Oracle VM Server for x86 Bulletin - January 2018

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 April 2018
  • 17 July 2018
  • 16 October 2018
  • 15 January 2019

References

Modification History

2018-March-16 Rev 3. New CVEs added.
2018-February-16 Rev 2. New CVEs added.
2018-January-16 Rev 1. Initial Release

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 24 new security fixes for the Oracle VM Server for x86.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2018-03-16

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2017-15289 Oracle VM Server for x86 qemu-kvm No 2.1 Local Low None None None Partial 3.4
CVE-2018-5732 Oracle VM Server for x86 dhcp Yes 0.0 Network Undefined None None None None 3.3,3.4
CVE-2018-5733 Oracle VM Server for x86 dhcp Yes 0.0 Network Undefined None None None None 3.3,3.4
CVE-2018-7540 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.4
CVE-2018-7541 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.4

Revision 2: Published on 2018-02-16

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2017-15115 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-8824 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-17712 Oracle VM Server for x86 Unbreakable Enterprise kernel No 6.9 Local Medium None Complete Complete Complete 3.4
CVE-2017-12193 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.9 Local Low None None None Complete 3.4
CVE-2017-5715 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.3
CVE-2017-5753 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.3
CVE-2017-5754 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.3,3.4
CVE-2017-0861 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.6 Local Low None Partial Partial Partial 3.4
CVE-2017-1000407 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.6 Adjacent network High None None None Complete 3.4
CVE-2017-14140 Oracle VM Server for x86 Unbreakable Enterprise kernel No 2.1 Local Low None Partial None None 3.4
CVE-2017-3145 Oracle VM Server for x86 bind Yes 0.0 Network Undefined None None None None 3.3,3.4

Revision 1: Published on 2018-01-16

CVE# Product Component Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2017-16525 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16526 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16529 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16530 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16531 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16533 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16535 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-16536 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2017-5715 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5753 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5754 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5715 Oracle VM Server for x86 qemu-kvm No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5715 Oracle VM Server for x86 xen No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5753 Oracle VM Server for x86 xen No 4.7 Local Medium None Complete None None 3.4
CVE-2017-5754 Oracle VM Server for x86 xen No 4.7 Local Medium None Complete None None 3.4