Oracle VM Server for x86 Bulletin - April 2017


Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is also updated during the two months after its release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.


Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad


Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 18 July 2017
  • 17 October 2017
  • 16 January 2018
  • 17 April 2018

References


Modification History


2017-June-19 Rev 3. New CVEs added.
2017-May-18 Rev 2. New CVEs added.
2017-April-18 Rev 1. Initial Release

 

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 114 new security fixes for the Oracle VM Server for x86. 62 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix


Revision 3: Published on 2017-06-19



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2017-7895 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.3
CVE-2017-8890 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.3,3.4
CVE-2017-8779 | Oracle VM Server for x86 | libtirpc | Yes | 7.8 | Network | Low | None | None | None | Complete | 3.3,3.4
CVE-2017-8779 | Oracle VM Server for x86 | rpcbind | Yes | 7.8 | Network | Low | None | None | None | Complete | 3.3,3.4
CVE-2017-7308 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3,3.4
CVE-2017-1000367 | Oracle VM Server for x86 | sudo | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 3.3,3.4
CVE-2017-7502 | Oracle VM Server for x86 | nss | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.3,3.4

Revision 2: Published on 2017-05-18



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2017-7895 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-5461 | Oracle VM Server for x86 | nss nss-util | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.3,3.4
CVE-2017-2647 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3
CVE-2017-7184 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3
CVE-2017-7228 | Oracle VM Server for x86 | xen | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-8903 | Oracle VM Server for x86 | xen | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-5986 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.1 | Network | Medium | None | None | None | Complete | 3.2,3.3
CVE-2017-8291 | Oracle VM Server for x86 | ghostscript | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-10249 | Oracle VM Server for x86 | jasper | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-10251 | Oracle VM Server for x86 | jasper | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-8654 | Oracle VM Server for x86 | jasper | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-9560 | Oracle VM Server for x86 | jasper | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2017-8904 | Oracle VM Server for x86 | xen | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-8905 | Oracle VM Server for x86 | xen | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2015-5203 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2015-5221 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-1577 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-8690 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-8693 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-8884 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-8885 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-9262 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-9591 | Oracle VM Server for x86 | jasper | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2017-6214 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.2,3.3
CVE-2015-6937 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.2
CVE-2017-2583 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.2,3.3
CVE-2016-9603 | Oracle VM Server for x86 | qemu-kvm | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.4
CVE-2017-7980 | Oracle VM Server for x86 | qemu-kvm | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.4
CVE-2016-9603 | Oracle VM Server for x86 | xen | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2017-2615 | Oracle VM Server for x86 | xen | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2017-2620 | Oracle VM Server for x86 | xen | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2016-10208 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.7 | Local | Medium | None | None | None | Complete | 3.3
CVE-2017-5669 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.2,3.3
CVE-2016-10248 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-1867 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-2089 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-2116 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-8691 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-8692 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-8883 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9388 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9389 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9390 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9391 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9392 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9393 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9394 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2016-9583 | Oracle VM Server for x86 | jasper | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2015-5257 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.0 | Local | High | None | None | None | Complete | 3.2,3.3
CVE-2016-2782 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.0 | Local | High | None | None | None | Complete | 3.2,3.3
CVE-2017-2633 | Oracle VM Server for x86 | qemu-kvm | No | 3.8 | Adjacent network | Medium | Single | None | Partial | Partial | 3.4
CVE-2017-7718 | Oracle VM Server for x86 | qemu-kvm | No | 2.9 | Adjacent network | High | Single | Partial | None | Partial | 3.4
CVE-2016-9387 | Oracle VM Server for x86 | jasper | Yes | 2.6 | Network | High | None | None | Partial | None | 3.3,3.4
CVE-2016-9600 | Oracle VM Server for x86 | jasper | Yes | 2.6 | Network | High | None | None | None | Partial | 3.3,3.4
CVE-2015-6252 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 1.5 | Local | Medium | Single | None | None | Partial | 3.2,3.3
CVE-2015-9731 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2,3.3
CVE-2017-3136 | Oracle VM Server for x86 | bind | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3,3.4
CVE-2017-3137 | Oracle VM Server for x86 | bind | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3,3.4
CVE-2017-3139 | Oracle VM Server for x86 | bind | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3,3.4

Revision 1: Published on 2017-04-18



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected
CVE-2016-10229 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.2
CVE-2017-6001 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 3.4
CVE-2017-5897 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.4
CVE-2017-5336 | Oracle VM Server for x86 | gnutls | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.3,3.4
CVE-2017-5337 | Oracle VM Server for x86 | gnutls | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.3,3.4
CVE-2015-4700 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3
CVE-2017-2636 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-6347 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.4
CVE-2017-7184 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.4
CVE-2017-7187 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2017-5986 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.1 | Network | Medium | None | None | None | Complete | 3.4
CVE-2016-10088 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2016-7543 | Oracle VM Server for x86 | bash | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 3.3,3.4
CVE-2016-8399 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2016-8632 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 3.4
CVE-2016-5139 | Oracle VM Server for x86 | openjpeg | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-5158 | Oracle VM Server for x86 | openjpeg | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-5159 | Oracle VM Server for x86 | openjpeg | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-9675 | Oracle VM Server for x86 | openjpeg | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-7910 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.2 | Local | High | None | Complete | Complete | Complete | 3.2,3.3,3.4
CVE-2015-8325 | Oracle VM Server for x86 | openssh | No | 6.2 | Local | High | None | Complete | Complete | Complete | 3.3,3.4
CVE-2016-8633 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.9 | Local | Medium | None | Partial | Partial | Complete | 3.2,3.3,3.4
CVE-2016-7163 | Oracle VM Server for x86 | openjpeg | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 3.3,3.4
CVE-2014-9761 | Oracle VM Server for x86 | glibc | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2015-8778 | Oracle VM Server for x86 | glibc | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2015-8779 | Oracle VM Server for x86 | glibc | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-10142 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.2,3.3
CVE-2017-5970 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.3,3.4
CVE-2017-6214 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.4
CVE-2017-5335 | Oracle VM Server for x86 | gnutls | Yes | 5.0 | Network | Low | None | None | None | Partial | 3.3,3.4
CVE-2015-8952 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.4
CVE-2016-10147 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.4
CVE-2016-3140 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.2,3.3,3.4
CVE-2016-3951 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.4
CVE-2016-8645 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.2,3.3,3.4
CVE-2017-2583 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Adjacent network | Medium | Single | Partial | Partial | Partial | 3.4
CVE-2016-10208 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.7 | Local | Medium | None | None | None | Complete | 3.4
CVE-2015-5707 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.2,3.3
CVE-2016-3672 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2017-6345 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2016-7425 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.4 | Local | Medium | None | Partial | Partial | Partial | 3.2,3.3,3.4
CVE-2015-8869 | Oracle VM Server for x86 | ocaml | No | 4.4 | Local | Medium | None | Partial | Partial | Partial | 3.3,3.4
CVE-2017-2596 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.3 | Adjacent network | High | Single | None | None | Complete | 3.4
CVE-2016-8610 | Oracle VM Server for x86 | gnutls | Yes | 4.3 | Network | Medium | None | None | None | Partial | 3.3,3.4
CVE-2015-8776 | Oracle VM Server for x86 | glibc | Yes | 4.0 | Network | High | None | Partial | None | Partial | 3.3,3.4
CVE-2016-3712 | Oracle VM Server for x86 | qemu-kvm | No | 3.8 | Adjacent network | Medium | Single | Partial | None | Partial | 3.4
CVE-2016-0634 | Oracle VM Server for x86 | bash | No | 3.7 | Local | High | None | Partial | Partial | Partial | 3.3,3.4
CVE-2016-7097 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 3.3 | Local | Medium | None | Partial | Partial | None | 3.4
CVE-2016-9588 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 3.3 | Adjacent network | Low | None | None | None | Partial | 3.3,3.4
CVE-2016-9756 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 2.3 | Adjacent network | Medium | Single | Partial | None | None | 3.4
CVE-2016-4580 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 2.1 | Local | Low | None | Partial | None | None | 3.2,3.3
CVE-2016-9178 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 1.9 | Local | Medium | None | Partial | None | None | 3.3,3.4
CVE-2016-9401 | Oracle VM Server for x86 | bash | No | 1.9 | Local | Medium | None | None | None | Partial | 3.3,3.4
CVE-2015-8569 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 1.7 | Local | Low | Single | Partial | None | None | 3.3
CVE-2017-2616 | Oracle VM Server for x86 | coreutils | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3,3.4
CVE-2017-2628 | Oracle VM Server for x86 | curl | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3,3.4