.6 Network High Single Partial Partial Partial 3.2,3.3,3.4
CVE-2016-3699 Oracle VM Server for x86 Unbreakable Enterprise kernel No 3.3 Local Medium None None Partial Partial 3.3,3.4
CVE-2016-6136 Oracle VM Server for x86 Unbreakable Enterprise kernel No 3.3 Local Medium None Partial None Partial 3.2,3.3,3.4
CVE-2016-4569 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None Partial None None 3.2,3.3,3.4
CVE-2016-4578 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None Partial None None 3.2,3.3,3.4
CVE-2016-9932 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4

Revision 2: Published on 2016-11-18

Columns, in row order: CVE#, Product, Component, Remote Exploit without Auth.?, CVSS 2.0 Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability, Supported Versions Affected. Scores and metrics use CVSS version 2.0 (see Risk Matrix Definitions).
CVE-2016-5485 Oracle VM Server for x86 ovm-consoled Yes 7.3 Network Low None Partial Partial Partial 3.3,3.4
CVE-2016-4997 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.2
CVE-2016-4470 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.2
CVE-2016-5195 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.2
CVE-2016-5829 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.2
CVE-2016-1583 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.3,3.4
CVE-2016-5195 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.3,3.4
CVE-2016-7545 Oracle VM Server for x86 policycoreutils Yes 6.8 Network Medium None Partial Partial Partial 3.3,3.4
CVE-2016-3134 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.2 Local High None Complete Complete Complete 3.2
CVE-2016-4998 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.6 Local Low None Partial None Complete 3.2
CVE-2016-2834 Oracle VM Server for x86 nss nss-util Yes 5.1 Network High None Partial Partial Partial 3.3,3.4
CVE-2016-2834 Oracle VM Server for x86 nss Yes 5.1 Network High None Partial Partial Partial 3.2
CVE-2016-2848 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2,3.3,3.4
CVE-2016-8864 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2,3.3,3.4
CVE-2016-5285 Oracle VM Server for x86 nss nss-util Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-8635 Oracle VM Server for x86 nss nss-util Yes 4.3 Network Medium None Partial None None 3.3,3.4
CVE-2016-5285 Oracle VM Server for x86 nss Yes 4.3 Network Medium None None None Partial 3.2
CVE-2016-8635 Oracle VM Server for x86 nss Yes 4.3 Network Medium None Partial None None 3.2
CVE-2016-6313 Oracle VM Server for x86 libgcrypt Yes 4.0 Network High None Partial Partial None 3.3,3.4
CVE-2015-8374 Oracle VM Server for x86 Unbreakable Enterprise kernel No 3.5 Network Medium Single Partial None None 3.2
CVE-2016-2117 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 2.6 Network High None Partial None None 3.2

Revision 1: Published on 2016-10-18

Columns, in row order: CVE#, Product, Component, Remote Exploit without Auth.?, CVSS 2.0 Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability, Supported Versions Affected. Scores and metrics use CVSS version 2.0 (see Risk Matrix Definitions).
CVE-2016-4997 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3,3.4
CVE-2016-7039 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 7.1 Network Medium None None None Complete 3.4
CVE-2016-5829 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.3,3.4
CVE-2016-3134 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.2 Local High None Complete Complete Complete 3.3,3.4
CVE-2016-0723 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.6 Local Low None Partial None Complete 3.4
CVE-2016-4998 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.6 Local Low None Partial None Complete 3.3,3.4
CVE-2015-8787 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 5.4 Network High None None None Complete 3.4
CVE-2016-2776 Oracle VM Server for x86 bind Yes 5.0 Network Low None None None Partial 3.2,3.3,3.4
CVE-2016-2179 Oracle VM Server for x86 openssl Yes 5.0 Network Low None None None Partial 3.3,3.4
CVE-2016-6304 Oracle VM Server for x86 openssl Yes 5.0 Network Low None None None Partial 3.3,3.4
CVE-2015-8816 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2016-2847 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2016-4951 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2016-4581 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None None None Complete 3.4
CVE-2016-2181 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-2182 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None None None Partial 3.2,3.3,3.4
CVE-2016-2183 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None Partial None None 3.2
CVE-2016-6302 Oracle VM Server for x86 openssl Yes 4.3 Network Medium None None None Partial 3.3,3.4
CVE-2016-2069 Oracle VM Server for x86 Unbreakable Enterprise kernel No 3.7 Local High None Partial Partial Partial 3.4
CVE-2015-8374 Oracle VM Server for x86 Unbreakable Enterprise kernel No 3.5 Network Medium Single Partial None None 3.3
CVE-2016-2177 Oracle VM Server for x86 openssl Yes 2.6 Network High None None None Partial 3.2,3.3,3.4
CVE-2015-8785 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None None None Partial 3.4
CVE-2016-4913 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None Partial None None 3.4
CVE-2016-4805 Oracle VM Server for x86 Unbreakable Enterprise kernel No 1.9 Local Medium None None None Partial 3.4
CVE-2016-2178 Oracle VM Server for x86 openssl No 1.9 Local Medium None Partial None None 3.2,3.3,3.4
CVE-2016-2180 Oracle VM Server for x86 openssl No 1.9 Local Medium None None None Partial 3.3,3.4
CVE-2016-3156 Oracle VM Server for x86 Unbreakable Enterprise kernel No 1.7 Local Low Single None None Partial 3.4
CVE-2016-6306 Oracle VM Server for x86 openssl No 1.2 Local High None None None Partial 3.2,3.3,3.4
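Every base score in the matrices above is a function of the six CVSS 2.0 base metrics listed beside it, so a reader can recompute each score and confirm that a row is internally consistent before using it for prioritisation. The Python below is an added example, not Oracle's code and not part of the bulletin. It applies the standard CVSS 2.0 base equation (impact and exploitability sub-scores, the 1.176 impact factor, half-up rounding to one decimal) to rows in the flattened layout used above, reports rows whose listed score is not what their listed metrics yield or that carry no scorable vector, and recounts the two figures the Executive Summary states (distinct CVEs, and distinct CVEs marked remotely exploitable without authentication), counting a CVE listed for several version ranges once. The ROW_RE pattern is an assumption about the column order of the flattened rows; SAMPLE_ROWS are copied verbatim from the Revision 3 and Revision 2 matrices. Over those sample rows the check reports two things: the CVE-2016-9932 row, whose Access Complexity is "Undefined" and therefore cannot be scored, and the CVE-2016-5485 row, which lists 7.3 although the 2.0 equation gives 7.5 for AV:N/AC:L/Au:N/C:P/I:P/A:P. Whether that 7.3 reflects a convention from Oracle's Risk Matrix Definitions is not something this page states; the script only reports that the standard equation disagrees. Running it over all three matrices reproduces the totals of 65 distinct CVEs and 22 remotely exploitable without authentication.

```python
"""CVSS 2.0 base-score and summary checks over flattened Oracle VM Server risk-matrix rows."""
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS 2.0 base-metric weights, keyed by the words the matrix columns use.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
ABBREV = {"Local": "L", "Adjacent network": "A", "Network": "N", "High": "H", "Medium": "M",
          "Low": "L", "Multiple": "M", "Single": "S", "None": "N", "Partial": "P", "Complete": "C"}

# One flattened row, in the matrix header's column order (assumed layout): CVE, the fixed
# product string, component, remote-without-auth flag, listed base score, the six base
# metrics, comma-separated affected versions.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+) Oracle VM Server for x86 (?P<component>.+?) "
    r"(?P<remote>Yes|No) (?P<score>\d+\.\d) "
    r"(?P<av>Network|Adjacent network|Local) (?P<ac>Low|Medium|High|Undefined) "
    r"(?P<au>None|Single|Multiple) (?P<c>None|Partial|Complete) "
    r"(?P<i>None|Partial|Complete) (?P<a>None|Partial|Complete) (?P<versions>[\d.,]+)$"
)

# Rows copied verbatim from the Revision 3 and Revision 2 matrices of this bulletin.
SAMPLE_ROWS = [
    "CVE-2016-9383 Oracle VM Server for x86 xen No 7.5 Network Medium Single Partial Partial Complete 3.4",
    "CVE-2016-4794 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4",
    "CVE-2016-9555 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 7.1 Network Medium None None None Complete 3.3,3.4",
    "CVE-2016-9637 Oracle VM Server for x86 xen No 6.5 Adjacent network High Single Complete Complete Complete 3.2,3.3,3.4",
    "CVE-2016-9932 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4",
    "CVE-2016-5485 Oracle VM Server for x86 ovm-consoled Yes 7.3 Network Low None Partial Partial Partial 3.3,3.4",
]


def round1(x):
    """CVSS 2.0 rounds to one decimal half-up; Python's round() is half-to-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(av, ac, au, c, i, a):
    """CVSS 2.0 base equation over the six base metrics, named as the matrix names them."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def parse_row(line):
    """Split one flattened matrix row into named columns plus a CVSS 2.0 vector string."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised matrix row: {line!r}")
    row = m.groupdict()
    row["score"] = float(row["score"])
    row["versions"] = row["versions"].split(",")
    row["vector"] = "AV:{}/AC:{}/Au:{}/C:{}/I:{}/A:{}".format(
        *(ABBREV.get(row[k], "?") for k in ("av", "ac", "au", "c", "i", "a")))
    return row


def score_rows(lines):
    """{cve: (vector, listed score, recomputed score)}; recomputed is None when the row
    carries no scorable vector (Access Complexity 'Undefined')."""
    out = {}
    for line in lines:
        r = parse_row(line)
        computed = None if r["ac"] == "Undefined" else cvss2_base(
            r["av"], r["ac"], r["au"], r["c"], r["i"], r["a"])
        out[r["cve"]] = (r["vector"], r["score"], computed)
    return out


def mismatches(lines):
    """{cve: (listed, recomputed)} for rows whose listed score is not what the standard
    equation yields; unscorable rows are included so they are not silently trusted."""
    return {cve: (listed, computed)
            for cve, (_, listed, computed) in score_rows(lines).items() if computed != listed}


def summarize(lines):
    """(distinct CVEs, distinct CVEs marked remotely exploitable without authentication):
    the two figures the Executive Summary states; a CVE listed for several version
    ranges counts once."""
    rows = [parse_row(line) for line in lines]
    return len({r["cve"] for r in rows}), len({r["cve"] for r in rows if r["remote"] == "Yes"})


if __name__ == "__main__":
    for cve, (vector, listed, computed) in score_rows(SAMPLE_ROWS).items():
        print(f"{cve}: {vector} listed={listed} recomputed={computed}")
    print("mismatches:", mismatches(SAMPLE_ROWS))
    print("distinct CVEs / remote without auth:", summarize(SAMPLE_ROWS))
```

To check a whole matrix, paste its rows (one per line) into the list passed to mismatches() and summarize(); the two header lines and the revision headings are not rows and should be left out.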