"Venom" Vulnerability - CVE-2015-3456


PURPOSE


The purpose of this document is to list Oracle products that include QEMU in their distribution, either directly or via inclusion of a component that includes QEMU, and to document their current status with respect to the publicly disclosed vulnerability CVE-2015-3456.

Specifically, this document will list:  (1) Oracle products that are likely vulnerable to CVE-2015-3456 and have fixes available from Oracle, and (2) Oracle products that are likely vulnerable to CVE-2015-3456 but for which no fixes are currently available.

Oracle has assessed the impact of vulnerability CVE-2015-3456 only against product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy.  Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle. When product versions for a given product are not specifically listed in this document, it implies all those versions for that product which are currently supported by Oracle.
 

DETAILS


Background

Vulnerabilities affecting QEMU were publicly disclosed. The Oracle Global Product Security and Development teams are investigating the inclusion of QEMU in Oracle products and will provide mitigation instructions when available for these affected Oracle products. For additional details, see the Oracle Security Alert for CVE-2015-3456.

These product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.

Below is the list of affected products and mitigation instructions as of July 30, 2015 at 01:30 PM Pacific.


1.0 Oracle products that are likely vulnerable to CVE-2015-3456 and have fixes currently available


Global Product Security has determined that the following 14 Oracle products have included in their distributions QEMU versions that have been reported as vulnerable to CVE-2015-3456. Oracle has issued fixes for these products per the table below. Refer to the individual Patch Availability Documents for information regarding the specific CVEs addressed.

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
 

Patch Availability Table
Affected Products Patch Availability
Oracle Communications Diameter Signaling Router [Product ID 10899] MOS note 2037627.1
Oracle Communications Performance Intelligence Center Software [Product ID 11044] MOS note 2037652.1
Oracle Communications Policy Management [Product ID 10900] MOS note 2037648.1
Oracle Communications User Data Repository [Product ID 11108] MOS note 2037626.1
Oracle Database Appliance [Product ID 9435] MOS note 2011698.1
Oracle Exadata Database Machine [Product ID 2546] MOS note 2011997.1
Oracle Exalogic Elastic Cloud [Product ID 9415] MOS note 2010875.1
Oracle Exalytics In-Memory Machine [Product ID 9736] MOS note 2011585.1
Oracle Linux [Product ID 1309] MOS note 2010871.1
Oracle VM for x86 [Product ID 4455] MOS note 2010871.1
Oracle VM VirtualBox [Product ID 8370] MOS note 2010871.1
PeopleSoft PeopleTools [Product ID 5085] MOS note 2035907.1
Tekelec HLR Router [Product ID 11047] MOS note 2037623.1
Virtual Compute Appliance [Product ID 10635] MOS note 2010871.1

 

2.0 Oracle products that are likely vulnerable to CVE-2015-3456 but for which no fixes are yet available

No products remain in this category. Note that Oracle has published My Oracle Support Note 2010538.1 to provide information related to Oracle’s handling of Linux security fixes prior to their availability on Oracle-engineered systems.