Oracle VM Server for x86 Bulletin - April 2019

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) during the month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins are also updated during the two months after their release (i.e., the two months between the regular quarterly Critical Patch Update publication dates) to cover all CVEs resolved in those two months following the bulletin's publication. In addition, Oracle VM Server for x86 Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next scheduled bulletin publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory https://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 July 2019
  • 15 October 2019
  • 14 January 2020
  • 14 April 2020

References

Modification History

2019-June-18 Rev 3. New CVEs added.
2019-May-17 Rev 2. New CVEs added.
2019-April-16 Rev 1. Initial Release

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 26 new security fixes for the Oracle VM Server for x86. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2019-06-18

CVE# | Product | Component | Remote Exploit without Auth.? / CVSS 2.0 Risk (Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability; see Risk Matrix Definitions) | Supported Versions Affected
CVE-2015-5327 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2017-18360 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12127 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12130 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-14633 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-19985 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-20836 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11190 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11477 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11478 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11479 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11810 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11815 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11884 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-3459 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-3819 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-9636 | Oracle VM Server for x86 | python | Undefined | 3.3, 3.4

Revision 2: Published on 2019-05-17

CVE# | Product | Component | Remote Exploit without Auth.? / CVSS 2.0 Risk (Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability; see Risk Matrix Definitions) | Supported Versions Affected
CVE-2017-13305 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-1066 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-10881 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-10882 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12126 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12127 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12130 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-11091 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2019-3701 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-12126 | Oracle VM Server for x86 | qemu-kvm | Undefined | 3.4
CVE-2018-12127 | Oracle VM Server for x86 | qemu-kvm | Undefined | 3.4
CVE-2018-12130 | Oracle VM Server for x86 | qemu-kvm | Undefined | 3.4
CVE-2019-11091 | Oracle VM Server for x86 | qemu-kvm | Undefined | 3.4
CVE-2018-12126 | Oracle VM Server for x86 | xen | Undefined | 3.4
CVE-2018-12127 | Oracle VM Server for x86 | xen | Undefined | 3.4
CVE-2018-12130 | Oracle VM Server for x86 | xen | Undefined | 3.4
CVE-2019-11091 | Oracle VM Server for x86 | xen | Undefined | 3.4

Revision 1: Published on 2019-04-16

CVE# | Product | Component | Remote Exploit without Auth.? / CVSS 2.0 Risk (Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability; see Risk Matrix Definitions) | Supported Versions Affected
CVE-2018-10879 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Undefined | 3.4
CVE-2018-15473 | Oracle VM Server for x86 | openssh | Undefined | 3.3, 3.4