Oracle VM Server for x86 Bulletin - April 2019


Description

The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.


Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad


Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 July 2019
  • 15 October 2019
  • 14 January 2020
  • 14 April 2020

References


Modification History


2019-June-18 Rev 3. New CVEs added.
2019-May-17 Rev 2. New CVEs added.
2019-April-16 Rev 1. Initial Release

 

Oracle VM Server for x86 Executive Summary

 

This Oracle VM Server for x86 Bulletin contains 26 new security fixes for the Oracle VM Server for x86.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle VM Server for x86 Risk Matrix


Revision 3: Published on 2019-06-18



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-5327 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2017-18360 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12127 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12130 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-14633 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-19985 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-20836 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11190 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11477 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11478 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11479 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11810 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11815 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11884 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-3459 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-3819 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-9636 Oracle VM Server for x86 python Undefined 3.3,3.4
 

 

Revision 2: Published on 2019-05-17



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2017-13305 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-1066 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-10881 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-10882 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12126 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12127 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12130 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-11091 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2019-3701 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-12126 Oracle VM Server for x86 qemu-kvm Undefined 3.4
CVE-2018-12127 Oracle VM Server for x86 qemu-kvm Undefined 3.4
CVE-2018-12130 Oracle VM Server for x86 qemu-kvm Undefined 3.4
CVE-2019-11091 Oracle VM Server for x86 qemu-kvm Undefined 3.4
CVE-2018-12126 Oracle VM Server for x86 xen Undefined 3.4
CVE-2018-12127 Oracle VM Server for x86 xen Undefined 3.4
CVE-2018-12130 Oracle VM Server for x86 xen Undefined 3.4
CVE-2019-11091 Oracle VM Server for x86 xen Undefined 3.4
 

 

Revision 1: Published on 2019-04-16



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2018-10879 Oracle VM Server for x86 Unbreakable Enterprise kernel Undefined 3.4
CVE-2018-15473 Oracle VM Server for x86 openssh Undefined 3.3,3.4