Oracle Linux Bulletin - October 2019
Description
The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates) to cover all CVEs that had been resolved in those two months following the bulletin's publication. In addition, Oracle Linux Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next scheduled bulletin publication date.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle Linux Bulletin security patches as soon as possible.
Patch Availability
Please see ULN Advisory https://linux.oracle.com/ol-pad-bulletin
Oracle Linux Bulletin Schedule
Oracle Linux Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 14 January 2020
- 14 April 2020
- 14 July 2020
- 20 October 2020
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- CVRF XML version of the risk matrix [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2019-December-18 | Rev 3. New CVEs added |
| 2019-November-21 | Rev 2. New CVEs added |
| 2019-October-15 | Rev 1. Initial Release |
Oracle Linux Executive Summary
This Oracle Linux Bulletin contains 19 new security patches for the Oracle Linux. 14 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Linux Risk Matrix
Revision 3: Published on 2019-12-18
| CVE# | Product | Component | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confiden- tiality |
Integrity | Avail- ability |
|||||
| CVE-2019-11729 | Oracle Linux | nss, nss-softokn, nss-util | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6 |
| CVE-2018-20169 | Oracle Linux | Unbreakable Enterprise kernel | Undefined | 6 | |||||||||
Revision 2: Published on 2019-11-21
| CVE# | Product | Component | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confiden- tiality |
Integrity | Avail- ability |
|||||
| CVE-2019-11478 | Oracle Linux | Unbreakable Enterprise kernel | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6 |
| CVE-2019-12749 | Oracle Linux | dbus | No | 7.1 | Local | Low | Low | None | Unchanged | High | High | None | 8 |
| CVE-2018-12181 | Oracle Linux | edk2 | Undefined | 8 | |||||||||
| CVE-2015-1593 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2018-16884 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2018-19985 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2018-20169 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-11833 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-11884 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-3459 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-5489 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-7222 | Oracle Linux | kernel | Undefined | 8 | |||||||||
| CVE-2019-3877 | Oracle Linux | mod_auth_mellon | Undefined | 8 | |||||||||
Revision 1: Published on 2019-10-15
| CVE# | Product | Component | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confiden- tiality |
Integrity | Avail- ability |
|||||
| CVE-2018-11806 | Oracle Linux | qemu-kvm | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 6 |
| CVE-2019-6778 | Oracle Linux | qemu-kvm | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 6 |
| CVE-2018-17962 | Oracle Linux | qemu-kvm | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6 |
| CVE-2019-12155 | Oracle Linux | qemu-kvm | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6 |
| CVE-2018-10839 | Oracle Linux | qemu-kvm | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 6 |