ID CVE-2015-2151
Summary The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.
References
Vulnerable Configurations
  • Fedora 20
    cpe:2.3:o:fedoraproject:fedora:20
  • Fedora 21
    cpe:2.3:o:fedoraproject:fedora:21
  • Fedora 22
    cpe:2.3:o:fedoraproject:fedora:22
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Xen Xen 3.2.0
    cpe:2.3:o:xen:xen:3.2.0
  • Xen Xen 3.2.1
    cpe:2.3:o:xen:xen:3.2.1
  • Xen Xen 3.2.2
    cpe:2.3:o:xen:xen:3.2.2
  • Xen Xen 3.2.3
    cpe:2.3:o:xen:xen:3.2.3
  • Xen 3.3.0
    cpe:2.3:o:xen:xen:3.3.0
  • Xen 3.3.1
    cpe:2.3:o:xen:xen:3.3.1
  • Xen 3.3.2
    cpe:2.3:o:xen:xen:3.3.2
  • Xen 3.4.0
    cpe:2.3:o:xen:xen:3.4.0
  • Xen 3.4.1
    cpe:2.3:o:xen:xen:3.4.1
  • Xen 3.4.2
    cpe:2.3:o:xen:xen:3.4.2
  • Xen 3.4.3
    cpe:2.3:o:xen:xen:3.4.3
  • Xen 3.4.4
    cpe:2.3:o:xen:xen:3.4.4
  • Xen 4.0.0
    cpe:2.3:o:xen:xen:4.0.0
  • Xen 4.0.1
    cpe:2.3:o:xen:xen:4.0.1
  • Xen 4.0.2
    cpe:2.3:o:xen:xen:4.0.2
  • Xen 4.0.3
    cpe:2.3:o:xen:xen:4.0.3
  • Xen 4.0.4
    cpe:2.3:o:xen:xen:4.0.4
  • Xen 4.1.0
    cpe:2.3:o:xen:xen:4.1.0
  • Xen 4.1.1
    cpe:2.3:o:xen:xen:4.1.1
  • Xen 4.1.2
    cpe:2.3:o:xen:xen:4.1.2
  • Xen 4.1.3
    cpe:2.3:o:xen:xen:4.1.3
  • Xen 4.1.4
    cpe:2.3:o:xen:xen:4.1.4
  • Xen 4.1.5
    cpe:2.3:o:xen:xen:4.1.5
  • Xen 4.1.6.1
    cpe:2.3:o:xen:xen:4.1.6.1
  • Xen 4.2.0
    cpe:2.3:o:xen:xen:4.2.0
  • Xen 4.2.1
    cpe:2.3:o:xen:xen:4.2.1
  • Xen 4.2.2
    cpe:2.3:o:xen:xen:4.2.2
  • Xen 4.2.3
    cpe:2.3:o:xen:xen:4.2.3
  • Xen Xen 4.3.0
    cpe:2.3:o:xen:xen:4.3.0
  • Xen 4.3.1
    cpe:2.3:o:xen:xen:4.3.1
  • Xen 4.4.0
    cpe:2.3:o:xen:xen:4.4.0
  • Xen 4.4.0 release candidate 1
    cpe:2.3:o:xen:xen:4.4.0:rc1
  • Xen Xen 4.4.1
    cpe:2.3:o:xen:xen:4.4.1
  • Xen Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
CVSS
Base: 7.2 (as of 23-08-2016 - 14:35)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201604-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 90380
    published 2016-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90380
    title GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_83A2841727E311E5A4A5002590263BF5.NASL
    description The Xen Project reports : Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84708
    published 2015-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84708
    title FreeBSD : xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw (83a28417-27e3-11e5-a4a5-002590263bf5)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0450.NASL
    description From Red Hat Security Advisory 2016:0450 : Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system. (CVE-2013-2596, Important) * It was found that the Xen hypervisor x86 CPU emulator implementation did not correctly handle certain instructions with segment overrides, potentially resulting in a memory corruption. A malicious guest user could use this flaw to read arbitrary data relating to other guests, cause a denial of service on the host, or potentially escalate their privileges on the host. (CVE-2015-2151, Important) This update also fixes the following bugs : * Previously, the CPU power of a CPU group could be zero. As a consequence, a kernel panic occurred at 'find_busiest_group+570' with do_divide_error. The provided patch ensures that the division is only performed if the CPU power is not zero, and the aforementioned panic no longer occurs. (BZ#1209728) * Prior to this update, a bug occurred when performing an online resize of an ext4 file system which had been previously converted from ext3. As a consequence, the kernel crashed. The provided patch fixes online resizing for such file systems by limiting the blockgroup search loop for non-extent files, and the mentioned kernel crash no longer occurs. (BZ#1301100) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 89953
    published 2016-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89953
    title Oracle Linux 5 : kernel (ELSA-2016-0450)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0035.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations (Jan Beulich) (CVE-2015-2151) This is XSA-123
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 81874
    published 2015-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81874
    title OracleVM 2.2 : xen (OVMSA-2015-0035)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3181.NASL
    description Multiple security issues have been found in the Xen virtualisation solution : - CVE-2015-2044 Information leak via x86 system device emulation. - CVE-2015-2045 Information leak in the HYPERVISOR_xen_version() hypercall. - CVE-2015-2151 Missing input sanitising in the x86 emulator could result in information disclosure, denial of service or potentially privilege escalation. In addition the Xen developers reported an unfixable limitation in the handling of non-standard PCI devices. Please refer to for further information.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 81748
    published 2015-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81748
    title Debian DSA-3181-1 : xen - security update
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160315_KERNEL_ON_SL5_X.NASL
    description - An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system. (CVE-2013-2596, Important) - It was found that the Xen hypervisor x86 CPU emulator implementation did not correctly handle certain instructions with segment overrides, potentially resulting in a memory corruption. A malicious guest user could use this flaw to read arbitrary data relating to other guests, cause a denial of service on the host, or potentially escalate their privileges on the host. (CVE-2015-2151, Important) This update also fixes the following bugs : - Previously, the CPU power of a CPU group could be zero. As a consequence, a kernel panic occurred at 'find_busiest_group+570' with do_divide_error. The provided patch ensures that the division is only performed if the CPU power is not zero, and the aforementioned panic no longer occurs. - Prior to this update, a bug occurred when performing an online resize of an ext4 file system which had been previously converted from ext3. As a consequence, the kernel crashed. The provided patch fixes online resizing for such file systems by limiting the blockgroup search loop for non- extent files, and the mentioned kernel crash no longer occurs. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 89957
    published 2016-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89957
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0032.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. (CVE-2015-2151)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 81768
    published 2015-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81768
    title OracleVM 3.2 : xen (OVMSA-2015-0032)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0031.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. (CVE-2015-2151)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 81767
    published 2015-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81767
    title OracleVM 3.3 : xen (OVMSA-2015-0031)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0450.NASL
    description Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system. (CVE-2013-2596, Important) * It was found that the Xen hypervisor x86 CPU emulator implementation did not correctly handle certain instructions with segment overrides, potentially resulting in a memory corruption. A malicious guest user could use this flaw to read arbitrary data relating to other guests, cause a denial of service on the host, or potentially escalate their privileges on the host. (CVE-2015-2151, Important) This update also fixes the following bugs : * Previously, the CPU power of a CPU group could be zero. As a consequence, a kernel panic occurred at 'find_busiest_group+570' with do_divide_error. The provided patch ensures that the division is only performed if the CPU power is not zero, and the aforementioned panic no longer occurs. (BZ#1209728) * Prior to this update, a bug occurred when performing an online resize of an ext4 file system which had been previously converted from ext3. As a consequence, the kernel crashed. The provided patch fixes online resizing for such file systems by limiting the blockgroup search loop for non-extent files, and the mentioned kernel crash no longer occurs. (BZ#1301100) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 89956
    published 2016-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89956
    title RHEL 5 : kernel (RHSA-2016:0450)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0613-1.NASL
    description The XEN hypervisor received updates to fix various security issues and bugs. The following security issues were fixed : - CVE-2015-2151: XSA-123: A hypervisor memory corruption due to x86 emulator flaw. - CVE-2015-2045: XSA-122: Information leak through version information hypercall. - CVE-2015-2044: XSA-121: Information leak via internal x86 system device emulation. - CVE-2015-2152: XSA-119: HVM qemu was unexpectedly enabling emulated VGA graphics backends. - CVE-2014-3615: Information leakage when guest sets high graphics resolution. - CVE-2015-0361: XSA-116: A xen crash due to use after free on hvm guest teardown. - CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation. Also the following bugs were fixed : - bnc#919098 - XEN blktap device intermittently fails to connect - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus - bnc#903680 - Problems with detecting free loop devices on Xen guest startup - bnc#861318 - xentop reports 'Found interface vif101.0 but domain 101 does not exist.' - Update seabios to rel-1.7.3.1 which is the correct version for Xen 4.4 - Enhancement to virsh/libvirtd 'send-key' command The xen side small fix. (FATE#317240) - bnc#901488 - Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - bnc#910254 - SLES11 SP3 Xen VT-d igb NIC doesn't work - Add domain_migrate_constraints_set API to Xend's http interface (FATE#317239) - Restore missing fixes from block-dmmd script - bnc#904255 - XEN boot hangs in early boot on UEFI system - bsc#912011 - high ping latency after upgrade to latest SLES11SP3 on xen Dom0 - Fix missing banner by restoring the figlet program. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83707
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83707
    title SUSE SLED12 / SLES12 Security Update : Xen (SUSE-SU-2015:0613-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0248.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111992
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111992
    title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0450.NASL
    description Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system. (CVE-2013-2596, Important) * It was found that the Xen hypervisor x86 CPU emulator implementation did not correctly handle certain instructions with segment overrides, potentially resulting in a memory corruption. A malicious guest user could use this flaw to read arbitrary data relating to other guests, cause a denial of service on the host, or potentially escalate their privileges on the host. (CVE-2015-2151, Important) This update also fixes the following bugs : * Previously, the CPU power of a CPU group could be zero. As a consequence, a kernel panic occurred at 'find_busiest_group+570' with do_divide_error. The provided patch ensures that the division is only performed if the CPU power is not zero, and the aforementioned panic no longer occurs. (BZ#1209728) * Prior to this update, a bug occurred when performing an online resize of an ext4 file system which had been previously converted from ext3. As a consequence, the kernel crashed. The provided patch fixes online resizing for such file systems by limiting the blockgroup search loop for non-extent files, and the mentioned kernel crash no longer occurs. (BZ#1301100) All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 89968
    published 2016-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89968
    title CentOS 5 : kernel (CESA-2016:0450)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-434.NASL
    description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn't display disk statistics for VMs using qdisks - boo#919098: L3: XEN blktap device intermittently fails to connect - boo#882089: Windows 2012 R2 fails to boot up with greater than 60 vcpus - boo#903680: Problems with detecting free loop devices on Xen guest startup - boo#861318: xentop reports 'Found interface vif101.0 but domain 101 does not exist.' - boo#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work - boo#912011: high ping latency after upgrade to latest SLES11SP3 on xen Dom0 - boo#906689: let systemd schedule xencommons after network-online.target and remote-fs.target so that xendomains has access to remote shares The following functionality was enabled or enhanced : - Enable spice support in qemu for x86_64 - Add Qxl vga support - Enhancement to virsh/libvirtd 'send-key' command (FATE#317240) - Add domain_migrate_constraints_set API to Xend's http interface (FATE#317239)
    last seen 2019-02-21
    modified 2015-10-22
    plugin id 84333
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84333
    title openSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0744-1.NASL
    description The Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83717
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83717
    title SUSE SLES10 Security Update : Xen (SUSE-SU-2015:0744-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0745-1.NASL
    description The Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83718
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83718
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0745-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-3721.NASL
    description HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] Information leak via internal x86 system device emulation, Information leak through version information hypercall Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 82051
    published 2015-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82051
    title Fedora 20 : xen-4.3.3-12.fc20 (2015-3721)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-3944.NASL
    description Additional patch for XSA-98 on arm64 HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] enable building pngs from fig files which is working again, fix oxenstored.service preset preuninstall script, arm: vgic: incorrect rate limiting of guest triggered logging, Information leak via internal x86 system device emulation, Information leak through version information hypercall Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 82054
    published 2015-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82054
    title Fedora 21 : xen-4.4.1-16.fc21 (2015-3944)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_XEN-201503-150330.NASL
    description The Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : - XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. (CVE-2015-2756) - XSA-125: Long latency MMIO mapping operations were not preemptible. - XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. (CVE-2015-2151) - XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. (CVE-2015-2045) - XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. (CVE-2015-2044) Also fixed : - Fully virtualized guest install from network source failed with 'cannot find guest domain' in XEN. (bsc#919341)
    last seen 2019-02-21
    modified 2015-04-22
    plugin id 82990
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82990
    title SuSE 11.3 Security Update : Xen (SAT Patch Number 10560)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0746-1.NASL
    description The Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Also fixed : Regular crashes of dom-0 on different servers due to races in MCE access were fixed. bsc#907755 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83719
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83719
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0746-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-314.NASL
    description Xen was updated to 4.3.4 to fix multiple vulnerabities and non-security bugs. The following vulnerabilities were fixed : - Long latency MMIO mapping operations are not preemptible (XSA-125 CVE-2015-2752 bnc#922705) - Unmediated PCI command register access in qemu (XSA-126 CVE-2015-2756 bnc#922706) - Hypervisor memory corruption due to x86 emulator flaw (bnc#919464 CVE-2015-2151 XSA-123) - Information leak through version information hypercall (bnc#918998 CVE-2015-2045 XSA-122) - Information leak via internal x86 system device emulation (bnc#918995 (CVE-2015-2044 XSA-121) - HVM qemu unexpectedly enabling emulated VGA graphics backends (bnc#919663 CVE-2015-2152 XSA-119) - information leakage when guest sets high resolution (bnc#895528 CVE-2014-3615) The following non-security bugs were fixed : - L3: XEN blktap device intermittently fails to connect (bnc#919098) - Problems with detecting free loop devices on Xen guest startup (bnc#903680) - xentop reports 'Found interface vif101.0 but domain 101 does not exist.' (bnc#861318) - Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores (bnc#901488) - SLES11 SP3 Xen VT-d igb NIC doesn't work (bnc#910254)
    last seen 2019-02-21
    modified 2015-04-21
    plugin id 82907
    published 2015-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82907
    title openSUSE Security Update : xen (openSUSE-2015-314)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0068.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 84140
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84140
    title OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0747-1.NASL
    description The Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Also fixed : Fully virtualized guest install from network source failed with 'cannot find guest domain' in XEN. (bsc#919341) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83720
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83720
    title SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:0747-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-3935.NASL
    description Additional patch for XSA-98 on arm64 HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] Information leak via internal x86 system device emulation, Information leak through version information hypercall, fix a typo in xen.fedora.systemd.patch Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 81987
    published 2015-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81987
    title Fedora 22 : xen-4.5.0-6.fc22 (2015-3935)
redhat via4
advisories
bugzilla
id 1196274
title CVE-2015-2151 xen: hypervisor memory corruption due to x86 emulator flaw (xsa123)
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment kernel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450010
      • comment kernel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314003
    • AND
      • comment kernel-PAE is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450022
      • comment kernel-PAE is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314021
    • AND
      • comment kernel-PAE-devel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450024
      • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314023
    • AND
      • comment kernel-debug is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450008
      • comment kernel-debug is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314015
    • AND
      • comment kernel-debug-devel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450016
      • comment kernel-debug-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314009
    • AND
      • comment kernel-devel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450004
      • comment kernel-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314007
    • AND
      • comment kernel-doc is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450002
      • comment kernel-doc is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314025
    • AND
      • comment kernel-headers is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450006
      • comment kernel-headers is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314005
    • AND
      • comment kernel-kdump is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450018
      • comment kernel-kdump is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314017
    • AND
      • comment kernel-kdump-devel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450020
      • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314019
    • AND
      • comment kernel-xen is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450014
      • comment kernel-xen is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314011
    • AND
      • comment kernel-xen-devel is earlier than 0:2.6.18-409.el5
        oval oval:com.redhat.rhsa:tst:20160450012
      • comment kernel-xen-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314013
rhsa
id RHSA-2016:0450
released 2016-03-15
severity Important
title RHSA-2016:0450: kernel security update (Important)
rpms
  • kernel-0:2.6.18-409.el5
  • kernel-PAE-0:2.6.18-409.el5
  • kernel-PAE-devel-0:2.6.18-409.el5
  • kernel-debug-0:2.6.18-409.el5
  • kernel-debug-devel-0:2.6.18-409.el5
  • kernel-devel-0:2.6.18-409.el5
  • kernel-doc-0:2.6.18-409.el5
  • kernel-headers-0:2.6.18-409.el5
  • kernel-kdump-0:2.6.18-409.el5
  • kernel-kdump-devel-0:2.6.18-409.el5
  • kernel-xen-0:2.6.18-409.el5
  • kernel-xen-devel-0:2.6.18-409.el5
refmap via4
bid 73015
confirm
debian DSA-3181
fedora
  • FEDORA-2015-3721
  • FEDORA-2015-3935
  • FEDORA-2015-3944
gentoo GLSA-201604-03
sectrack
  • 1031806
  • 1031903
suse openSUSE-SU-2015:0732
Last major update 02-01-2017 - 21:59
Published 12-03-2015 - 10:59
Last modified 30-10-2018 - 12:26
Back to Top