Oracle VM Server for x86 Bulletin - October 2017

Description

The Oracle VM Server for x86 Bulletin lists all CVEs that were resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the month preceding the bulletin's release. Oracle VM Server for x86 Bulletins are published on the same day as Oracle Critical Patch Updates. Each bulletin is also updated during the two months following its release (the two months between consecutive quarterly Critical Patch Update publication dates) to cover all CVEs resolved in that period. In addition, a bulletin may be updated for vulnerability fixes deemed too critical to wait for the next scheduled publication date.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Oracle VM Server for x86 Bulletin fixes as soon as possible.

Patch Availability

Please see ULN Advisory http://linux.oracle.com/ovm-bulletin-pad

Oracle VM Server for x86 Bulletin Schedule

Oracle VM Server for x86 Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

References

Modification History

2017-December-18 Rev 3. New CVEs added.
2017-November-17 Rev 2. New CVEs added.
2017-October-17 Rev 1. Initial Release.

Oracle VM Server for x86 Executive Summary

This Oracle VM Server for x86 Bulletin contains 48 new security fixes for the Oracle VM Server for x86. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle VM Server for x86 Risk Matrix

Revision 3: Published on 2017-12-18

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-16527 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.4 |
| CVE-2017-16650 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.4 |
| CVE-2017-7889 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-15649 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.4 |
| CVE-2016-10318 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.0 | Network | Low | Single | None | None | Partial | 3.4 |
| CVE-2017-1000405 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.4 |
| CVE-2017-12190 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3, 3.4 |
| CVE-2017-17044 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-17045 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |

Revision 2: Published on 2017-11-17

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-11176 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-7618 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.8 | Network | Low | None | None | None | Complete | 3.4 |
| CVE-2017-10661 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 3.3 |
| CVE-2016-10044 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-1000111 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-1000363 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-11473 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-7541 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.4 |
| CVE-2017-8831 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-9075 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-9077 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.3 |
| CVE-2017-14316 | Oracle VM Server for x86 | xen | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2, 3.3, 3.4 |
| CVE-2017-14319 | Oracle VM Server for x86 | xen | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 3.2, 3.3, 3.4 |
| CVE-2017-1000112 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 3.4 |
| CVE-2016-9191 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 5.2 | Adjacent network | Medium | Single | None | None | Complete | 3.4 |
| CVE-2017-12192 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.4 |
| CVE-2017-14106 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.4 |
| CVE-2017-14489 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.3, 3.4 |
| CVE-2017-2671 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.3 |
| CVE-2017-7542 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.9 | Local | Low | None | None | None | Complete | 3.3, 3.4 |
| CVE-2017-14317 | Oracle VM Server for x86 | xen | No | 4.7 | Local | Medium | None | None | None | Complete | 3.2, 3.3, 3.4 |
| CVE-2017-6462 | Oracle VM Server for x86 | ntp | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 3.3, 3.4 |
| CVE-2017-12154 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 4.3 | Adjacent network | High | Single | None | None | Complete | 3.4 |
| CVE-2017-6463 | Oracle VM Server for x86 | ntp | No | 4.0 | Network | Low | Single | None | None | Partial | 3.3, 3.4 |
| CVE-2017-6464 | Oracle VM Server for x86 | ntp | No | 4.0 | Network | Low | Single | None | None | Partial | 3.3, 3.4 |
| CVE-2017-1000380 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 2.1 | Local | Low | None | Partial | None | None | 3.3 |
| CVE-2017-2618 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.4 |
| CVE-2017-7482 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.4 |
| CVE-2017-15588 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15589 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15590 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15592 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15593 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15594 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |
| CVE-2017-15595 | Oracle VM Server for x86 | xen | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.2, 3.3, 3.4 |

Revision 1: Published on 2017-10-17

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-14491 | Oracle VM Server for x86 | dnsmasq | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.4 |
| CVE-2017-1000251 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | No | 6.8 | Adjacent network | High | None | Complete | Complete | Complete | 3.3, 3.4 |
| CVE-2017-12134 | Oracle VM Server for x86 | Unbreakable Enterprise kernel | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3 |
| CVE-2017-7805 | Oracle VM Server for x86 | nss | Yes | 0.0 | Network | Undefined | None | None | None | None | 3.3, 3.4 |
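The risk matrix above lists the CVSS v2.0 metric columns beside each base score. As an added example that is not part of Oracle's bulletin, the following Python recomputes each row's base score from those columns with the CVSS v2.0 base equations and compares it with the listed value; the row parser assumes the flattened one-row-per-line layout in which the matrix appears on this page, and the sample rows are copied from it.

```python
"""CVSS v2.0 base-score check for the bulletin's risk-matrix rows.
Recomputes each row's base score from its CVSS v2.0 columns and returns
listed vs. recomputed scores so any disagreement stands out."""
import math

# CVSS v2.0 metric weights (FIRST CVSS v2 guide, base equation).
AV = {"Local": 0.395, "Adjacent network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Constructed sample input: rows copied from this bulletin's risk matrix,
# in the flattened one-row-per-line layout the page uses.
SAMPLE_ROWS = """\
CVE-2017-16527 Oracle VM Server for x86 Unbreakable Enterprise kernel No 7.2 Local Low None Complete Complete Complete 3.4
CVE-2016-10318 Oracle VM Server for x86 Unbreakable Enterprise kernel No 4.0 Network Low Single None None Partial 3.4
CVE-2016-9191 Oracle VM Server for x86 Unbreakable Enterprise kernel No 5.2 Adjacent network Medium Single None None Complete 3.4
CVE-2017-14491 Oracle VM Server for x86 dnsmasq Yes 10.0 Network Low None Complete Complete Complete 3.4
CVE-2017-17044 Oracle VM Server for x86 xen Yes 0.0 Network Undefined None None None None 3.2,3.3,3.4
"""

def round1(x):
    """CVSS v2 rounds to one decimal, half up; Python's round() is half-even."""
    return math.floor(x * 10 + 0.5) / 10

def base_score(av, ac, au, c, i, a):
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    if impact == 0:
        return 0.0  # f(Impact) = 0: unscored rows ("Undefined" complexity) stay 0.0
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)

def parse_row(line):
    """Parse from the right: the component name has a variable number of
    words and 'Adjacent network' is a two-word access vector."""
    t = line.split()
    a, i, c, au, ac = t[-2], t[-3], t[-4], t[-5], t[-6]
    if t[-8:-6] == ["Adjacent", "network"]:
        av, rest = "Adjacent network", t[:-8]
    else:
        av, rest = t[-7], t[:-7]
    return {"cve": t[0], "remote": rest[-2] == "Yes", "listed": float(rest[-1]),
            "vector": (av, ac, au, c, i, a), "versions": t[-1].split(",")}

def check_rows(text):
    """Map each CVE to (listed score, recomputed score)."""
    return {r["cve"]: (r["listed"], base_score(*r["vector"]))
            for r in map(parse_row, text.strip().splitlines())}
```

Running `check_rows(SAMPLE_ROWS)` reproduces every listed score, including the 0.0 of rows whose impact metrics are all None.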