OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0008) (Meltdown) (Spectre)

medium Nessus Plugin ID 105762

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- x86/ia32: save and clear registers on syscall. (Jamie Iles) [Orabug: 27355759] (CVE-2017-5754)

- x86/IBRS: Save current status of MSR_IA32_SPEC_CTRL (Boris Ostrovsky)

- pti: Rename X86_FEATURE_KAISER to X86_FEATURE_PTI (Pavel Tatashin) [Orabug: 27352353] (CVE-2017-5754)

- usb/core: usb_alloc_dev: fix setting of ->portnum (Nicolai Stange)

- x86/spec_ctrl: Add missing IBRS_DISABLE (Konrad Rzeszutek Wilk)

- Make use of ibrs_inuse consistent. (Jun Nakajima)

- x86/kvm: Set IBRS on VMEXIT if guest disabled it. (Konrad Rzeszutek Wilk)

- Re-introduce clearing of r12-15, rbp, rbx (Kris Van Hees) [Orabug: 27352353] (CVE-2017-5754)

- x86: more ibrs/pti fixes (Pavel Tatashin) [Orabug: 27352353] (CVE-2017-5754)

- x86/spec: Actually do the check for in_use on ENABLE_IBRS (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- kvm: svm: Expose the CPUID.0x80000008 ebx flag. (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- x86/spec_ctrl: Provide the sysfs version of the ibrs_enabled (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- x86: Use better #define for FEATURE_ENABLE_IBRS and 0 (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- x86: Instead of 0x2, 0x4, and 0x1 use #defines. (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- kpti: Disable when running under Xen PV (Konrad Rzeszutek Wilk) [Orabug: 27352353] (CVE-2017-5754)

- x86: Don't ENABLE_IBRS in nmi when we are still running on user cr3 (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- x86/enter: Use IBRS on syscall and interrupts - fix ia32 path (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- x86: Fix spectre/kpti integration (Konrad Rzeszutek Wilk) [Orabug: 27352353] (CVE-2017-5754)

- PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27352353] (CVE-2017-5754)

- KAISER KABI tweaks. (Martin K. Petersen) [Orabug: 27352353] (CVE-2017-5754)

- x86/ldt: fix crash in ldt freeing. (Jamie Iles) [Orabug: 27352353] (CVE-2017-5754)

- x86/entry: Define 'cpu_current_top_of_stack' for 64-bit code (Denys Vlasenko) [Orabug: 27352353] (CVE-2017-5754)

- x86/entry: Remove unused 'kernel_stack' per-cpu variable (Denys Vlasenko) [Orabug: 27352353] (CVE-2017-5754)

- x86/entry: Stop using PER_CPU_VAR(kernel_stack) (Denys Vlasenko) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27352353] (CVE-2017-5754)

- x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- KPTI: Report when enabled (Kees Cook) [Orabug: 27352353] (CVE-2017-5754)

- KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27352353] (CVE-2017-5754)

- x86/kaiser: Move feature detection up (Borislav Petkov) [Orabug: 27352353] (CVE-2017-5754)

- x86/kaiser: Reenable PARAVIRT (Borislav Petkov) [Orabug: 27352353] (CVE-2017-5754)

- x86/paravirt: Don't patch flush_tlb_single (Thomas Gleixner) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: kaiser_flush_tlb_on_return_to_user check PCID (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: drop is_atomic arg to kaiser_pagetable_walk (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- x86/kaiser: Check boottime cmdline params (Borislav Petkov) [Orabug: 27352353] (CVE-2017-5754)

- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: add 'nokaiser' boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: fix unlikely error in alloc_ldt_struct (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: _pgd_alloc without __GFP_REPEAT to avoid stalls (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: paranoid_entry pass cr3 need to paranoid_exit (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: PCID 0 for kernel and 128 for user (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: load_new_mm_cr3 let SWITCH_USER_CR3 flush user (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: enhanced by kernel and user PCIDs (Dave Hansen) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: vmstat show NR_KAISERTABLE as nr_overhead (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: delete KAISER_REAL_SWITCH option (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: cleanups while trying for gold link (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: kaiser_remove_mapping move along the pgd (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: tidied up kaiser_add/remove_mapping slightly (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: tidied up asm/kaiser.h somewhat (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: ENOMEM if kaiser_pagetable_walk NULL (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: fix perf crashes (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: fix regs to do_nmi ifndef CONFIG_KAISER (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: KAISER depends on SMP (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: fix build and FIXME in alloc_ldt_struct (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: do not set _PAGE_NX on pgd_none (Hugh Dickins) [Orabug: 27352353] (CVE-2017-5754)

- kaiser: merged update (Dave Hansen) [Orabug: 27352353] (CVE-2017-5754)

- KAISER: Kernel Address Isolation (Richard Fellner) [Orabug: 27352353] (CVE-2017-5754)

- x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Reimplement flush_tlb_page using flush_tlb_mm_range (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Make flush_tlb_mm_range more predictable (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Remove flush_tlb and flush_tlb_current_task (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/vm86/32: Switch to flush_tlb_mm_range in mark_screen_rdonly (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/irq: Do not substract irq_tlb_count from irq_call_count (Aaron Lu) [Orabug: 27352353] (CVE-2017-5754)

- sched/core: Idle_task_exit shouldn't use switch_mm_irqs_off (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- ARM: Hide finish_arch_post_lock_switch from modules (Steven Rostedt) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm, sched/core: Turn off IRQs in switch_mm (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm, sched/core: Uninline switch_mm (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- sched/core: Add switch_mm_irqs_off and use it in the scheduler (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- mm/mmu_context, sched/core: Fix mmu_context.h assumption (Ingo Molnar) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27352353] (CVE-2017-5754)

- x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27352353] (CVE-2017-5754)

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.
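Installing the package is only half of the remediation: the KPTI (KAISER) code in this update is switched off by the 'nokaiser' boot option named in the changelog, and the "kpti: Disable when running under Xen PV" entry means an OracleVM dom0, which runs as a Xen PV guest, will not get page-table isolation at all. The script below is an added post-update check written for this page; it is not part of the Nessus plugin and not Oracle's code. Its assumptions are labelled: the page does not state the fixed kernel-uek version-release, so the caller supplies it in FIXED_UEK; the boot-log line it looks for is the one added by the "KPTI: Report when enabled" change listed above; the boot options it inspects are the 'nokaiser', 'nopcid' and 'noinvpcid' options the changelog names; and the sample boot log and command line are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example for this advisory page (not Nessus plugin code, not Oracle's):
# post-update checks for an OracleVM 3.4 host after OVMSA-2018-0008.
# Assumptions: FIXED_UEK (the fixed version-release, not stated on the page)
# is supplied by the caller; the KPTI report line comes from the
# "KPTI: Report when enabled" change; sample inputs below are constructed.

# vercmp A B: print -1, 0 or 1 for version-release strings such as
# "4.1.12-100.0.2.el6uek". Fields are split on '.' and '-'; numeric fields
# compare as integers, alphabetic ones as strings, a numeric field beats an
# alphabetic one and an exhausted side is older (rpmvercmp rules).
vercmp() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    case "$fa" in '') ka=0 ;; *[!0-9]*) ka=1 ;; *) ka=2 ;; esac   # 0 empty, 1 alpha, 2 numeric
    case "$fb" in '') kb=0 ;; *[!0-9]*) kb=1 ;; *) kb=2 ;; esac
    if [ "$ka" -ne "$kb" ]; then
      [ "$ka" -gt "$kb" ] && printf '%s\n' 1 || printf '%s\n' -1
      return
    elif [ "$ka" -eq 2 ]; then
      if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
      if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
    elif [ "$ka" -eq 1 ]; then
      if [ "$fa" \< "$fb" ]; then printf '%s\n' -1; return; fi
      if [ "$fa" \> "$fb" ]; then printf '%s\n' 1; return; fi
    fi
  done
  printf '%s\n' 0
}

# uek_is_fixed RUNNING FIXED: succeed when the running kernel-uek is at least
# the fixed version-release.
uek_is_fixed() { [ "$(vercmp "$1" "$2")" -ge 0 ]; }

# pti_state BOOTLOG: "enabled" if the kernel printed the KPTI report line,
# else "not-reported". The patched kernel prints it only when KPTI is on, so a
# Xen PV dom0 (where the changelog disables KPTI) stays silent.
pti_state() {
  case "$1" in
    *"Kernel/User page tables isolation: enabled"*) echo enabled ;;
    *) echo not-reported ;;
  esac
}

# cmdline_has CMDLINE OPT: succeed when OPT appears as a whole word.
cmdline_has() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# pcid_overrides CMDLINE: list the PCID/INVPCID opt-outs present, if any.
# They do not disable KPTI but turn off the fast paths it relies on.
pcid_overrides() {
  out=
  for opt in nopcid noinvpcid; do
    cmdline_has "$1" "$opt" && out="$out$opt "
  done
  printf '%s\n' "${out% }"
}

# assess RUNNING FIXED BOOTLOG CMDLINE: one-line verdict.
assess() {
  if ! uek_is_fixed "$1" "$2"; then
    echo "UNPATCHED: running kernel-uek $1 is older than $2"
  elif cmdline_has "$4" nokaiser; then
    echo "DISABLED: kernel-uek $1 is patched but booted with nokaiser"
  elif [ "$(pti_state "$3")" != enabled ]; then
    echo "NO-PTI: kernel-uek $1 is patched but reported no page-table isolation (expected for a Xen PV dom0)"
  elif [ -n "$(pcid_overrides "$4")" ]; then
    echo "OK: PTI enabled, but PCID fast path off ($(pcid_overrides "$4"))"
  else
    echo "OK: kernel-uek $1 with PTI enabled"
  fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BOOTLOG='[    0.000000] Command line: ro root=/dev/mapper/vg-root
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_CMDLINE='ro root=/dev/mapper/vg-root nopcid'

# Live use: FIXED_UEK=<version-release from the advisory> sh check_ovmsa.sh
if [ -n "${FIXED_UEK:-}" ]; then
  running=$(uname -r); running=${running%.*}      # drop the .x86_64 suffix
  assess "$running" "$FIXED_UEK" "$(dmesg 2>/dev/null || true)" "$(cat /proc/cmdline)"
else
  assess 4.1.12-100.0.2.el6uek 4.1.12-100.0.1.el6uek "$SAMPLE_BOOTLOG" "$SAMPLE_CMDLINE"
fi
```

On a long-running host the dmesg ring buffer may have wrapped past the boot messages, so feed the saved boot log instead. The script checks the running kernel, not merely the installed package, because an installed but not yet booted kernel-uek leaves the host exposed; it does not cover the kernel-uek-firmware package or the IBRS state that the "sysfs version of the ibrs_enabled" change exposes, since the page gives no path for that interface.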

See Also

http://www.nessus.org/u?d39633bb

Plugin Details

Severity: Medium

ID: 105762

File Name: oraclevm_OVMSA-2018-0008.nasl

Version: 3.7

Type: local

Published: 1/12/2018

Updated: 9/27/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/11/2018

Vulnerability Publication Date: 1/4/2018

Reference Information

CVE: CVE-2017-5715, CVE-2017-5754

IAVA: 2018-A-0019, 2018-A-0020