Detections
Analytics

OracleVM 3.3 / 3.4 : microcode_ctl (OVMSA-2020-0026) (Spectre)

medium Nessus Plugin ID 137739

Language:

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - update 06-2d-07 to 0x71a

 - update 06-55-04 to 0x2006906

 - update 06-55-07 to 0x5002f01

 - merge Oracle changes for early load via dracut

 - enable late load on install for UEK4 kernels marked safe (except BDW-79)

 - set early_microcode='no' in virtualized guests to avoid early load bugs [Orabug: 30618737]

 - Update Intel CPU microcode to microcode-20200602 release, addresses CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1795353, #1795357, #1827186) :

 - Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28

- Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e up to 0x2f

- Update of 06-45-01/0x72 (HSW-U C0/D0) microcode from revision 0x25 up to 0x26

- Update of 06-46-01/0x32 (HSW-H C0) microcode from revision 0x1b up to 0x1c

- Update of 06-47-01/0x22 (BDW-H/Xeon E3 E0/G0) microcode from revision 0x21 up to 0x22

- Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xd6 up to 0xdc

- Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000151 up to 0x1000157

- Update of 06-55-04/0xb7 (SKX-SP H0/M0/U0, SKX-D M1) microcode (in intel-06-55-04/intel-ucode/06-55-04) from revision 0x2000065 up to 0x2006906

- Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x400002c up to 0x4002f01

- Update of 06-55-07/0xbf (CLX-SP B1) microcode from revision 0x500002c up to 0x5002f01

- Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6 up to 0xdc

- Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca up to 0xd6

- Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca up to 0xd6

- Update of 06-8e-0a/0xc0 (CFL-U43e D0) microcode from revision 0xca up to 0xd6

- Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xca up to 0xd6

- Update of 06-8e-0c/0x94 (AML-Y42 V0, CML-Y42 V0, WHL-U V0) microcode from revision 0xca up to 0xd6

- Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode from revision 0xca up to 0xd6

- Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E3 U0) microcode from revision 0xca up to 0xd6

- Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xca up to 0xd6

- Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca up to 0xd6

- Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6.

 - Update Intel CPU microcode to microcode-20200520 release (#1839193) :

 - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f up to 0x621

- Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718 up to 0x71a

- Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46 up to 0x78.

 - Narrow down SKL-SP/W/X blacklist to exclude Server/FPGA/Fabric segment models (#1835555).

 - Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 by default (#1774635).

 - Update Intel CPU microcode to microcode-20191115 release :

 - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6

- Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 up to 0xd6

- Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca

- Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca

- Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca

- Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca

- Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision 0xc6 up to 0xca

- Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 up to 0xca

- Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca

- Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca

- Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca

- Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca

- Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca.

 - Update Intel CPU microcode to microcode-20191113 release :

 - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6.

 - Drop 0001-releasenote-changes-summary-fixes.patch.

 - Package the publicy available microcode-20191112 release (#1755021) :

 - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d

- Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c

- Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16

- Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 up to 0x1000151

- Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision 0x2000064 up to 0x2000065

- Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b up to 0x500002c

- Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32

- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release.

 - Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch).

 - Update README.caveats with the link to the new Knowledge Base article.

 - Fix the incorrect 'Source2:' tag.

 - Intel CPU microcode update to 20191112, addresses CVE-2017-5715, CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764049, #1764062, #1764953,

 - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6

- Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a

- Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150

- Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46

- Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4

- Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc to 0xd4

 - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6

- Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6

- Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4 to 0xc6

- Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6

- Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6

- Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6

- Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6

- Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6

- Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4 to 0xc6

- Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4 to 0xc6

- Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6

- Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6.

 - Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 by default (#1758382).

 - Revert more strict model check code, as it requires request_firmware-based microcode loading mechanism and breaks enabling of microcode with caveats.

 - Intel CPU microcode update to 20190918 (#1753540).

 - Intel CPU microcode update to 20190618 (#1717238).

 - Remove disclaimer, as it is not as important now to justify kmsg/log pollution its contents are partially adopted in README.caveats.

 - Intel CPU microcode update to 20190514a (#1711938).

 - Intel CPU microcode update to 20190507_Public_DEMO (#1697960).

 - Intel CPU microcode update to 20190312 (#1697960).

 - Fix disclaimer path in %post script.

 - Fix installation path for the disclaimer file.

 - Add README.caveats documentation file.

 - Use check_caveats from the RHEL 7 package in order to support overrides.

 - Disable 06-4f-01 microcode in config (#1622180).

 - Intel CPU microcode update to 20180807a (#1614427).

 - Add check for minimal microcode version to reload_microcode.

 - Intel CPU microcode update to 20180807.

 - Resolves: #1614427.

 - Intel CPU microcode update to 20180703

 - Add infrastructure for handling kernel-version-dependant microcode

 - Resolves: #1574593

 - Intel CPU microcode update to 20180613.

 - Resolves: #1573451

 - Update AMD microcode to 2018-05-24

 - Resolves: #1584192

 - Update AMD microcode

 - Resolves: #1574591

 - Update disclaimer text

 - Resolves: #1574588

 - Intel CPU microcode update to 20180425.

 - Resolves: #1574588

 - Revert Microcode from Intel and AMD for Side Channel attack

 - Resolves: #1533941

 - Update microcode data file to 20180108 revision.

 - Resolves: #1527354

 - Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04

 - Add amd microcode_amd_fam17h.bin data file

 - Resolves: #1527354

 - Update microcode data file to 20170707 revision.

 - Resolves: #1465143

 - Revert microcode_amd_fam15h.bin to version from amd-ucode-2012-09-10

 - Resolves: #1322525

 - Update microcode data file to 20161104 revision.

 - Add workaround for E5-26xxv4

 - Resolves: #1346045

 - Update microcode data file to 20160714 revision.

 - Resolves: #1346045

 - Update amd microcode data file to amd-ucode-2013-11-07

 - Resolves: #1322525

 - Update microcode data file to 20151106 revision.

 - Resolves: #1244968

 - Remove bad file permissions on /lib/udev/rules.d/89-microcode.rules

 - Resolves: #1201276

 - Update microcode data file to 20150121 revision.

 - Resolves: #1123992

 - Update microcode data file to 20140624 revision.

 - Resolves: #1113394

 - Update microcode data file to 20140430 revision.

 - Resolves: #1036240

Solution

Update the affected microcode_ctl package.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2020-June/000988.html

https://oss.oracle.com/pipermail/oraclevm-errata/2020-June/000986.html

Plugin Details

Severity: Medium

ID: 137739

File Name: oraclevm_OVMSA-2020-0026.nasl

Version: 1.6

Type: local

Published: 6/23/2020

Updated: 3/6/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.6

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-0549

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2019-11135

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:microcode_ctl, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/22/2020

Vulnerability Publication Date: 1/4/2018

Reference Information

CVE: CVE-2017-5715, CVE-2019-0117, CVE-2019-11135, CVE-2019-11139, CVE-2020-0543, CVE-2020-0548, CVE-2020-0549