Oracle VM Server for x86 Bulletin - October 2017


Description

The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.


Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad


Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

References


Modification History


2017-December-18 Rev 3. New CVEs added.
2017-November-17 Rev 2. New CVEs added.
2017-October-17 Rev 1. Initial Release

 

Oracle VM Server for x86 Executive Summary

 

This Oracle VM Server for x86 Bulletin contains 48 new security fixes for the Oracle VM Server for x86.  19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle VM Server for x86 Risk Matrix


Revision 3: Published on 2017-12-18



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2017-16527 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16650 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-7889 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-15649 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.6 Local Low None Partial Partial Partial 3.4
CVE-2016-10318 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.0 Network Low Single None None Partial 3.4
CVE-2017-1000405 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 0.0 Network Undefined None None None None 3.4
CVE-2017-12190 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 0.0 Network Undefined None None None None 3.3,3.4
CVE-2017-17044 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-17045 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
 

 

Revision 2: Published on 2017-11-17



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2017-11176 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 10.0 Network Low None Complete Complete Complete 3.3
CVE-2017-7618 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 7.8 Network Low None None None Complete 3.4
CVE-2017-10661 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 7.6 Network High None Complete Complete Complete 3.3
CVE-2016-10044 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-1000111 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-1000363 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-11473 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-7541 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-8831 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-9075 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-9077 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.3
CVE-2017-14316 Oracle VM Server for x86 xen No 7.2 Local Low None Complete Complete Complete 3.2,3.3,3.4
CVE-2017-14319 Oracle VM Server for x86 xen No 7.2 Local Low None Complete Complete Complete 3.2,3.3,3.4
CVE-2017-1000112 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.4
CVE-2016-9191 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.2 Adjacent network Medium Single None None Complete 3.4
CVE-2017-12192 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2017-14106 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2017-14489 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.3,3.4
CVE-2017-2671 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.3
CVE-2017-7542 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.3,3.4
CVE-2017-14317 Oracle VM Server for x86 xen No 4.7 Local Medium None None None Complete 3.2,3.3,3.4
CVE-2017-6462 Oracle VM Server for x86 ntp No 4.6 Local Low None Partial Partial Partial 3.3,3.4
CVE-2017-12154 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.3 Adjacent network High Single None None Complete 3.4
CVE-2017-6463 Oracle VM Server for x86 ntp No 4.0 Network Low Single None None Partial 3.3,3.4
CVE-2017-6464 Oracle VM Server for x86 ntp No 4.0 Network Low Single None None Partial 3.3,3.4
CVE-2017-1000380 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None Partial None None 3.3
CVE-2017-2618 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 0.0 Network Undefined None None None None 3.4
CVE-2017-7482 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 0.0 Network Undefined None None None None 3.4
CVE-2017-15588 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15589 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15590 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15592 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15593 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15594 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
CVE-2017-15595 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
 

 

Revision 1: Published on 2017-10-17



CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2017-14491 Oracle VM Server for x86 dnsmasq Yes 10.0 Network Low None Complete Complete Complete 3.4
CVE-2017-1000251 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.8 Adjacent network High None Complete Complete Complete 3.3,3.4
CVE-2017-12134 Oracle VM Server for x86 Unbreakable Enterprise kernel Yes 0.0 Network Undefined None None None None 3.3
CVE-2017-7805 Oracle VM Server for x86 nss Yes 0.0 Network Undefined None None None None 3.3,3.4