Oracle VM Server for x86 Bulletin - April 2023

 

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is also updated during the two months after its release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerabilities deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin security patches as soon as possible.

 

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

 

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 18 July 2023
  • 17 October 2023
  • 16 January 2024
  • 16 April 2024

References

 

Modification History

| Date | Note |
|---|---|
| 2023-May-16 | Rev 2. New CVEs added |
| 2023-April-18 | Rev 1. Initial Release |

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 23 new security patches for the Oracle VM Server for x86.

Oracle VM Server for x86 Risk Matrix

Revision 2: Published on 2023-05-16

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-25235 | Oracle VM Server for x86 | expat | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3 |
| CVE-2022-25236 | Oracle VM Server for x86 | expat | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3 |
| CVE-2022-25315 | Oracle VM Server for x86 | expat | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3 |
| CVE-2022-40674 | Oracle VM Server for x86 | expat | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3 |
| CVE-2018-25032 | Oracle VM Server for x86 | zlib | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | 3 |
| CVE-2022-24903 | Oracle VM Server for x86 | rsyslog | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 3 |
| CVE-2023-0767 | Oracle VM Server for x86 | nss | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 3 |
| CVE-2022-0778 | Oracle VM Server for x86 | openssl | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3 |
| CVE-2023-0286 | Oracle VM Server for x86 | openssl | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 3 |
| CVE-2022-42898 | Oracle VM Server for x86 | krb5 | No | 6.4 | Network | High | Low | None | Unchanged | Low | High | Low | 3 |

Revision 1: Published on 2023-04-17

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-42309 | Oracle VM Server for x86 | xen | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 3 |
| CVE-2019-5489 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.1 | Network | High | Low | None | Changed | High | Low | None | 3 |
| CVE-2022-42320 | Oracle VM Server for x86 | xen | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2023-0394 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.5 | Adjacent | Low | None | None | Unchanged | None | None | High | 3 |
| CVE-2022-42311 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42312 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42313 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42314 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42315 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42316 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42317 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42318 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42319 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2022-42321 | Oracle VM Server for x86 | xen | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 3 |
| CVE-2023-1073 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.3 | Physical | High | Low | None | Unchanged | High | High | High | 3 |
| CVE-2020-0404 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2023-1095 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-42310 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-42322 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-42323 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-42325 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2022-42326 | Oracle VM Server for x86 | xen | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 3 |
| CVE-2023-1074 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.7 | Local | High | Low | None | Unchanged | None | None | High | 3 |