
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN089
_____________________________________________________________________

DATE                : 18/05/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Oracle VM,
                     Oracle VM VirtualBox,
                     Oracle Linux,
                     Oracle Virtual Compute Appliance,
                     Oracle Database Appliance,
                     Oracle Exadata Database Machine,
                     Oracle Exalogic Elastic Cloud,
                     Oracle Exalytics In-Memory Machine.

======================================================================
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
______________________________________________________________________


Security Alert CVE-2015-3456 Released
By Eric P. Maurice-Oracle on May 15, 2015

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2015-3456 to address the
recently publicly disclosed VENOM vulnerability, which affects various
virtualization platforms. This vulnerability results from a buffer
overflow in QEMU's virtual Floppy Disk Controller (FDC).

While the vulnerability is not remotely exploitable without
authentication, its successful exploitation could provide a malicious
attacker who has privileges to access the FDC on a guest operating
system with the ability to completely take over the targeted host
system. As a result, successful exploitation of the vulnerability can
allow a malicious attacker to escape the confines of the virtual
environment for which he/she had privileges. This vulnerability has
received a CVSS Base Score of 6.2.

Oracle has decided to issue this Security Alert based on a number of
factors, including the potential impact of a successful exploitation of
this vulnerability, the amount of detailed information publicly
available about this flaw, and initial reports of exploit code already
“in the wild.” Oracle further recommends that customers apply the
relevant fixes as soon as they become available.

Oracle has also published a list of Oracle products that may be
affected by this vulnerability. This list will be updated as fixes
become available.

The Oracle Security and Development teams are also working with the
Oracle Cloud teams to ensure that the Oracle Cloud teams can evaluate
these fixes as they become available and be able to apply the relevant
patches in accordance with applicable change management processes in
these organizations.

For More Information:

The Security Alert Advisory is located at
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html

The list of Oracle products that may be affected by this vulnerability
is published at
http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html
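The C model below is added by the editor of this page; it is not code from the Oracle alert, from CERT-Renater, or from QEMU. It illustrates the bug class the alert describes as "a buffer overflow in the FDC": the guest feeds command and parameter bytes into a fixed-size FIFO owned by the host-side device emulator, and one command path returns without resetting the write index, so a guest that repeats that command walks the index off the end of the buffer. The hardened variant shows the two fixes a reviewer would ask for, bounding the index (the approach the upstream QEMU fix took) and restoring the missing reset. The buffer length, the two opcodes and the parameter count are assumptions chosen for the model, not the real controller's values, and the vulnerable path records the out-of-bounds write instead of performing it so the model is safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the VENOM bug class. Not QEMU's code; sizes and
 * opcodes below are assumptions chosen for the illustration. */
#define FIFO_LEN 512u                 /* fixed buffer the host emulator owns */
enum { CMD_NORMAL = 0x01,             /* opcode + 8 parameter bytes, then reset */
       CMD_STICKY = 0x02 };           /* buggy path: handler never resets the index */
#define CMD_NORMAL_PARAMS 8u

struct fdc_model {
    uint8_t fifo[FIFO_LEN];
    size_t  data_pos;        /* index the guest's next write lands at */
    size_t  params_left;     /* parameter bytes still expected for the command */
    bool    overflowed;      /* model bookkeeping: a write targeted fifo[>= FIFO_LEN] */
};

static void fdc_reset_fifo(struct fdc_model *m)
{
    m->data_pos = 0;
    m->params_left = 0;
}

/* Command handling shared by both write paths; `fixed` selects the
 * corrected CMD_STICKY handler that resets the FIFO. */
static void fdc_dispatch(struct fdc_model *m, uint8_t value, bool fixed)
{
    if (m->params_left > 0) {            /* parameter byte of the current command */
        if (--m->params_left == 0)
            fdc_reset_fifo(m);           /* command complete: start over at 0 */
        return;
    }
    switch (value) {                     /* otherwise the byte is an opcode */
    case CMD_NORMAL:
        m->params_left = CMD_NORMAL_PARAMS;
        break;
    case CMD_STICKY:
        if (fixed)
            fdc_reset_fifo(m);           /* the reset the buggy handler lacks */
        break;                           /* buggy path: data_pos keeps its value */
    default:
        fdc_reset_fifo(m);               /* unknown opcode: discard */
        break;
    }
}

/* Vulnerable write path: the guest-advanced index is used with no bound. */
static void fdc_write_vulnerable(struct fdc_model *m, uint8_t value)
{
    size_t pos = m->data_pos++;
    if (pos >= FIFO_LEN) {
        m->overflowed = true;            /* a real device model would corrupt
                                            heap memory past fifo[] here */
        return;
    }
    m->fifo[pos] = value;
    fdc_dispatch(m, value, false);
}

/* Hardened write path: index forced in bounds, every command path resets. */
static void fdc_write_hardened(struct fdc_model *m, uint8_t value)
{
    size_t pos = m->data_pos++ % FIFO_LEN;
    m->fifo[pos] = value;
    fdc_dispatch(m, value, true);
}

/* Drive the model with n repetitions of CMD_STICKY from the "guest".
 * Returns true if any write targeted an index outside fifo[]. */
bool fdc_sticky_flood_overflows(bool hardened, size_t n)
{
    struct fdc_model m;
    memset(&m, 0, sizeof m);
    for (size_t i = 0; i < n; i++) {
        if (hardened) fdc_write_hardened(&m, CMD_STICKY);
        else          fdc_write_vulnerable(&m, CMD_STICKY);
    }
    return m.overflowed;
}

/* A well-formed command (opcode plus its parameters) must leave data_pos
 * at 0 on both paths; constructed sample command with all-zero parameters. */
size_t fdc_data_pos_after_normal_command(bool hardened)
{
    struct fdc_model m;
    memset(&m, 0, sizeof m);
    uint8_t cmd[1 + CMD_NORMAL_PARAMS] = { CMD_NORMAL };
    for (size_t i = 0; i < sizeof cmd; i++) {
        if (hardened) fdc_write_hardened(&m, cmd[i]);
        else          fdc_write_vulnerable(&m, cmd[i]);
    }
    return m.data_pos;
}
```

The point of the model is that the write index is the only thing standing between guest-supplied bytes and host memory: once a single handler forgets to reset it, 513 one-byte writes of that opcode are enough to reach past a 512-byte buffer, which is why the alert treats a guest with plain FDC access as able to attack the host.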


_________________________________________________________________________


"Venom" Vulnerability - CVE-2015-3456

PURPOSE

The purpose of this document is to list Oracle products that include
QEMU in their distribution, either directly or via inclusion of a
component that includes QEMU, and to document their current status with
respect to the publicly disclosed vulnerability CVE-2015-3456.

Specifically, this document will list:  (1) Oracle products that are
likely vulnerable to CVE-2015-3456 and have fixes available from
Oracle, and (2) Oracle products that are likely vulnerable to
CVE-2015-3456 but for which no fixes are currently available.

Oracle has assessed the impact of vulnerability CVE-2015-3456 only
against product versions that are covered under the Premier Support or
Extended Support phases of the Lifetime Support Policy.  Oracle has not
assessed the impact of this vulnerability against products that are no
longer supported by Oracle. When product versions for a given product
are not specifically listed in this document, it implies all those
versions for that product which are currently supported by Oracle.

DETAILS

Background

Vulnerabilities affecting QEMU were publicly disclosed. The Oracle
Global Product Security and Development teams are investigating the
inclusion of QEMU in Oracle products and will provide mitigation
instructions when available for these affected Oracle products. For
additional details, see the Oracle Security Alert for CVE-2015-3456.


Below is the list of affected products and mitigation instructions as
of May 15, 2015 at 01:00 PM Pacific.

1.0 Oracle products that are likely vulnerable to CVE-2015-3456 and
have fixes currently available

Global Product Security has determined that the following 4 Oracle
products include in their distributions QEMU versions that have been
reported as vulnerable to CVE-2015-3456. Oracle has issued fixes for
these products per the table below. Refer to the individual Patch
Availability Documents for information regarding the specific CVEs
addressed.

Patch availability information is provided only for product versions
that are covered under the Premier Support or Extended Support phases
of the Lifetime Support Policy. Oracle recommends that customers remain
on actively supported versions to ensure that they continue to receive
security fixes from Oracle.

Patch Availability Table

Affected Product                                       Patch Availability
Oracle Linux [Product ID 1903]                         MOS note 2010871.1
Oracle Virtual Compute Appliance [Product ID 10635]    MOS note 2010871.1
Oracle VM [Product ID 4455]                            MOS note 2010871.1
Oracle VM VirtualBox [Product ID 8370]                 MOS note 2010871.1


2.0 Oracle products that are likely vulnerable to CVE-2015-3456 but for
which no fixes are yet available

Global Product Security has determined that the following 4 Oracle
products include QEMU in at least one distributed version and thus are
potentially subject to CVE-2015-3456, but do not yet have fixes
available. Note that Oracle has published My Oracle Support Note
2010538.1 to provide information related to Oracle’s handling of Linux
security fixes prior to their availability on Oracle-engineered systems.

    Oracle Database Appliance [Product ID 9435]
    Oracle Exadata Database Machine [Product ID 2546]
    Oracle Exalogic Elastic Cloud [Product ID 9415]
    Oracle Exalytics In-Memory Machine [Product ID 9736]



=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
