Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4195)

medium Nessus Plugin ID 111725

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4195 advisory.

- ipv4: frags: handle possible skb truesize change (Eric Dumazet) [Orabug: 28481663] {CVE-2018-5391}
- inet: frag: enforce memory limits earlier (Eric Dumazet) [Orabug: 28481663] {CVE-2018-5391}
- x86/mm/kmmio: Make the tracer robust against L1TF (Andi Kleen) [Orabug: 28442418] {CVE-2018-3620}
- x86/mm/pat: Make set_memory_np() L1TF safe (Andi Kleen) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (Andi Kleen) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Invert all not present mappings (Andi Kleen) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Fix SMT supported evaluation (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- KVM: VMX: Tell the nested hypervisor to skip L1D flush on vmentry (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3646}
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation: Simplify sysfs report of VMX L1TF vulnerability (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3620}
- Documentation/l1tf: Remove Yonah processors from not vulnerable list (Thomas Gleixner) [Orabug:
28442418] {CVE-2018-3620}
- x86/KVM/VMX: Dont set l1tf_flush_l1d from vmx_handle_external_intr() (Nicolai Stange) [Orabug:
28442418] {CVE-2018-3646}
- x86/irq: Let interrupt handlers set kvm_cpu_l1tf_flush_l1d (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3646}
- x86: Dont include linux/irq.h from asm/hardirq.h (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3620}
- x86/KVM/VMX: Introduce per-host-cpu analogue of l1tf_flush_l1d (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Move the l1tf_flush_l1d test to vmx_l1d_flush() (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Replace 'vmx_l1d_flush_always' with 'vmx_l1d_flush_cond' (Nicolai Stange) [Orabug:
28442418] {CVE-2018-3646}
- x86/KVM/VMX: Dont set l1tf_flush_l1d to true from vmx_l1d_flush() (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3646}
- KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3646}
- cpu/hotplug: detect SMT disabled by BIOS (Josh Poimboeuf) [Orabug: 28442418] {CVE-2018-3620}
- Documentation/l1tf: Fix typos (Tony Luck) [Orabug: 28442418] {CVE-2018-3620}
- x86/KVM/VMX: Initialize the vmx_l1d_flush_pages content (Nicolai Stange) [Orabug: 28442418] {CVE-2018-3646}
- x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (Jiri Kosina) [Orabug:
28442418] {CVE-2018-3620}
- Documentation: Add section about CPU vulnerabilities (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/bugs, kvm: Introduce boot-time control of L1TF mitigations (Jiri Kosina) [Orabug: 28442418] {CVE-2018-3646}
- cpu/hotplug: Set CPU_SMT_NOT_SUPPORTED early (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Expose SMT control init function (Jiri Kosina) [Orabug: 28442418] {CVE-2018-3620}
- x86/kvm: Allow runtime control of L1D flush (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3646}
- x86/kvm: Serialize L1D flush parameter setter (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3646}
- x86/kvm: Add static key for flush always (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3646}
- x86/kvm: Move l1tf setup function (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3646}
- x86/l1tf: Handle EPT disabled state proper (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/kvm: Drop L1TF MSR list approach (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3646}
- x86/litf: Introduce vmx status variable (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Online siblings when SMT control is turned on (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required (Konrad Rzeszutek Wilk) [Orabug:
28442418] {CVE-2018-3646}
- x86/KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Konrad Rzeszutek Wilk) [Orabug:
28442418] {CVE-2018-3646}
- x86/KVM/VMX: Separate the VMX AUTOLOAD guest/host number accounting (Konrad Rzeszutek Wilk) [Orabug:
28442418] {CVE-2018-3646}
- x86/KVM/VMX: Add find_msr() helper function (Konrad Rzeszutek Wilk) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Split the VMX MSR LOAD structures to have an host/guest numbers (Konrad Rzeszutek Wilk) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Add L1D flush logic (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Add L1D MSR based flush (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Add L1D flush algorithm (Paolo Bonzini) [Orabug: 28442418] {CVE-2018-3646}
- x86/KVM/VMX: Add module argument for L1TF mitigation (Konrad Rzeszutek Wilk) [Orabug: 28442418] {CVE-2018-3646} {CVE-2018-3646}
- x86/KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Konrad Rzeszutek Wilk) [Orabug:
28442418] {CVE-2018-3646}
- KVM: X86: Provide a capability to disable PAUSE intercepts (Wanpeng Li) [Orabug: 28442418] {CVE-2018-3646}
- KVM: X86: Provide a capability to disable HLT intercepts (Wanpeng Li) [Orabug: 28442418] {CVE-2018-3646}
- KVM: X86: Provide a capability to disable MWAIT intercepts (Wanpeng Li) [Orabug: 28442418] {CVE-2018-3646}
- cpu/hotplug: Boot HT siblings at least once (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- Revert 'x86/apic: Ignore secondary threads if nosmt=force' (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (Michal Hocko) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (Vlastimil Babka) [Orabug: 28442418] {CVE-2018-3620}
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (Borislav Petkov) [Orabug:
28442418] {CVE-2018-3620}
- x86/cpufeatures: Add detection of L1D cache flush support. (Konrad Rzeszutek Wilk) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Extend 64bit swap file size limit (Vlastimil Babka) [Orabug: 28442418] {CVE-2018-3620}
- x86/apic: Ignore secondary threads if nosmt=force (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/cpu/AMD: Evaluate smp_num_siblings early (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (Borislav Petkov) [Orabug:
28442418] {CVE-2018-3620}
- x86/cpu/intel: Evaluate smp_num_siblings early (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/cpu/topology: Provide detect_extended_topology_early() (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/cpu/common: Provide detect_ht_early() (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/cpu/AMD: Remove the pointless detect_ht() call (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/cpu: Remove the pointless CPU printout (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Provide knobs to control SMT (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Split do_cpu_down() (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- cpu/hotplug: Make bringup/teardown of smp threads symmetric (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/topology: Provide topology_smt_supported() (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- x86/smp: Provide topology_is_primary_thread() (Thomas Gleixner) [Orabug: 28442418] {CVE-2018-3620}
- sched/smt: Update sched_smt_present at runtime (Peter Zijlstra) [Orabug: 28442418] {CVE-2018-3620}
- x86/bugs: Move the l1tf function and define pr_fmt properly (Konrad Rzeszutek Wilk) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Limit swap file size to MAX_PA/2 (Andi Klein) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings (Andi Kleen) [Orabug:
28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Add sysfs reporting for l1tf (Andi Klein) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Make sure the first page is always reserved (Andi Klein) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation (Andi Klein) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Protect swap entries against L1TF (Linus Torvalds) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Change order of offset/type in swap entry (Linus Torvalds) [Orabug: 28442418] {CVE-2018-3620}
- x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT (Andi Klein) [Orabug: 28442418] {CVE-2018-3620}
- x86/mm: Limit mmap() of /dev/mem to valid physical addresses (Craig Bergstrom) [Orabug: 28442418] {CVE-2018-3620} {CVE-2018-3620}
- x86/mm: Prevent non-MAP_FIXED mapping across DEFAULT_MAP_WINDOW border (Kirill A. Shutemov) [Orabug:
28442418] {CVE-2018-3620} {CVE-2018-3620}
- tcp: add tcp_ooo_try_coalesce() helper (Eric Dumazet) [Orabug: 28453849] {CVE-2018-5390}
- tcp: call tcp_drop() from tcp_data_queue_ofo() (Eric Dumazet) [Orabug: 28453849] {CVE-2018-5390}
- tcp: detect malicious patterns in tcp_collapse_ofo_queue() (Eric Dumazet) [Orabug: 28453849] {CVE-2018-5390}
- tcp: avoid collapses in tcp_prune_queue() if possible (Eric Dumazet) [Orabug: 28453849] {CVE-2018-5390}
- tcp: free batches of packets in tcp_prune_ofo_queue() (Eric Dumazet) [Orabug: 28453849] {CVE-2018-5390}
- socket: close race condition between sock_close() and sockfs_setattr() (Cong Wang) [Orabug: 28312496] {CVE-2018-12232}
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size (Shankara Pailoor) [Orabug:
28312514] {CVE-2018-12233}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2018-4195.html

Plugin Details

Severity: Medium

ID: 111725

File Name: oraclelinux_ELSA-2018-4195.nasl

Version: 1.14

Type: local

Agent: unix

Published: 8/15/2018

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.5

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2018-3646

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek-headers, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:perf, p-cpe:/a:oracle:linux:kernel-uek-devel, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:kernel-uek-tools-libs-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:python-perf, p-cpe:/a:oracle:linux:kernel-uek-tools, p-cpe:/a:oracle:linux:kernel-uek-tools-libs, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 8/14/2018

Vulnerability Publication Date: 1/25/2018

Reference Information

CVE: CVE-2018-3620, CVE-2018-3646, CVE-2018-5391