Oracle Security Alert for CVE-2015-3456

Description

This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC (on most guest operating systems this means root or Administrator, since the FDC is driven through I/O port access). By sending crafted commands to the emulated FDC, the attacker may be able to corrupt memory of the hypervisor process on the host operating system and execute code in the context of that process, i.e., escape from the guest to the host. On the Xen and QEMU/KVM platforms the FDC emulation is part of the virtual platform and remains active even when no floppy drive has been configured for the guest, so removing the virtual floppy drive is not a mitigation; applying the fix is. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Versions

The security vulnerability addressed by this Security Alert directly affects the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.

Oracle products and systems that include the products listed in this Alert are likely also affected. Customers should refer to Venom vulnerability - CVE-2015-3456 for additional information about those products. Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability. The product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions                     | Patch Availability
VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28 | Oracle Linux and Virtualization
Oracle VM 2.2, 3.2, 3.3                            | Oracle Linux and Virtualization
Oracle Linux 5, 6, 7                               | Oracle Linux and Virtualization

Supported Products and Versions

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

Oracle Cloud

The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services. The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes.

Customers requiring additional information which is not addressed in this communication may obtain more information as follows:

  • Oracle Managed Cloud Services (OMCS) Customers should contact their Service Delivery Manager (SDM). CRM On Demand customers should request status via a Service Request (SR).
  • Oracle Cloud for Industry (OCI) and Micros Cloud Customers should contact gbu-risk-compliance-resp_ww@oracle.com.
  • Oracle Public Cloud (OPC) Customers should submit a Service Request within their designated support system to request an update which is specific to the services they have purchased.

Patch Availability Table and Risk Matrix

The security fixes in this Security Alert are cumulative; the latest update includes all fixes from previous Critical Patch Updates and Security Alerts.

Patch Availability Table

Product Group                   | Risk Matrix                     | Patch Availability and Installation Information
Oracle Linux and Virtualization | Oracle Linux and Virtualization | Oracle Security Alert for CVE-2015-3456 (My Oracle Support Note 2010871.1)

References

Modification History

Date Comments
2015-May-15 Rev 1. Initial Release

Appendix - Oracle Linux and Virtualization

Oracle Linux Executive Summary

This Security Alert contains one new security fix for Oracle Linux. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Linux Risk Matrix

CVE#          | Component    | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2015-3456 | Oracle Linux | None     | Xen, Qemu-KVM | No                            | 6.2                 | Local         | High              | None           | Complete        | Complete  | Complete     | 5, 6, 7                     |

The CVSS columns are CVSS version 2.0 (see Risk Matrix Definitions). Written as a CVSS v2 vector, the row is AV:L/AC:H/Au:N/C:C/I:C/A:C: local access with high complexity (the attacker must already run privileged code inside a guest), but complete loss of confidentiality, integrity and availability of the host once the guest is escaped.

Oracle Virtualization Executive Summary

This Security Alert contains two new security fixes for Oracle Virtualization, both for CVE-2015-3456: one for Oracle VM and one for Oracle VM VirtualBox. The vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#          | Component            | Protocol | Sub-component  | Remote Exploit without Auth.? | CVSS 2.0 Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected                        | Notes
CVE-2015-3456 | Oracle VM            | None     | Xen Hypervisor | No                            | 6.2                 | Local         | High              | None           | Complete        | Complete  | Complete     | 2.2, 3.2, 3.3                                      |
CVE-2015-3456 | Oracle VM VirtualBox | None     | Core           | No                            | 6.2                 | Local         | High              | None           | Complete        | Complete  | Complete     | 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28            | See Note 1

The CVSS columns are CVSS version 2.0 (see Risk Matrix Definitions). Both rows correspond to the vector AV:L/AC:H/Au:N/C:C/I:C/A:C; the VirtualBox score assumes the configuration described in Note 1.

Notes:

  1. The CVSS score assumes that the virtualization software is running on the host operating system as a privileged user. When this is not the case, the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial+" instead of "Complete" (code execution is confined to the unprivileged user running the virtualization software rather than the whole host), which lowers the CVSS Base Score. For example, a Base Score of 6.2 becomes 3.7.
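The adjustment in Note 1 follows directly from the CVSS v2.0 base-score equation. The calculator below is an added example and not code from the Oracle alert: it parses a CVSS v2 vector string, applies the metric weights published in the CVSS v2 specification, and reproduces both scores in the matrix starting from the vector spelled out by the table columns, AV:L/AC:H/Au:N/C:C/I:C/A:C. The function names are this example's own, and it follows Oracle's convention of scoring "Partial+" with the CVSS "Partial" weight.

```python
"""CVSS v2.0 base-score calculator.

Added example, not code from the Oracle alert. Reproduces the 6.2 -> 3.7
adjustment of Note 1 from the CVSS v2 base equation. Function names are
this example's own; Oracle's "Partial+" is scored as CVSS "Partial".
"""

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete

REQUIRED = ("AV", "AC", "Au", "C", "I", "A")
ALLOWED = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:L/AC:H/Au:N/C:C/I:C/A:C' into {metric: value}, rejecting bad input."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in ALLOWED or value not in ALLOWED[key]:
            raise ValueError(f"invalid CVSS v2 metric {part!r} in {vector!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key!r} in {vector!r}")
        metrics[key] = value
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"{vector!r} is missing {missing}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2.0 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    # Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A)); three Completes give ~10.0.
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    # Exploitability sub-score: 20 * AV * AC * Au; Local/High/None gives ~1.95.
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # a vector with no impact scores 0.0
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def unprivileged_host_vector(vector: str) -> str:
    """Apply Note 1: when the virtualization software does not run as a privileged
    host user, each Complete impact becomes Partial(+); other metrics are unchanged."""
    m = parse_vector(vector)
    for key in ("C", "I", "A"):
        if m[key] == "C":
            m[key] = "P"
    return "/".join(f"{k}:{m[k]}" for k in REQUIRED)


# The vector spelled out by the matrix columns: Local / High / None / Complete x3.
VENOM_VECTOR = "AV:L/AC:H/Au:N/C:C/I:C/A:C"

if __name__ == "__main__":
    lowered = unprivileged_host_vector(VENOM_VECTOR)
    print(f"{VENOM_VECTOR}  base score {base_score(VENOM_VECTOR)}")   # 6.2
    print(f"{lowered}  base score {base_score(lowered)}")             # 3.7
```

The rounding is the CVSS v2 round-to-one-decimal rule, not the round-up rule CVSS v3 introduced; using the wrong one is the usual reason a hand-computed v2 score disagrees with a vendor matrix by 0.1.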