Oracle VM Server for x86 Bulletin - October 2023
Description
The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 16 January 2024
- 16 April 2024
- 16 July 2024
- 15 October 2024
References
- Oracle Critical Patch Updates and Security Alerts main page
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- CVRF XML version of the risk matrix
Modification History
| Date | Note |
|---|---|
| 2023-December -19 | Rev 3. New CVEs added. |
| 2023-November-21 | Rev 2. New CVEs added. |
| 2023-October-17 | Rev 1. Initial Release |
Oracle VM Server for x86 Executive Summary
This Oracle VM Server for x86 Bulletin contains 17 new security patches for the Oracle VM Server for x86.
Oracle VM Server for x86 Risk Matrix
Revision: 3 Published on 2023-12-19
| CVE# | Product | Component | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||
| CVE-2023-45862 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3 |
| CVE-2023-39192 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Changed | High | None | Low | 3 |
| CVE-2023-4207 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.4 | Local | High | High | None | Unchanged | High | High | High | 3 |
| CVE-2023-39193 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.1 | Local | Low | High | None | Unchanged | High | None | Low | 3 |
Revision: 2 Published on 2023-11-21
| CVE# | Product | Component | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||
| CVE-2022-34918 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-35001 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-3611 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-3776 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-40283 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-2513 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3 |
| CVE-2023-4387 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 3 |
| CVE-2023-4459 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2023-4206 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.4 | Local | High | High | None | Unchanged | High | High | High | 3 |
| CVE-2023-4208 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.4 | Local | High | High | None | Unchanged | High | High | High | 3 |
| CVE-2023-22024 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2023-3772 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
Revision: 1 Published on 2023-10-17
| CVE# | Product | Component | Remote Exploit without Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||
| CVE-2022-48174 | Oracle VM Server for x86 | busybox | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3 |