Vulnerabilites related to xen - xen
cve-2018-15468
Vulnerability from cvelistv5
Published
2018-08-17 17:00
Modified
2024-08-05 09:54
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-269.html | x_refsource_MISC | |
https://security.gentoo.org/glsa/201810-06 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T09:54:03.455Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-269.html" }, { "name": "GLSA-201810-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201810-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-08-17T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-31T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/advisory-269.html" }, { "name": "GLSA-201810-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201810-06" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-15468", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-269.html", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/advisory-269.html" }, { "name": "GLSA-201810-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201810-06" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-15468", "datePublished": "2018-08-17T17:00:00", "dateReserved": "2018-08-17T00:00:00", "dateUpdated": "2024-08-05T09:54:03.455Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28694
Vulnerability from cvelistv5
Published
2021-08-27 18:46
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-378.txt | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2021/09/01/1 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2021/09/01/5 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2021/09/01/6 | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2021/dsa-4977 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202208-23 | vendor-advisory, x_refsource_GENTOO |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.139Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-378.txt" }, { "name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/1" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/5" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/6" }, { "name": "FEDORA-2021-4f129cc0c1", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.11.x" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "xen-unstable" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.12.x" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.14.x" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.15.x" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.13.x" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn\u0027t have access to anymore (CVE-2021-28696)." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-14T20:11:57", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-378.txt" }, { "name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/1" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/5" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/09/01/6" }, { "name": "FEDORA-2021-4f129cc0c1", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2021-28694", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.11.x" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "xen-unstable" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.12.x" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.14.x" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.15.x" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.13.x" } ] } } ] }, "vendor_name": "Xen" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "The vulnerability is only exploitable by guests granted access to\nphysical devices (ie, via PCI passthrough).\n\nAll versions of Xen are affected.\n\nOnly x86 systems with IOMMUs and with firmware specifying memory regions\nto be identity mapped are affected. Other x86 systems are not affected.\n\nWhether a particular system whose ACPI tables declare such memory\nregion(s) is actually affected cannot be known without knowing when\nand/or how these regions are used. For example, if these regions were\nused only during system boot, there would not be any vulnerability.\nThe necessary knowledge can only be obtained from, collectively, the\nhardware and firmware manufacturers.\n\nOn Arm hardware IOMMU use is not security supported. Accordingly, we\nhave not undertaken an analysis of these issues for Arm systems." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Jan Beulich of SUSE." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn\u0027t have access to anymore (CVE-2021-28696)." } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-378.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-378.txt" }, { "name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/09/01/1" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/09/01/5" }, { "name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/09/01/6" }, { "name": "FEDORA-2021-4f129cc0c1", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-23" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "Not permitting untrusted guests access to phsyical devices will avoid\nthe vulnerability.\n\nLikewise, limiting untrusted guest access to physical devices whose\nfirmware-provided ACPI tables declare identity mappings, will avoid\nthe vulnerability. (Provided that there are no identity mapped\nregions which are specified by the ACPI tables to apply globally.)\n\nNote that a system is still vulnerable if a guest was trusted, while\nit had such a device assigned, and then has the device removed in\nanticipation of the guest becoming untrusted (because of, for example,\nthe insertion of an untrusted kernel module)," } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2021-28694", "datePublished": "2021-08-27T18:46:32", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.139Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8341
Vulnerability from cvelistv5
Published
2015-12-17 19:00
Modified
2024-08-06 08:13
Severity ?
EPSS score ?
Summary
The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains.
References
▼ | URL | Tags |
---|---|---|
http://www.debian.org/security/2016/dsa-3519 | vendor-advisory, x_refsource_DEBIAN | |
http://xenbits.xen.org/xsa/advisory-160.html | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1034389 | vdb-entry, x_refsource_SECTRACK | |
https://security.gentoo.org/glsa/201604-03 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:13:32.258Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-160.html" }, { "name": "1034389", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034389" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-12-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-160.html" }, { "name": "1034389", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034389" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8341", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3519", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "http://xenbits.xen.org/xsa/advisory-160.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-160.html" }, { "name": "1034389", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034389" }, { "name": "GLSA-201604-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201604-03" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8341", "datePublished": "2015-12-17T19:00:00", "dateReserved": "2015-11-25T00:00:00", "dateUpdated": "2024-08-06T08:13:32.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-1895
Vulnerability from cvelistv5
Published
2014-04-01 01:00
Modified
2024-08-06 09:58
Severity ?
EPSS score ?
Summary
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read.
References
▼ | URL | Tags |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html | vendor-advisory, x_refsource_SUSE | |
http://security.gentoo.org/glsa/glsa-201407-03.xml | vendor-advisory, x_refsource_GENTOO | |
http://xenbits.xen.org/xsa/advisory-85.html | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2014/02/07/12 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2014/02/10/6 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:15.560Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "SUSE-SU-2014:0373", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "GLSA-201407-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-85.html" }, { "name": "[oss-security] 20140207 Re: Xen Security Advisory 84 - integer overflow in several XSM/Flask hypercalls", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/02/07/12" }, { "name": "[oss-security] 20140210 Xen Security Advisory 85 (CVE-2014-1895) - Off-by-one error in FLASK_AVC_CACHESTAT hypercall", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/02/10/6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-02-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-01-04T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "SUSE-SU-2014:0373", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "GLSA-201407-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-85.html" }, { "name": "[oss-security] 20140207 Re: Xen Security Advisory 84 - integer overflow in several XSM/Flask hypercalls", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/02/07/12" }, { "name": "[oss-security] 20140210 Xen Security Advisory 85 (CVE-2014-1895) - Off-by-one error in FLASK_AVC_CACHESTAT hypercall", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/02/10/6" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1895", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "SUSE-SU-2014:0373", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "GLSA-201407-03", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "name": "http://xenbits.xen.org/xsa/advisory-85.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-85.html" }, { "name": "[oss-security] 20140207 Re: Xen Security Advisory 84 - integer overflow in several XSM/Flask hypercalls", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/02/07/12" }, { "name": "[oss-security] 20140210 Xen Security Advisory 85 (CVE-2014-1895) - Off-by-one error in FLASK_AVC_CACHESTAT hypercall", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/02/10/6" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1895", "datePublished": "2014-04-01T01:00:00", "dateReserved": "2014-02-07T00:00:00", "dateUpdated": "2024-08-06T09:58:15.560Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19964
Vulnerability from cvelistv5
Published
2018-12-08 04:00
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-277.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/106182 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:51:17.909Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-277.html" }, { "name": "106182", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106182" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-12-07T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-12-13T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-277.html" }, { "name": "106182", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106182" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19964", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-277.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-277.html" }, { "name": "106182", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106182" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19964", "datePublished": "2018-12-08T04:00:00", "dateReserved": "2018-12-07T00:00:00", "dateUpdated": "2024-08-05T11:51:17.909Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45819
Vulnerability from cvelistv5
Published
2024-12-19 12:00
Modified
2024-12-31 18:57
Severity ?
EPSS score ?
Summary
PVH guests have their ACPI tables constructed by the toolstack. The
construction involves building the tables in local memory, which are
then copied into guest memory. While actually used parts of the local
memory are filled in correctly, excess space that is being allocated is
left with its prior contents.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-12-19T12:04:50.065Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2024/11/12/1" }, { "url": "http://xenbits.xen.org/xsa/advisory-464.html" }, { "url": "http://www.openwall.com/lists/oss-security/2024/11/12/10" }, { "url": "http://www.openwall.com/lists/oss-security/2024/11/12/7" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-45819", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-31T18:56:31.915960Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-31T18:57:41.513Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-464" } ] } ], "configurations": [ { "lang": "en", "value": "Xen versions 4.8 and onwards are vulnerable. Xen 4.7 and older are not\nvulnerable.\n\nOnly x86 systems running PVH guests are vulnerable. Architectures other\nthan x86 are not vulnerable.\n\nOnly PVH guests can leverage the vulnerability. HVM and PV guests\ncannot leverage the vulnerability. Note that PV guests when run inside\nthe (PVH) shim can\u0027t leverage the vulnerability." } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by Jason Andryuk of AMD." } ], "datePublic": "2024-11-12T12:00:00Z", "descriptions": [ { "lang": "en", "value": "PVH guests have their ACPI tables constructed by the toolstack. The\nconstruction involves building the tables in local memory, which are\nthen copied into guest memory. While actually used parts of the local\nmemory are filled in correctly, excess space that is being allocated is\nleft with its prior contents." } ], "impacts": [ { "descriptions": [ { "lang": "en", "value": "An unprivileged guest may be able to access sensitive information\npertaining to the host, control domain, or other guests." } ] } ], "providerMetadata": { "dateUpdated": "2024-12-19T12:00:50.271Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-464.html" } ], "title": "libxl leaks data to PVH guests via ACPI tables", "workarounds": [ { "lang": "en", "value": "Running only PV or HVM guests will avoid this vulnerability." } ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2024-45819", "datePublished": "2024-12-19T12:00:50.271Z", "dateReserved": "2024-09-09T14:43:11.826Z", "dateUpdated": "2024-12-31T18:57:41.513Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8555
Vulnerability from cvelistv5
Published
2016-04-13 15:00
Modified
2024-08-06 08:20
Severity ?
EPSS score ?
Summary
Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html | x_refsource_CONFIRM | |
http://www.debian.org/security/2016/dsa-3519 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securitytracker.com/id/1034477 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/79543 | vdb-entry, x_refsource_BID | |
http://xenbits.xen.org/xsa/advisory-165.html | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201604-03 | vendor-advisory, x_refsource_GENTOO | |
http://support.citrix.com/article/CTX203879 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:20:43.162Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "1034477", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034477" }, { "name": "79543", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/79543" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-165.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX203879" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "1034477", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034477" }, { "name": "79543", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/79543" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-165.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX203879" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8555", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "1034477", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034477" }, { "name": "79543", "refsource": "BID", "url": "http://www.securityfocus.com/bid/79543" }, { "name": "http://xenbits.xen.org/xsa/advisory-165.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-165.html" }, { "name": "GLSA-201604-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "http://support.citrix.com/article/CTX203879", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX203879" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8555", "datePublished": "2016-04-13T15:00:00", "dateReserved": "2015-12-14T00:00:00", "dateUpdated": "2024-08-06T08:20:43.162Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2271
Vulnerability from cvelistv5
Published
2016-02-19 16:00
Modified
2024-08-05 23:24
Severity ?
EPSS score ?
Summary
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.
References
▼ | URL | Tags |
---|---|---|
http://www.debian.org/security/2016/dsa-3519 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177990.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178518.html | vendor-advisory, x_refsource_FEDORA | |
http://www.securitytracker.com/id/1035043 | vdb-entry, x_refsource_SECTRACK | |
http://xenbits.xen.org/xsa/advisory-170.html | x_refsource_CONFIRM | |
http://support.citrix.com/article/CTX209443 | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201604-03 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:24:48.528Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "FEDORA-2016-e48f4bd14f", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177990.html" }, { "name": "FEDORA-2016-f8121efdac", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178518.html" }, { "name": "1035043", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035043" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-170.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX209443" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-07T00:00:00", "descriptions": [ { "lang": "en", "value": "VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "FEDORA-2016-e48f4bd14f", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177990.html" }, { "name": "FEDORA-2016-f8121efdac", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178518.html" }, { "name": "1035043", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035043" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-170.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX209443" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2271", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3519", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "FEDORA-2016-e48f4bd14f", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177990.html" }, { "name": "FEDORA-2016-f8121efdac", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178518.html" }, { "name": "1035043", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035043" }, { "name": "http://xenbits.xen.org/xsa/advisory-170.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-170.html" }, { "name": "http://support.citrix.com/article/CTX209443", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX209443" }, { "name": "GLSA-201604-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201604-03" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2271", "datePublished": "2016-02-19T16:00:00", "dateReserved": "2016-02-09T00:00:00", "dateUpdated": "2024-08-05T23:24:48.528Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15565
Vulnerability from cvelistv5
Published
2020-07-07 12:25
Modified
2024-08-04 13:22
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-321.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2020/07/07/4 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4723 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/ | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202007-02 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:22:29.188Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-321.html" }, { "name": "[oss-security] 20200707 Xen Security Advisory 321 v3 (CVE-2020-15565) - insufficient cache write-back under VT-d", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/07/07/4" }, { "name": "DSA-4723", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4723" }, { "name": "openSUSE-SU-2020:0965", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html" }, { "name": "FEDORA-2020-fbc13516af", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/" }, { "name": "openSUSE-SU-2020:0985", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html" }, { "name": "FEDORA-2020-76cf2b0f0a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/" }, { "name": "GLSA-202007-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202007-02" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen\u0027s free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-27T00:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/advisory-321.html" }, { "name": "[oss-security] 20200707 Xen Security Advisory 321 v3 (CVE-2020-15565) - insufficient cache write-back under VT-d", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/07/07/4" }, { "name": "DSA-4723", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4723" }, { "name": "openSUSE-SU-2020:0965", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html" }, { "name": "FEDORA-2020-fbc13516af", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/" }, { "name": "openSUSE-SU-2020:0985", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html" }, { "name": "FEDORA-2020-76cf2b0f0a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/" }, { "name": "GLSA-202007-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202007-02" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15565", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen\u0027s free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-321.html", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/advisory-321.html" }, { "name": "[oss-security] 20200707 Xen Security Advisory 321 v3 (CVE-2020-15565) - insufficient cache write-back under VT-d", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/07/07/4" }, { "name": "DSA-4723", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4723" }, { "name": "openSUSE-SU-2020:0965", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html" }, { "name": "FEDORA-2020-fbc13516af", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP/" }, { "name": "openSUSE-SU-2020:0985", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html" }, { "name": "FEDORA-2020-76cf2b0f0a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH/" }, { "name": "GLSA-202007-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202007-02" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15565", "datePublished": "2020-07-07T12:25:00", "dateReserved": "2020-07-06T00:00:00", "dateUpdated": "2024-08-04T13:22:29.188Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17345
Vulnerability from cvelistv5
Published
2019-10-08 00:02
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-291.html | x_refsource_CONFIRM | |
https://xenbits.xen.org/xsa/advisory-291.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2019/10/25/4 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.525Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-291.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-291.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 291 v3 (CVE-2019-17345) - x86/PV: page type reference counting issue with failed IOMMU update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/4" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-14T22:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-291.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-291.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 291 v3 (CVE-2019-17345) - x86/PV: page type reference counting issue with failed IOMMU update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/4" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17345", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-291.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-291.html" }, { "name": "https://xenbits.xen.org/xsa/advisory-291.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-291.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 291 v3 (CVE-2019-17345) - x86/PV: page type reference counting issue with failed IOMMU update", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/25/4" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17345", "datePublished": "2019-10-08T00:02:29", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.525Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-25603
Vulnerability from cvelistv5
Published
2020-09-23 21:34
Modified
2024-08-04 15:33
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-340.html | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4769 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202011-06 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:33:05.752Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-340.html" }, { "name": "FEDORA-2020-306b84fd07", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202011-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-11T05:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-340.html" }, { "name": "FEDORA-2020-306b84fd07", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202011-06" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25603", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-340.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-340.html" }, { "name": "FEDORA-2020-306b84fd07", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202011-06" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25603", "datePublished": "2020-09-23T21:34:56", "dateReserved": "2020-09-16T00:00:00", "dateUpdated": "2024-08-04T15:33:05.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-1666
Vulnerability from cvelistv5
Published
2014-01-26 11:00
Modified
2024-08-06 09:50
Severity ?
EPSS score ?
Summary
The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:50:10.726Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102536", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/102536" }, { "name": "65125", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/65125" }, { "name": "xen-cve20141666-priv-esc(90675)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90675" }, { "name": "SUSE-SU-2014:0373", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "FEDORA-2014-1552", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127607.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX200288" }, { "name": "GLSA-201407-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "name": "FEDORA-2014-1559", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127580.html" }, { "name": "[oss-security] 20140123 Xen Security Advisory 87 (CVE-2014-1666) - PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/01/24/6" }, { "name": "1029684", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1029684" }, { "name": "SUSE-SU-2014:0372", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-87.html" }, { "name": "56650", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56650" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/xsa87-unstable-4.3.patch" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-23T00:00:00", "descriptions": [ { "lang": "en", "value": "The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-02T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "102536", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/102536" }, { "name": "65125", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/65125" }, { "name": "xen-cve20141666-priv-esc(90675)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90675" }, { "name": "SUSE-SU-2014:0373", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "FEDORA-2014-1552", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127607.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX200288" }, { "name": "GLSA-201407-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "name": "FEDORA-2014-1559", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127580.html" }, { "name": "[oss-security] 20140123 Xen Security Advisory 87 (CVE-2014-1666) - PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/01/24/6" }, { "name": "1029684", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1029684" }, { "name": "SUSE-SU-2014:0372", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-87.html" }, { "name": "56650", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56650" }, { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/xsa87-unstable-4.3.patch" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1666", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "102536", "refsource": "OSVDB", "url": "http://osvdb.org/102536" }, { "name": "65125", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65125" }, { "name": "xen-cve20141666-priv-esc(90675)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90675" }, { "name": "SUSE-SU-2014:0373", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00011.html" }, { "name": "FEDORA-2014-1552", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127607.html" }, { "name": "http://support.citrix.com/article/CTX200288", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX200288" }, { "name": "GLSA-201407-03", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201407-03.xml" }, { "name": "FEDORA-2014-1559", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127580.html" }, { "name": "[oss-security] 20140123 Xen Security Advisory 87 (CVE-2014-1666) - PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/01/24/6" }, { "name": "1029684", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029684" }, { "name": "SUSE-SU-2014:0372", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00010.html" }, { "name": "http://xenbits.xen.org/xsa/advisory-87.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-87.html" }, { "name": "56650", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56650" }, { "name": "http://xenbits.xen.org/xsa/xsa87-unstable-4.3.patch", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/xsa87-unstable-4.3.patch" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1666", "datePublished": "2014-01-26T11:00:00", "dateReserved": "2014-01-24T00:00:00", "dateUpdated": "2024-08-06T09:50:10.726Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-4536
Vulnerability from cvelistv5
Published
2012-11-21 23:00
Modified
2024-08-06 20:42
Severity ?
EPSS score ?
Summary
The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:42:54.680Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55082" }, { "name": "51413", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51413" }, { "name": "51200", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51200" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "SUSE-SU-2012:1486", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00008.html" }, { "name": "xen-domainpirqtoemuirq-dos(80023)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80023" }, { "name": "[Xen-announce] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.xen.org/archives/html/xen-announce/2012-11/msg00003.html" }, { "name": "[oss-security] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/13/2" }, { "name": "1027760", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1027760" }, { "name": "87297", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/87297" }, { "name": "openSUSE-SU-2012:1572", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00017.html" }, { "name": "SUSE-SU-2012:1487", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00009.html" }, { "name": "51352", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51352" }, { "name": "51324", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51324" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "56498", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/56498" }, { "name": "openSUSE-SU-2012:1573", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00018.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-11-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55082" }, { "name": "51413", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51413" }, { "name": "51200", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51200" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "SUSE-SU-2012:1486", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00008.html" }, { "name": "xen-domainpirqtoemuirq-dos(80023)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80023" }, { "name": "[Xen-announce] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.xen.org/archives/html/xen-announce/2012-11/msg00003.html" }, { "name": "[oss-security] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/13/2" }, { "name": "1027760", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1027760" }, { "name": "87297", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/87297" }, { "name": "openSUSE-SU-2012:1572", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00017.html" }, { "name": "SUSE-SU-2012:1487", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00009.html" }, { "name": "51352", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51352" }, { "name": "51324", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51324" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "56498", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/56498" }, { "name": "openSUSE-SU-2012:1573", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00018.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4536", "datePublished": "2012-11-21T23:00:00", "dateReserved": "2012-08-21T00:00:00", "dateUpdated": "2024-08-06T20:42:54.680Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-8594
Vulnerability from cvelistv5
Published
2014-11-19 18:00
Modified
2024-08-06 13:25
Severity ?
EPSS score ?
Summary
The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP).
References
▼ | URL | Tags |
---|---|---|
https://security.gentoo.org/glsa/201504-04 | vendor-advisory, x_refsource_GENTOO | |
http://secunia.com/advisories/62672 | third-party-advisory, x_refsource_SECUNIA | |
http://xenbits.xen.org/xsa/advisory-109.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/71149 | vdb-entry, x_refsource_BID | |
http://www.debian.org/security/2015/dsa-3140 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html | vendor-advisory, x_refsource_SUSE | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/98767 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:25:59.938Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201504-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201504-04" }, { "name": "62672", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/62672" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-109.html" }, { "name": "71149", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/71149" }, { "name": "DSA-3140", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3140" }, { "name": "openSUSE-SU-2015:0226", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html" }, { "name": "openSUSE-SU-2015:0256", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html" }, { "name": "xen-cve20148594-sec-byass(98767)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98767" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201504-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201504-04" }, { "name": "62672", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/62672" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-109.html" }, { "name": "71149", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/71149" }, { "name": "DSA-3140", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3140" }, { "name": "openSUSE-SU-2015:0226", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html" }, { "name": "openSUSE-SU-2015:0256", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html" }, { "name": "xen-cve20148594-sec-byass(98767)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98767" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-8594", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201504-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201504-04" }, { "name": "62672", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/62672" }, { "name": "http://xenbits.xen.org/xsa/advisory-109.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-109.html" }, { "name": "71149", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71149" }, { "name": "DSA-3140", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3140" }, { "name": "openSUSE-SU-2015:0226", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html" }, { "name": "openSUSE-SU-2015:0256", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html" }, { "name": "xen-cve20148594-sec-byass(98767)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98767" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-8594", "datePublished": "2014-11-19T18:00:00", "dateReserved": "2014-11-04T00:00:00", "dateUpdated": "2024-08-06T13:25:59.938Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-25601
Vulnerability from cvelistv5
Published
2020-09-23 21:14
Modified
2024-08-04 15:33
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-344.html | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4769 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html | vendor-advisory, x_refsource_SUSE | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202011-06 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:33:05.776Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-344.html" }, { "name": "FEDORA-2020-306b84fd07", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202011-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-11-11T05:06:37", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-344.html" }, { "name": "FEDORA-2020-306b84fd07", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202011-06" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25601", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-344.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-344.html" }, { "name": "FEDORA-2020-306b84fd07", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JRXMKEMQRQYWYEPHVBIWUEAVQ3LU4FN/" }, { "name": "FEDORA-2020-f668e579be", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DA633Y3G5KX7MKRN4PFEGM3IVTJMBEOM/" }, { "name": "DSA-4769", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4769" }, { "name": "openSUSE-SU-2020:1608", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00008.html" }, { "name": "FEDORA-2020-d46fe34349", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJZERRBJN6E6STDCHT4JHP4MI6TKBCJE/" }, { "name": "GLSA-202011-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202011-06" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25601", "datePublished": "2020-09-23T21:14:03", "dateReserved": "2020-09-16T00:00:00", "dateUpdated": "2024-08-04T15:33:05.776Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-0152
Vulnerability from cvelistv5
Published
2013-02-13 01:00
Modified
2024-08-06 14:18
Severity ?
EPSS score ?
Summary
Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/55082 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securitytracker.com/id/1028032 | vdb-entry, x_refsource_SECTRACK | |
http://security.gentoo.org/glsa/glsa-201309-24.xml | vendor-advisory, x_refsource_GENTOO | |
http://www.openwall.com/lists/oss-security/2013/01/23/8 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.329Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55082" }, { "name": "1028032", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1028032" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "[oss-security] 20130123 Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/01/23/8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-01-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-10-11T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55082" }, { "name": "1028032", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1028032" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "[oss-security] 20130123 Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/01/23/8" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0152", "datePublished": "2013-02-13T01:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.329Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-7995
Vulnerability from cvelistv5
Published
2017-05-03 19:00
Modified
2024-08-05 16:19
Severity ?
EPSS score ?
Summary
Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/98314 | vdb-entry, x_refsource_BID | |
https://bugzilla.suse.com/show_bug.cgi?id=1033948 | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:19:29.765Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "98314", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/98314" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1033948" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-05-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-05-08T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "98314", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/98314" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1033948" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7995", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "98314", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98314" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1033948", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1033948" }, { "name": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html", "refsource": "CONFIRM", "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7995", "datePublished": "2017-05-03T19:00:00", "dateReserved": "2017-04-21T00:00:00", "dateUpdated": "2024-08-05T16:19:29.765Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-10919
Vulnerability from cvelistv5
Published
2017-07-05 01:00
Modified
2024-08-05 17:50
Severity ?
EPSS score ?
Summary
Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.
References
▼ | URL | Tags |
---|---|---|
https://security.gentoo.org/glsa/201708-03 | vendor-advisory, x_refsource_GENTOO | |
http://www.debian.org/security/2017/dsa-3969 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/99159 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1038733 | vdb-entry, x_refsource_SECTRACK | |
https://xenbits.xen.org/xsa/advisory-223.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:50:12.714Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99159", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99159" }, { "name": "1038733", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1038733" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-223.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99159", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99159" }, { "name": "1038733", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1038733" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://xenbits.xen.org/xsa/advisory-223.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-10919", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201708-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99159", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99159" }, { "name": "1038733", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038733" }, { "name": "https://xenbits.xen.org/xsa/advisory-223.html", "refsource": "CONFIRM", "url": "https://xenbits.xen.org/xsa/advisory-223.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-10919", "datePublished": "2017-07-05T01:00:00", "dateReserved": "2017-07-04T00:00:00", "dateUpdated": "2024-08-05T17:50:12.714Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-2044
Vulnerability from cvelistv5
Published
2015-03-12 14:00
Modified
2024-08-06 05:02
Severity ?
EPSS score ?
Summary
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:02:43.163Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-423503.htm" }, { "name": "GLSA-201504-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201504-04" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX200484" }, { "name": "FEDORA-2015-3944", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html" }, { "name": "FEDORA-2015-3721", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-121.html" }, { "name": "1031836", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1031836" }, { "name": "72954", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/72954" }, { "name": "DSA-3181", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3181" }, { "name": "FEDORA-2015-3935", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html" }, { "name": "openSUSE-SU-2015:0732", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html" }, { "name": "1031806", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1031806" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-03-05T00:00:00", "descriptions": [ { "lang": "en", "value": "The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-423503.htm" }, { "name": "GLSA-201504-04", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201504-04" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX200484" }, { "name": "FEDORA-2015-3944", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html" }, { "name": "FEDORA-2015-3721", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-121.html" }, { "name": "1031836", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1031836" }, { "name": "72954", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/72954" }, { "name": "DSA-3181", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3181" }, { "name": "FEDORA-2015-3935", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html" }, { "name": "openSUSE-SU-2015:0732", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html" }, { "name": "1031806", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1031806" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2044", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-423503.htm", "refsource": "CONFIRM", "url": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-423503.htm" }, { "name": "GLSA-201504-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201504-04" }, { "name": "http://support.citrix.com/article/CTX200484", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX200484" }, { "name": "FEDORA-2015-3944", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html" }, { "name": "FEDORA-2015-3721", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html" }, { "name": "http://xenbits.xen.org/xsa/advisory-121.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-121.html" }, { "name": "1031836", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031836" }, { "name": "72954", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72954" }, { "name": "DSA-3181", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3181" }, { "name": "FEDORA-2015-3935", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html" }, { "name": "openSUSE-SU-2015:0732", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html" }, { "name": "1031806", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031806" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2044", "datePublished": "2015-03-12T14:00:00", "dateReserved": "2015-02-20T00:00:00", "dateUpdated": "2024-08-06T05:02:43.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-5166
Vulnerability from cvelistv5
Published
2015-08-12 14:00
Modified
2024-08-06 06:41
Severity ?
EPSS score ?
Summary
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.
References
▼ | URL | Tags |
---|---|---|
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html | vendor-advisory, x_refsource_FEDORA | |
http://www.securityfocus.com/bid/76152 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1033175 | vdb-entry, x_refsource_SECTRACK | |
http://xenbits.xen.org/xsa/advisory-139.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:41:07.558Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2015-15944", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html" }, { "name": "FEDORA-2015-14361", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html" }, { "name": "FEDORA-2015-15946", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html" }, { "name": "76152", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76152" }, { "name": "1033175", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1033175" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-139.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-08-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-20T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "FEDORA-2015-15944", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html" }, { "name": "FEDORA-2015-14361", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html" }, { "name": "FEDORA-2015-15946", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html" }, { "name": "76152", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76152" }, { "name": "1033175", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1033175" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-139.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5166", "datePublished": "2015-08-12T14:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:07.558Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-31142
Vulnerability from cvelistv5
Published
2024-05-16 13:39
Modified
2024-08-02 01:46
Severity ?
EPSS score ?
Summary
Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.
For more details, see:
https://xenbits.xen.org/xsa/advisory-407.html
https://xenbits.xen.org/xsa/advisory-434.html
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-31142", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-20T13:51:28.453648Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:36:07.065Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:04.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-455.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-455" } ] } ], "configurations": [ { "lang": "en", "value": "All versions of Xen containing the XSA-407 fixes are vulnerable.\n\nSee XSAs 407 and 434 for details on which hardware is susceptible to\nBTC/SRSO.\n" } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by Andrew Cooper of XenServer.\n" } ], "datePublic": "2024-04-09T16:29:00Z", "descriptions": [ { "lang": "en", "value": "Because of a logical error in XSA-407 (Branch Type Confusion), the\nmitigation is not applied properly when it is intended to be used.\nXSA-434 (Speculative Return Stack Overflow) uses the same\ninfrastructure, so is equally impacted.\n\nFor more details, see:\n https://xenbits.xen.org/xsa/advisory-407.html\n https://xenbits.xen.org/xsa/advisory-434.html\n" } ], "impacts": [ { "descriptions": [ { "lang": "en", "value": "XSAs 407 and 434 are unmitigated, even when the patches are in place.\n" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-16T13:39:42.774Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-455.html" } ], "title": "x86: Incorrect logic for BTC/SRSO mitigations", "workarounds": [ { "lang": "en", "value": "There are no mitigations.\n" } ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2024-31142", "datePublished": "2024-05-16T13:39:42.774Z", "dateReserved": "2024-03-28T18:14:12.892Z", "dateUpdated": "2024-08-02T01:46:04.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-17563
Vulnerability from cvelistv5
Published
2017-12-12 22:00
Modified
2024-08-05 20:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/102169 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id/1040769 | vdb-entry, x_refsource_SECTRACK | |
https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2017/12/12/2 | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201801-14 | vendor-advisory, x_refsource_GENTOO | |
https://xenbits.xen.org/xsa/advisory-249.html | x_refsource_CONFIRM | |
https://www.debian.org/security/2018/dsa-4112 | vendor-advisory, x_refsource_DEBIAN | |
https://support.citrix.com/article/CTX232096 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:51:32.233Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102169", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102169" }, { "name": "1040769", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1040769" }, { "name": "[debian-lts-announce] 20180105 [SECURITY] [DLA 1230-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2017/12/12/2" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-249.html" }, { "name": "DSA-4112", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4112" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX232096" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-12-12T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "102169", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102169" }, { "name": "1040769", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1040769" }, { "name": "[debian-lts-announce] 20180105 [SECURITY] [DLA 1230-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2017/12/12/2" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://xenbits.xen.org/xsa/advisory-249.html" }, { "name": "DSA-4112", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4112" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX232096" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-17563", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "102169", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102169" }, { "name": "1040769", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040769" }, { "name": "[debian-lts-announce] 20180105 [SECURITY] [DLA 1230-1] xen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "name": "http://www.openwall.com/lists/oss-security/2017/12/12/2", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2017/12/12/2" }, { "name": "GLSA-201801-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "https://xenbits.xen.org/xsa/advisory-249.html", "refsource": "CONFIRM", "url": "https://xenbits.xen.org/xsa/advisory-249.html" }, { "name": "DSA-4112", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4112" }, { "name": "https://support.citrix.com/article/CTX232096", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX232096" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-17563", "datePublished": "2017-12-12T22:00:00", "dateReserved": "2017-12-12T00:00:00", "dateUpdated": "2024-08-05T20:51:32.233Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-2196
Vulnerability from cvelistv5
Published
2013-08-23 16:00
Modified
2024-08-06 15:27
Severity ?
EPSS score ?
Summary
Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195.
References
▼ | URL | Tags |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/55082 | third-party-advisory, x_refsource_SECUNIA | |
http://security.gentoo.org/glsa/glsa-201309-24.xml | vendor-advisory, x_refsource_GENTOO | |
http://www.openwall.com/lists/oss-security/2013/06/20/4 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2013/06/20/2 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html | vendor-advisory, x_refsource_SUSE | |
http://www.debian.org/security/2014/dsa-3006 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html | vendor-advisory, x_refsource_SUSE | |
http://support.citrix.com/article/CTX138058 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:41.094Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "SUSE-SU-2014:0470", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html" }, { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55082" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "[oss-security] 20130620 Xen Security Advisory 55 (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/20/4" }, { "name": "[oss-security] 20130620 Re: Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/20/2" }, { "name": "SUSE-SU-2014:0446", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html" }, { "name": "DSA-3006", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-3006" }, { "name": "SUSE-SU-2014:0411", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX138058" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-06-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to \"other problems\" that are not CVE-2013-2194 or CVE-2013-2195." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-12-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "SUSE-SU-2014:0470", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html" }, { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55082" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "[oss-security] 20130620 Xen Security Advisory 55 (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/20/4" }, { "name": "[oss-security] 20130620 Re: Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/06/20/2" }, { "name": "SUSE-SU-2014:0446", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html" }, { "name": "DSA-3006", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-3006" }, { "name": "SUSE-SU-2014:0411", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX138058" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2196", "datePublished": "2013-08-23T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:41.094Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-19578
Vulnerability from cvelistv5
Published
2019-12-11 16:53
Modified
2024-08-05 02:16
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some "linear_pt_entry" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-309.html | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/ | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html | vendor-advisory, x_refsource_SUSE | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ | |
https://security.gentoo.org/glsa/202003-56 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:16:48.452Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-309.html" }, { "name": "FEDORA-2019-6aad703290", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/" }, { "name": "FEDORA-2019-2e12bd3a9a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/" }, { "name": "openSUSE-SU-2020:0011", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. \"Linear pagetables\" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the \"depth\" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some \"linear_pt_entry\" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-26T14:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-309.html" }, { "name": "FEDORA-2019-6aad703290", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/" }, { "name": "FEDORA-2019-2e12bd3a9a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/" }, { "name": "openSUSE-SU-2020:0011", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19578", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. \"Linear pagetables\" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the \"depth\" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some \"linear_pt_entry\" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-309.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-309.html" }, { "name": "FEDORA-2019-6aad703290", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/" }, { "name": "FEDORA-2019-2e12bd3a9a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/" }, { "name": "openSUSE-SU-2020:0011", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-56" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19578", "datePublished": "2019-12-11T16:53:45", "dateReserved": "2019-12-04T00:00:00", "dateUpdated": "2024-08-05T02:16:48.452Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28710
Vulnerability from cvelistv5
Published
2021-11-21 14:18
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-390.txt | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202208-23 | vendor-advisory, x_refsource_GENTOO |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.159Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt" }, { "name": "FEDORA-2021-03645e9807", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "lessThan": "4.12", "status": "unknown", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.15.x", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "next of xen-unstable", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table\u0027s address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "A malicious guest may be able to escalate its privileges to that of\nthe host." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-14T20:09:18", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt" }, { "name": "FEDORA-2021-03645e9807", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2021-28710", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "xen", "version": { "version_data": [ { "version_affected": "?\u003c", "version_value": "4.12" }, { "version_affected": "\u003e=", "version_value": "4.15.x" }, { "version_affected": "!\u003e", "version_value": "xen-unstable" } ] } } ] }, "vendor_name": "Xen" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "Xen version 4.15 is vulnerable. Xen versions 4.14 and earlier are not\nvulnerable.\n\nOnly x86 Intel systems with IOMMU(s) in use are affected. Arm\nsystems, non-Intel x86 systems, and x86 systems without IOMMU are not\naffected.\n\nOnly HVM guests with passed-through PCI devices and configured to share\nIOMMU and EPT page tables are able to leverage the vulnerability on\naffected hardware. Note that page table sharing is the default\nconfiguration on capable hardware.\n\nSystems are only affected if the IOMMU used for a passed through\ndevice requires the use of page tables less than 4 levels deep. We\nare informed that this is the case for some at least Ivybridge and\nearlier \"client\" chips; additionally it might be possible for such a\nsituation to arise when Xen is running nested under another\nhypervisor, if an (emulated) Intel IOMMU is made available to Xen." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Jan Beulich of SUSE." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table\u0027s address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries." } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "A malicious guest may be able to escalate its privileges to that of\nthe host." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-390.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt" }, { "name": "FEDORA-2021-03645e9807", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" }, { "name": "GLSA-202208-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-23" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "Suppressing the use of shared page tables avoids the vulnerability.\nThis can be achieved globally by passing \"iommu=no-sharept\" on the\nhypervisor command line. This can also be achieved on a per-guest basis\nvia the \"passthrough=sync_pt\" xl guest configuration file option." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2021-28710", "datePublished": "2021-11-21T14:18:23", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.159Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-9386
Vulnerability from cvelistv5
Published
2017-01-23 21:00
Modified
2024-08-06 02:50
Severity ?
EPSS score ?
Summary
The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/94471 | vdb-entry, x_refsource_BID | |
https://security.gentoo.org/glsa/201612-56 | vendor-advisory, x_refsource_GENTOO | |
https://support.citrix.com/article/CTX218775 | x_refsource_CONFIRM | |
http://xenbits.xen.org/xsa/advisory-191.html | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1037340 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:37.602Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "94471", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94471" }, { "name": "GLSA-201612-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201612-56" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX218775" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-191.html" }, { "name": "1037340", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037340" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-11-22T00:00:00", "descriptions": [ { "lang": "en", "value": "The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving \"unexpected\" base/limit values." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "94471", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94471" }, { "name": "GLSA-201612-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201612-56" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX218775" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-191.html" }, { "name": "1037340", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1037340" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9386", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving \"unexpected\" base/limit values." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "94471", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94471" }, { "name": "GLSA-201612-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-56" }, { "name": "https://support.citrix.com/article/CTX218775", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX218775" }, { "name": "http://xenbits.xen.org/xsa/advisory-191.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-191.html" }, { "name": "1037340", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037340" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9386", "datePublished": "2017-01-23T21:00:00", "dateReserved": "2016-11-17T00:00:00", "dateUpdated": "2024-08-06T02:50:37.602Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-5511
Vulnerability from cvelistv5
Published
2012-12-13 11:00
Modified
2024-08-06 21:05
Severity ?
EPSS score ?
Summary
Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:05:47.348Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55082" }, { "name": "openSUSE-SU-2013:0133", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00011.html" }, { "name": "[oss-security] 20121203 Xen Security Advisory 27 (CVE-2012-5511) - several HVM operations do not validate the range of their inputs", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/12/03/10" }, { "name": "openSUSE-SU-2013:0637", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00052.html" }, { "name": "56796", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/56796" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX135777" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "DSA-2636", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2013/dsa-2636" }, { "name": "51397", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51397" }, { "name": "openSUSE-SU-2012:1685", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00018.html" }, { "name": "51486", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51486" }, { "name": "51487", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51487" }, { "name": "88129", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/88129" }, { "name": "openSUSE-SU-2013:0636", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00051.html" }, { "name": "SUSE-SU-2014:0446", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html" }, { "name": "openSUSE-SU-2012:1687", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00019.html" }, { "name": "SUSE-SU-2012:1615", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00001.html" }, { "name": "xen-hvm-dos(80484)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80484" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-12-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55082" }, { "name": "openSUSE-SU-2013:0133", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00011.html" }, { "name": "[oss-security] 20121203 Xen Security Advisory 27 (CVE-2012-5511) - several HVM operations do not validate the range of their inputs", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/12/03/10" }, { "name": "openSUSE-SU-2013:0637", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00052.html" }, { "name": "56796", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/56796" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX135777" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "DSA-2636", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2013/dsa-2636" }, { "name": "51397", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51397" }, { "name": "openSUSE-SU-2012:1685", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00018.html" }, { "name": "51486", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51486" }, { "name": "51487", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51487" }, { "name": "88129", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/88129" }, { "name": "openSUSE-SU-2013:0636", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00051.html" }, { "name": "SUSE-SU-2014:0446", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html" }, { "name": "openSUSE-SU-2012:1687", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00019.html" }, { "name": "SUSE-SU-2012:1615", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00001.html" }, { "name": "xen-hvm-dos(80484)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80484" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5511", "datePublished": "2012-12-13T11:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:05:47.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28699
Vulnerability from cvelistv5
Published
2021-08-27 18:21
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-382.txt | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2021/dsa-4977 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202208-23 | vendor-advisory, x_refsource_GENTOO |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.197Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-382.txt" }, { "name": "FEDORA-2021-4f129cc0c1", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "lessThan": "4.12", "status": "unknown", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.11.x", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "next of xen-unstable", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system. Privilege escalation\nand information leaks cannot be ruled out." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-14T20:12:37", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-382.txt" }, { "name": "FEDORA-2021-4f129cc0c1", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202208-23" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2021-28699", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "xen", "version": { "version_data": [ { "version_affected": "?\u003c", "version_value": "4.12" }, { "version_affected": "\u003e=", "version_value": "4.11.x" }, { "version_affected": "!\u003e", "version_value": "xen-unstable" } ] } } ] }, "vendor_name": "Xen" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "All Xen versions from 4.10 onwards are affected. Xen versions 4.9 and\nolder are not affected.\n\nOnly 32-bit x86 guests permitted to use grant table version 2 interfaces\ncan leverage this vulnerability. 64-bit x86 guests cannot leverage this\nvulnerability, but note that HVM and PVH guests are free to alter their\nbitness as they see fit. On Arm, grant table v2 use is explicitly\nunsupported.\n\nOnly guests permitted to have 8177 or more grant table frames can\nleverage this vulnerability." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Jan Beulich of SUSE." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing." } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system. Privilege escalation\nand information leaks cannot be ruled out." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-382.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-382.txt" }, { "name": "FEDORA-2021-4f129cc0c1", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/" }, { "name": "FEDORA-2021-d68ed12e46", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/" }, { "name": "DSA-4977", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4977" }, { "name": "FEDORA-2021-081f9bf5d2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/" }, { "name": "GLSA-202208-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-23" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "The problem can be avoided by not increasing too much the number of\ngrants Xen would allow guests to establish. The limit is controlled by\nthe \"gnttab_max_frames\" Xen command line option and the\n\"max_grant_frames\" xl domain configuration setting.\n\n- From Xen 4.14 onwards it is also possible to alter the system wide upper\nbound of the number of grants Xen would allow guests to establish by\nwriting to the /params/gnttab_max_frames hypervisor file system node.\nNote however that changing the value this way will only affect guests\nyet to be created on the respective host.\n\nSuppressing use of grant table v2 interfaces for 32-bit x86 guests will\nalso avoid this vulnerability." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2021-28699", "datePublished": "2021-08-27T18:21:40", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.197Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17347
Vulnerability from cvelistv5
Published
2019-10-08 00:02
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-293.html | x_refsource_CONFIRM | |
https://xenbits.xen.org/xsa/advisory-293.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2019/10/25/8 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:14.444Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-293.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-293.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 293 v4 (CVE-2019-17347) - x86: PV kernel context switch corruption", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/8" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-14T22:06:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-293.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-293.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 293 v4 (CVE-2019-17347) - x86: PV kernel context switch corruption", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/25/8" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17347", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels)." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-293.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-293.html" }, { "name": "https://xenbits.xen.org/xsa/advisory-293.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-293.html" }, { "name": "[oss-security] 20191025 Xen Security Advisory 293 v4 (CVE-2019-17347) - x86: PV kernel context switch corruption", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/25/8" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17347", "datePublished": "2019-10-08T00:02:04", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:14.444Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7311
Vulnerability from cvelistv5
Published
2015-10-01 20:00
Modified
2024-08-06 07:43
Severity ?
EPSS score ?
Summary
libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-142.html | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2015-12/msg00053.html | vendor-advisory, x_refsource_SUSE | |
https://bugzilla.redhat.com/show_bug.cgi?id=1257893 | x_refsource_CONFIRM | |
http://www.debian.org/security/2015/dsa-3414 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securitytracker.com/id/1033633 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/76823 | vdb-entry, x_refsource_BID | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/201604-03 | vendor-advisory, x_refsource_GENTOO | |
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167077.html | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:43:46.158Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-142.html" }, { "name": "openSUSE-SU-2015:2250", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00053.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1257893" }, { "name": "DSA-3414", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3414" }, { "name": "1033633", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1033633" }, { "name": "76823", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76823" }, { "name": "FEDORA-2015-15944", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html" }, { "name": "FEDORA-2015-15946", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "FEDORA-2015-15943", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167077.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-142.html" }, { "name": "openSUSE-SU-2015:2250", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00053.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1257893" }, { "name": "DSA-3414", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3414" }, { "name": "1033633", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1033633" }, { "name": "76823", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76823" }, { "name": "FEDORA-2015-15944", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html" }, { "name": "FEDORA-2015-15946", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "FEDORA-2015-15943", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167077.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7311", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-142.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-142.html" }, { "name": "openSUSE-SU-2015:2250", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00053.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1257893", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1257893" }, { "name": "DSA-3414", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3414" }, { "name": "1033633", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033633" }, { "name": "76823", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76823" }, { "name": "FEDORA-2015-15944", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html" }, { "name": "FEDORA-2015-15946", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html" }, { "name": "GLSA-201604-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "FEDORA-2015-15943", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167077.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7311", "datePublished": "2015-10-01T20:00:00", "dateReserved": "2015-09-22T00:00:00", "dateUpdated": "2024-08-06T07:43:46.158Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14316
Vulnerability from cvelistv5
Published
2017-09-12 15:00
Modified
2024-08-05 19:20
Severity ?
EPSS score ?
Summary
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/100818 | vdb-entry, x_refsource_BID | |
http://xenbits.xen.org/xsa/advisory-231.html | x_refsource_CONFIRM | |
https://support.citrix.com/article/CTX227185 | x_refsource_CONFIRM | |
https://www.debian.org/security/2017/dsa-4050 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html | mailing-list, x_refsource_MLIST | |
http://www.securitytracker.com/id/1039348 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:20:41.467Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "100818", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100818" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-231.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX227185" }, { "name": "DSA-4050", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2017/dsa-4050" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "name": "1039348", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1039348" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-09-12T00:00:00", "descriptions": [ { "lang": "en", "value": "A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node \u003e= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-19T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "100818", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100818" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-231.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX227185" }, { "name": "DSA-4050", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2017/dsa-4050" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "name": "1039348", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1039348" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14316", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node \u003e= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "100818", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100818" }, { "name": "http://xenbits.xen.org/xsa/advisory-231.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-231.html" }, { "name": "https://support.citrix.com/article/CTX227185", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX227185" }, { "name": "DSA-4050", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4050" }, { "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html" }, { "name": "1039348", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039348" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14316", "datePublished": "2017-09-12T15:00:00", "dateReserved": "2017-09-12T00:00:00", "dateUpdated": "2024-08-05T19:20:41.467Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-8550
Vulnerability from cvelistv5
Published
2016-04-14 14:00
Modified
2024-08-06 08:20
Severity ?
EPSS score ?
Summary
Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.
References
▼ | URL | Tags |
---|---|---|
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html | x_refsource_CONFIRM | |
http://www.debian.org/security/2016/dsa-3519 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/79592 | vdb-entry, x_refsource_BID | |
http://xenbits.xen.org/xsa/advisory-155.html | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1034479 | vdb-entry, x_refsource_SECTRACK | |
https://security.gentoo.org/glsa/201604-03 | vendor-advisory, x_refsource_GENTOO | |
http://www.debian.org/security/2016/dsa-3471 | vendor-advisory, x_refsource_DEBIAN | |
http://www.debian.org/security/2016/dsa-3434 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:20:43.458Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "79592", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/79592" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-155.html" }, { "name": "SUSE-SU-2016:1764", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html" }, { "name": "SUSE-SU-2016:1102", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html" }, { "name": "1034479", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034479" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "DSA-3471", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3471" }, { "name": "DSA-3434", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3434" }, { "name": "SUSE-SU-2016:0911", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "79592", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/79592" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-155.html" }, { "name": "SUSE-SU-2016:1764", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html" }, { "name": "SUSE-SU-2016:1102", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html" }, { "name": "1034479", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1034479" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "DSA-3471", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3471" }, { "name": "DSA-3434", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3434" }, { "name": "SUSE-SU-2016:0911", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8550", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "DSA-3519", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3519" }, { "name": "79592", "refsource": "BID", "url": "http://www.securityfocus.com/bid/79592" }, { "name": "http://xenbits.xen.org/xsa/advisory-155.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-155.html" }, { "name": "SUSE-SU-2016:1764", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html" }, { "name": "SUSE-SU-2016:1102", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html" }, { "name": "1034479", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034479" }, { "name": "GLSA-201604-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "DSA-3471", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3471" }, { "name": "DSA-3434", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3434" }, { "name": "SUSE-SU-2016:0911", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8550", "datePublished": "2016-04-14T14:00:00", "dateReserved": "2015-12-14T00:00:00", "dateUpdated": "2024-08-06T08:20:43.458Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-33745
Vulnerability from cvelistv5
Published
2022-07-26 00:00
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:09:22.681Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-408.txt" }, { "tags": [ "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-408.html" }, { "name": "[oss-security] 20220726 Xen Security Advisory 408 v2 (CVE-2022-33745) - insufficient TLB flush for x86 PV guests in shadow mode", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/26/2" }, { "name": "[oss-security] 20220726 Xen Security Advisory 408 v3 (CVE-2022-33745) - insufficient TLB flush for x86 PV guests in shadow mode", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/26/3" }, { "name": "FEDORA-2022-4f7cd241e2", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HUFIMNGYP5VQAA6KE3T2I5GW6UP6F7BS/" }, { "name": "FEDORA-2022-a0d7a5eaf2", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" }, { "name": "DSA-5272", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5272" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-408" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Charles Arnold of SUSE.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "The known (observed) impact would be a Denial of Service (DoS) affecting\nthe entire host, due to running out of memory. Privilege escalation and\ninformation leaks cannot be ruled out." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-07T00:00:00", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-408.txt" }, { "url": "http://xenbits.xen.org/xsa/advisory-408.html" }, { "name": "[oss-security] 20220726 Xen Security Advisory 408 v2 (CVE-2022-33745) - insufficient TLB flush for x86 PV guests in shadow mode", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/26/2" }, { "name": "[oss-security] 20220726 Xen Security Advisory 408 v3 (CVE-2022-33745) - insufficient TLB flush for x86 PV guests in shadow mode", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/26/3" }, { "name": "FEDORA-2022-4f7cd241e2", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HUFIMNGYP5VQAA6KE3T2I5GW6UP6F7BS/" }, { "name": "FEDORA-2022-a0d7a5eaf2", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM/" }, { "name": "DSA-5272", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5272" } ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-33745", "datePublished": "2022-07-26T00:00:00", "dateReserved": "2022-06-15T00:00:00", "dateUpdated": "2024-08-03T08:09:22.681Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23036
Vulnerability from cvelistv5
Published
2022-03-10 19:20
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-396.txt | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
unspecified | unspecified |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:42.946Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "unspecified", "vendor": "unspecified", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-396" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-01T13:06:57", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2022-23036", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "", "version": { "version_data": [ { "version_affected": "?", "version_value": "consult Xen advisory XSA-396" } ] } } ] }, "vendor_name": "" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-23036", "datePublished": "2022-03-10T19:20:15", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.946Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12137
Vulnerability from cvelistv5
Published
2017-08-24 14:00
Modified
2024-08-05 18:28
Severity ?
EPSS score ?
Summary
arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.
References
▼ | URL | Tags |
---|---|---|
https://support.citrix.com/article/CTX225941 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2017/08/15/2 | mailing-list, x_refsource_MLIST | |
http://www.securitytracker.com/id/1039174 | vdb-entry, x_refsource_SECTRACK | |
https://bugzilla.redhat.com/show_bug.cgi?id=1477657 | x_refsource_MISC | |
http://www.debian.org/security/2017/dsa-3969 | vendor-advisory, x_refsource_DEBIAN | |
https://security.gentoo.org/glsa/201801-14 | vendor-advisory, x_refsource_GENTOO | |
http://www.securityfocus.com/bid/100342 | vdb-entry, x_refsource_BID | |
http://xenbits.xen.org/xsa/advisory-227.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:28:16.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX225941" }, { "name": "[oss-security] 20170815 Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege escalation via map_grant_ref", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2017/08/15/2" }, { "name": "1039174", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1039174" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477657" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "100342", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100342" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-227.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-08-15T00:00:00", "descriptions": [ { "lang": "en", "value": "arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-15T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX225941" }, { "name": "[oss-security] 20170815 Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege escalation via map_grant_ref", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2017/08/15/2" }, { "name": "1039174", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1039174" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477657" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "100342", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100342" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-227.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-12137", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.citrix.com/article/CTX225941", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX225941" }, { "name": "[oss-security] 20170815 Xen Security Advisory 227 (CVE-2017-12137) - x86: PV privilege escalation via map_grant_ref", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/08/15/2" }, { "name": "1039174", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039174" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1477657", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477657" }, { "name": "DSA-3969", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "GLSA-201801-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "100342", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100342" }, { "name": "http://xenbits.xen.org/xsa/advisory-227.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-227.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-12137", "datePublished": "2017-08-24T14:00:00", "dateReserved": "2017-08-01T00:00:00", "dateUpdated": "2024-08-05T18:28:16.519Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23037
Vulnerability from cvelistv5
Published
2022-03-10 19:20
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-396.txt | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
unspecified | unspecified |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:43.061Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "unspecified", "vendor": "unspecified", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-396" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-01T13:06:32", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2022-23037", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "", "version": { "version_data": [ { "version_affected": "?", "version_value": "consult Xen advisory XSA-396" } ] } } ] }, "vendor_name": "" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-23037", "datePublished": "2022-03-10T19:20:16", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:43.061Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-29571
Vulnerability from cvelistv5
Published
2020-12-15 17:02
Modified
2024-08-04 16:55
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-359.html | x_refsource_MISC | |
https://www.debian.org/security/2020/dsa-4812 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/ | vendor-advisory, x_refsource_FEDORA | |
https://security.gentoo.org/glsa/202107-30 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:55:10.337Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-359.html" }, { "name": "DSA-4812", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" }, { "name": "GLSA-202107-30", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-30" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn\u0027t protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-12T04:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-359.html" }, { "name": "DSA-4812", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" }, { "name": "GLSA-202107-30", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-30" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-29571", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn\u0027t protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-359.html", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-359.html" }, { "name": "DSA-4812", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" }, { "name": "GLSA-202107-30", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-30" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-29571", "datePublished": "2020-12-15T17:02:42", "dateReserved": "2020-12-04T00:00:00", "dateUpdated": "2024-08-04T16:55:10.337Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-7542
Vulnerability from cvelistv5
Published
2018-02-27 19:00
Modified
2024-08-05 06:31
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-256.html | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201810-06 | vendor-advisory, x_refsource_GENTOO | |
http://www.securitytracker.com/id/1040776 | vdb-entry, x_refsource_SECTRACK | |
https://www.debian.org/security/2018/dsa-4131 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:31:04.775Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-256.html" }, { "name": "GLSA-201810-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201810-06" }, { "name": "1040776", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1040776" }, { "name": "DSA-4131", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4131" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-02-27T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-31T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://xenbits.xen.org/xsa/advisory-256.html" }, { "name": "GLSA-201810-06", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201810-06" }, { "name": "1040776", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1040776" }, { "name": "DSA-4131", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4131" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7542", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-256.html", "refsource": "CONFIRM", "url": "https://xenbits.xen.org/xsa/advisory-256.html" }, { "name": "GLSA-201810-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201810-06" }, { "name": "1040776", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040776" }, { "name": "DSA-4131", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4131" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7542", "datePublished": "2018-02-27T19:00:00", "dateReserved": "2018-02-27T00:00:00", "dateUpdated": "2024-08-05T06:31:04.775Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-6258
Vulnerability from cvelistv5
Published
2016-08-02 16:00
Modified
2024-08-06 01:22
Severity ?
EPSS score ?
Summary
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
References
▼ | URL | Tags |
---|---|---|
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html | x_refsource_CONFIRM | |
http://xenbits.xen.org/xsa/advisory-182.html | x_refsource_CONFIRM | |
http://xenbits.xen.org/xsa/xsa182-4.6.patch | x_refsource_CONFIRM | |
http://support.citrix.com/article/CTX214954 | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201611-09 | vendor-advisory, x_refsource_GENTOO | |
http://xenbits.xen.org/xsa/xsa182-unstable.patch | x_refsource_CONFIRM | |
http://xenbits.xen.org/xsa/xsa182-4.5.patch | x_refsource_CONFIRM | |
http://www.debian.org/security/2016/dsa-3633 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securitytracker.com/id/1036446 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/92131 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:22:20.664Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-182.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/xsa182-4.6.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX214954" }, { "name": "GLSA-201611-09", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201611-09" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/xsa182-unstable.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/xsa182-4.5.patch" }, { "name": "DSA-3633", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3633" }, { "name": "1036446", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1036446" }, { "name": "92131", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/92131" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-07-26T00:00:00", "descriptions": [ { "lang": "en", "value": "The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-182.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/xsa182-4.6.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX214954" }, { "name": "GLSA-201611-09", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201611-09" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/xsa182-unstable.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/xsa182-4.5.patch" }, { "name": "DSA-3633", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3633" }, { "name": "1036446", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1036446" }, { "name": "92131", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/92131" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6258", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html" }, { "name": "http://xenbits.xen.org/xsa/advisory-182.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-182.html" }, { "name": "http://xenbits.xen.org/xsa/xsa182-4.6.patch", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/xsa182-4.6.patch" }, { "name": "http://support.citrix.com/article/CTX214954", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX214954" }, { "name": "GLSA-201611-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201611-09" }, { "name": "http://xenbits.xen.org/xsa/xsa182-unstable.patch", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/xsa182-unstable.patch" }, { "name": "http://xenbits.xen.org/xsa/xsa182-4.5.patch", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/xsa182-4.5.patch" }, { "name": "DSA-3633", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3633" }, { "name": "1036446", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036446" }, { "name": "92131", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92131" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6258", "datePublished": "2016-08-02T16:00:00", "dateReserved": "2016-07-20T00:00:00", "dateUpdated": "2024-08-06T01:22:20.664Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-9815
Vulnerability from cvelistv5
Published
2017-02-27 22:00
Modified
2024-08-06 02:59
Severity ?
EPSS score ?
Summary
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-201.html | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201612-56 | vendor-advisory, x_refsource_GENTOO | |
http://xenbits.xen.org/xsa/xsa201-1.patch | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1037358 | vdb-entry, x_refsource_SECTRACK | |
http://www.openwall.com/lists/oss-security/2016/11/29/3 | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/94581 | vdb-entry, x_refsource_BID | |
http://www.openwall.com/lists/oss-security/2016/12/05/7 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:59:03.590Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-201.html" }, { "name": "GLSA-201612-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201612-56" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/xsa201-1.patch" }, { "name": "1037358", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037358" }, { "name": "[oss-security] 20161129 Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/11/29/3" }, { "name": "94581", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94581" }, { "name": "[oss-security] 20161204 Re: Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-11-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-27T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-201.html" }, { "name": "GLSA-201612-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201612-56" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/xsa201-1.patch" }, { "name": "1037358", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1037358" }, { "name": "[oss-security] 20161129 Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/11/29/3" }, { "name": "94581", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94581" }, { "name": "[oss-security] 20161204 Re: Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/05/7" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9815", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-201.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-201.html" }, { "name": "GLSA-201612-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-56" }, { "name": "http://xenbits.xen.org/xsa/xsa201-1.patch", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/xsa201-1.patch" }, { "name": "1037358", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037358" }, { "name": "[oss-security] 20161129 Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/29/3" }, { "name": "94581", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94581" }, { "name": "[oss-security] 20161204 Re: Xen Security Advisory 201 - ARM guests may induce host asynchronous abort", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/05/7" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9815", "datePublished": "2017-02-27T22:00:00", "dateReserved": "2016-12-04T00:00:00", "dateUpdated": "2024-08-06T02:59:03.590Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-17349
Vulnerability from cvelistv5
Published
2019-10-08 00:00
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-295.html | x_refsource_CONFIRM | |
https://xenbits.xen.org/xsa/advisory-295.html | x_refsource_MISC | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:40:15.660Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-295.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-295.html" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-14T22:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-295.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-295.html" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17349", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-295.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-295.html" }, { "name": "https://xenbits.xen.org/xsa/advisory-295.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-295.html" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17349", "datePublished": "2019-10-08T00:00:58", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:40:15.660Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23960
Vulnerability from cvelistv5
Published
2022-03-12 23:57
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
References
▼ | URL | Tags |
---|---|---|
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability | x_refsource_CONFIRM | |
https://developer.arm.com/support/arm-security-updates | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/03/18/2 | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2022/dsa-5173 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.170Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.arm.com/support/arm-security-updates" }, { "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" }, { "name": "DSA-5173", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5173" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-04T10:10:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability" }, { "tags": [ "x_refsource_MISC" ], "url": "https://developer.arm.com/support/arm-security-updates" }, { "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" }, { "name": "DSA-5173", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5173" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-23960", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", "refsource": "CONFIRM", "url": "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability" }, { "name": "https://developer.arm.com/support/arm-security-updates", "refsource": "MISC", "url": "https://developer.arm.com/support/arm-security-updates" }, { "name": "[oss-security] 20220318 Xen Security Advisory 398 v2 - Multiple speculative security issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/03/18/2" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" }, { "name": "DSA-5173", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5173" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23960", "datePublished": "2022-03-12T23:57:21", "dateReserved": "2022-01-26T00:00:00", "dateUpdated": "2024-08-03T03:59:23.170Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-10923
Vulnerability from cvelistv5
Published
2017-07-05 01:00
Modified
2024-08-05 17:50
Severity ?
EPSS score ?
Summary
Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225.
References
▼ | URL | Tags |
---|---|---|
http://www.securitytracker.com/id/1038735 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/99160 | vdb-entry, x_refsource_BID | |
https://security.gentoo.org/glsa/201708-03 | vendor-advisory, x_refsource_GENTOO | |
https://xenbits.xen.org/xsa/advisory-225.html | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:50:12.816Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1038735", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1038735" }, { "name": "99160", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99160" }, { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-225.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-21T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "1038735", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1038735" }, { "name": "99160", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99160" }, { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://xenbits.xen.org/xsa/advisory-225.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-10923", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1038735", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038735" }, { "name": "99160", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99160" }, { "name": "GLSA-201708-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "https://xenbits.xen.org/xsa/advisory-225.html", "refsource": "CONFIRM", "url": "https://xenbits.xen.org/xsa/advisory-225.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-10923", "datePublished": "2017-07-05T01:00:00", "dateReserved": "2017-07-04T00:00:00", "dateUpdated": "2024-08-05T17:50:12.816Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-10915
Vulnerability from cvelistv5
Published
2017-07-05 01:00
Modified
2024-08-05 17:50
Severity ?
EPSS score ?
Summary
The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219.
References
▼ | URL | Tags |
---|---|---|
https://security.gentoo.org/glsa/201708-03 | vendor-advisory, x_refsource_GENTOO | |
http://www.debian.org/security/2017/dsa-3969 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/99174 | vdb-entry, x_refsource_BID | |
https://xenbits.xen.org/xsa/advisory-219.html | x_refsource_CONFIRM | |
https://security.gentoo.org/glsa/201710-17 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:50:12.571Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99174", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99174" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-219.html" }, { "name": "GLSA-201710-17", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201710-17" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-04T00:00:00", "descriptions": [ { "lang": "en", "value": "The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201708-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99174", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99174" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://xenbits.xen.org/xsa/advisory-219.html" }, { "name": "GLSA-201710-17", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201710-17" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-10915", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201708-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201708-03" }, { "name": "DSA-3969", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "99174", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99174" }, { "name": "https://xenbits.xen.org/xsa/advisory-219.html", "refsource": "CONFIRM", "url": "https://xenbits.xen.org/xsa/advisory-219.html" }, { "name": "GLSA-201710-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201710-17" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-10915", "datePublished": "2017-07-05T01:00:00", "dateReserved": "2017-07-04T00:00:00", "dateUpdated": "2024-08-05T17:50:12.571Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28706
Vulnerability from cvelistv5
Published
2021-11-24 00:00
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.187Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-385.txt" }, { "name": "FEDORA-2021-03645e9807", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" }, { "name": "DSA-5017", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-5017" }, { "name": "FEDORA-2021-2b3a2de94f", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, { "name": "GLSA-202402-07", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202402-07" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.12.x" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "lessThan": "4.12", "status": "unknown", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "4.14.x", "versionType": "custom" }, { "lessThan": "unspecified", "status": "unaffected", "version": "next of 4.15.x", "versionType": "custom" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "xen-unstable" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "affected", "version": "4.13.x" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Julien Grall of Amazon.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "A guest may be able too allocate unbounded amounts of memory to itself.\nThis may result in a Denial of Service (DoS) affecting the entire host." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-04T08:06:49.398870", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-385.txt" }, { "name": "FEDORA-2021-03645e9807", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/" }, { "name": "DSA-5017", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-5017" }, { "name": "FEDORA-2021-2b3a2de94f", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/" }, { "name": "GLSA-202402-07", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202402-07" } ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2021-28706", "datePublished": "2021-11-24T00:00:00", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.187Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-18883
Vulnerability from cvelistv5
Published
2018-11-01 00:00
Modified
2024-08-05 11:23
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xen.org/xsa/advisory-278.html | x_refsource_MISC | |
http://www.securitytracker.com/id/1042021 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/105817 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:23:08.479Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-278.html" }, { "name": "1042021", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1042021" }, { "name": "105817", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105817" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-10-31T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-11-06T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-278.html" }, { "name": "1042021", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1042021" }, { "name": "105817", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105817" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18883", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xen.org/xsa/advisory-278.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-278.html" }, { "name": "1042021", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1042021" }, { "name": "105817", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105817" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18883", "datePublished": "2018-11-01T00:00:00", "dateReserved": "2018-10-31T00:00:00", "dateUpdated": "2024-08-05T11:23:08.479Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-3157
Vulnerability from cvelistv5
Published
2016-04-12 16:00
Modified
2024-08-05 23:47
Severity ?
EPSS score ?
Summary
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:47:57.945Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-2971-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2971-2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-171.html" }, { "name": "USN-2970-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2970-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "USN-2969-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2969-1" }, { "name": "USN-2968-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2968-1" }, { "name": "USN-2971-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2971-3" }, { "name": "USN-2997-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2997-1" }, { "name": "DSA-3607", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3607" }, { "name": "USN-2971-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2971-1" }, { "name": "USN-2996-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2996-1" }, { "name": "USN-2968-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2968-2" }, { "name": "1035308", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035308" }, { "name": "84594", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/84594" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-16T00:00:00", "descriptions": [ { "lang": "en", "value": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-30T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-2971-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2971-2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-171.html" }, { "name": "USN-2970-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2970-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "USN-2969-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2969-1" }, { "name": "USN-2968-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2968-1" }, { "name": "USN-2971-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2971-3" }, { "name": "USN-2997-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2997-1" }, { "name": "DSA-3607", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3607" }, { "name": "USN-2971-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2971-1" }, { "name": "USN-2996-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2996-1" }, { "name": "USN-2968-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2968-2" }, { "name": "1035308", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035308" }, { "name": "84594", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/84594" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3157", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-2971-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2971-2" }, { "name": "http://xenbits.xen.org/xsa/advisory-171.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-171.html" }, { "name": "USN-2970-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2970-1" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "USN-2969-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2969-1" }, { "name": "USN-2968-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2968-1" }, { "name": "USN-2971-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2971-3" }, { "name": "USN-2997-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2997-1" }, { "name": "DSA-3607", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3607" }, { "name": "USN-2971-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2971-1" }, { "name": "USN-2996-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2996-1" }, { "name": "USN-2968-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2968-2" }, { "name": "1035308", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035308" }, { "name": "84594", "refsource": "BID", "url": "http://www.securityfocus.com/bid/84594" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3157", "datePublished": "2016-04-12T16:00:00", "dateReserved": "2016-03-15T00:00:00", "dateUpdated": "2024-08-05T23:47:57.945Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18422
Vulnerability from cvelistv5
Published
2019-10-31 13:35
Modified
2024-08-05 01:54
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-303.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2019/10/31/5 | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.426Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-303.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 303 v4 (CVE-2019-18422) - ARM: Interrupts are unconditionally unmasked in exception handlers", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/5" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-14T22:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/advisory-303.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 303 v4 (CVE-2019-18422) - ARM: Interrupts are unconditionally unmasked in exception handlers", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/5" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18422", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-303.html", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/advisory-303.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 303 v4 (CVE-2019-18422) - ARM: Interrupts are unconditionally unmasked in exception handlers", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/31/5" }, { "name": "FEDORA-2019-865bb16900", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18422", "datePublished": "2019-10-31T13:35:15", "dateReserved": "2019-10-24T00:00:00", "dateUpdated": "2024-08-05T01:54:14.426Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-12136
Vulnerability from cvelistv5
Published
2017-08-24 14:00
Modified
2024-08-05 18:28
Severity ?
EPSS score ?
Summary
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.
References
▼ | URL | Tags |
---|---|---|
https://support.citrix.com/article/CTX225941 | x_refsource_CONFIRM | |
http://xenbits.xen.org/xsa/advisory-228.html | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/100346 | vdb-entry, x_refsource_BID | |
http://www.debian.org/security/2017/dsa-3969 | vendor-advisory, x_refsource_DEBIAN | |
http://www.openwall.com/lists/oss-security/2017/08/15/3 | mailing-list, x_refsource_MLIST | |
https://bugzilla.redhat.com/show_bug.cgi?id=1477651 | x_refsource_MISC | |
https://security.gentoo.org/glsa/201801-14 | vendor-advisory, x_refsource_GENTOO | |
http://www.securitytracker.com/id/1039175 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:28:16.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX225941" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-228.html" }, { "name": "100346", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100346" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "[oss-security] 20170815 Xen Security Advisory 228 (CVE-2017-12136) - grant_table: Race conditions with maptrack free list handling", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2017/08/15/3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477651" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "1039175", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1039175" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-08-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-15T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX225941" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-228.html" }, { "name": "100346", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100346" }, { "name": "DSA-3969", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "[oss-security] 20170815 Xen Security Advisory 228 (CVE-2017-12136) - grant_table: Race conditions with maptrack free list handling", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2017/08/15/3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477651" }, { "name": "GLSA-201801-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "1039175", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1039175" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-12136", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.citrix.com/article/CTX225941", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX225941" }, { "name": "http://xenbits.xen.org/xsa/advisory-228.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-228.html" }, { "name": "100346", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100346" }, { "name": "DSA-3969", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3969" }, { "name": "[oss-security] 20170815 Xen Security Advisory 228 (CVE-2017-12136) - grant_table: Race conditions with maptrack free list handling", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/08/15/3" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1477651", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477651" }, { "name": "GLSA-201801-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201801-14" }, { "name": "1039175", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039175" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-12136", "datePublished": "2017-08-24T14:00:00", "dateReserved": "2017-08-01T00:00:00", "dateUpdated": "2024-08-05T18:28:16.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23040
Vulnerability from cvelistv5
Published
2022-03-10 19:20
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-396.txt | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
unspecified | unspecified |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:28:42.981Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "unspecified", "vendor": "unspecified", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-396" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Demi Marie Obenour and Simon Gaiser of\\nInvisible Things Lab.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-01T13:06:37", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2022-23040", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "", "version": { "version_data": [ { "version_affected": "?", "version_value": "consult Xen advisory XSA-396" } ] } } ] }, "vendor_name": "" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Demi Marie Obenour and Simon Gaiser of\nInvisible Things Lab." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn\u0027t check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042" } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "Due to race conditions and missing tests of return codes in the Linux\nPV device frontend drivers a malicious backend could gain access (read\nand write) to memory pages it shouldn\u0027t have, or it could directly\ntrigger Denial of Service (DoS) in the guest." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-396.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-396.txt" }, { "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-23040", "datePublished": "2022-03-10T19:20:21", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.981Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42334
Vulnerability from cvelistv5
Published
2023-03-21 00:00
Modified
2025-02-13 16:33
Severity ?
EPSS score ?
Summary
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:03:45.933Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-428.txt" }, { "tags": [ "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-428.html" }, { "name": "[oss-security] 20230321 Xen Security Advisory 428 v3 (CVE-2022-42333,CVE-2022-42334) - x86/HVM pinned cache attributes mis-handling", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/03/21/2" }, { "name": "FEDORA-2023-703f133eb3", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, { "name": "FEDORA-2023-da8315e641", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L6PM4RE7MUE6OWA32ZVOXCP235RM2TM/" }, { "name": "DSA-5378", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5378" }, { "tags": [ "x_transferred" ], "url": "https://security.gentoo.org/glsa/202402-07" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-428" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027Aspects of this issue were discovered by Andrew Cooper of XenServer and\\nJan Beulich of SUSE.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334)." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "Entities controlling HVM guests can run the host out of resources or\nstall execution of a physical CPU for effectively unbounded periods of\ntime, resulting in a Denial of Servis (DoS) affecting the entire host.\nCrashes, information leaks, or elevation of privilege cannot be ruled\nout." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-04T08:06:22.081Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-428.txt" }, { "url": "http://xenbits.xen.org/xsa/advisory-428.html" }, { "name": "[oss-security] 20230321 Xen Security Advisory 428 v3 (CVE-2022-42333,CVE-2022-42334) - x86/HVM pinned cache attributes mis-handling", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/03/21/2" }, { "name": "FEDORA-2023-703f133eb3", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR/" }, { "name": "FEDORA-2023-da8315e641", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L6PM4RE7MUE6OWA32ZVOXCP235RM2TM/" }, { "name": "DSA-5378", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5378" }, { "url": "https://security.gentoo.org/glsa/202402-07" } ] } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-42334", "datePublished": "2023-03-21T00:00:00.000Z", "dateReserved": "2022-10-03T00:00:00.000Z", "dateUpdated": "2025-02-13T16:33:21.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-29482
Vulnerability from cvelistv5
Published
2020-12-15 17:14
Modified
2024-08-04 16:55
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause "xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-323.html | x_refsource_MISC | |
https://www.debian.org/security/2020/dsa-4812 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:55:10.536Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-323.html" }, { "name": "DSA-4812", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests\u0027 namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause \"xenstore-ls -r\" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-25T02:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-323.html" }, { "name": "DSA-4812", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-29482", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests\u0027 namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause \"xenstore-ls -r\" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-323.html", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-323.html" }, { "name": "DSA-4812", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4812" }, { "name": "FEDORA-2020-64859a826b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/" }, { "name": "FEDORA-2020-df772b417b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-29482", "datePublished": "2020-12-15T17:14:19", "dateReserved": "2020-12-03T00:00:00", "dateUpdated": "2024-08-04T16:55:10.536Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-2901
Vulnerability from cvelistv5
Published
2013-10-01 17:00
Modified
2024-08-06 23:15
Severity ?
EPSS score ?
Summary
Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/55082 | third-party-advisory, x_refsource_SECUNIA | |
http://www.openwall.com/lists/oss-security/2011/09/02/2 | mailing-list, x_refsource_MLIST | |
http://security.gentoo.org/glsa/glsa-201309-24.xml | vendor-advisory, x_refsource_GENTOO | |
http://rhn.redhat.com/errata/RHSA-2011-1212.html | vendor-advisory, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=728042 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:15:31.518Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55082" }, { "name": "[oss-security] 20110902 Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/09/02/2" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "RHSA-2011:1212", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2011-1212.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=728042" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-09-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-12-27T00:57:03", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55082", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55082" }, { "name": "[oss-security] 20110902 Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/09/02/2" }, { "name": "GLSA-201309-24", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201309-24.xml" }, { "name": "RHSA-2011:1212", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2011-1212.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=728042" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-2901", "datePublished": "2013-10-01T17:00:00", "dateReserved": "2011-07-27T00:00:00", "dateUpdated": "2024-08-06T23:15:31.518Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-5154
Vulnerability from cvelistv5
Published
2015-08-12 14:00
Modified
2024-08-06 06:32
Severity ?
EPSS score ?
Summary
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:32:32.900Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "76048", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76048" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-138.html" }, { "name": "SUSE-SU-2015:1643", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html" }, { "name": "GLSA-201510-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201510-02" }, { "name": "1033074", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1033074" }, { "name": "DSA-3348", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3348" }, { "name": "SUSE-SU-2015:1782", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00019.html" }, { "name": "RHSA-2015:1508", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1508.html" }, { "name": "RHSA-2015:1507", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1507.html" }, { "name": "FEDORA-2015-12714", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163681.html" }, { "name": "RHSA-2015:1512", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1512.html" }, { "name": "SUSE-SU-2015:1455", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00022.html" }, { "name": "SUSE-SU-2015:1299", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00041.html" }, { "name": "SUSE-SU-2015:1426", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00020.html" }, { "name": "FEDORA-2015-12657", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163658.html" }, { "name": "SUSE-SU-2015:1421", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00018.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "SUSE-SU-2015:1302", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00042.html" }, { "name": "SUSE-SU-2015:1409", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00017.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.citrix.com/article/CTX201593" }, { "name": "FEDORA-2015-12679", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163472.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-07-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-27T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "76048", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76048" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-138.html" }, { "name": "SUSE-SU-2015:1643", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html" }, { "name": "GLSA-201510-02", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201510-02" }, { "name": "1033074", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1033074" }, { "name": "DSA-3348", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3348" }, { "name": "SUSE-SU-2015:1782", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00019.html" }, { "name": "RHSA-2015:1508", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1508.html" }, { "name": "RHSA-2015:1507", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1507.html" }, { "name": "FEDORA-2015-12714", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163681.html" }, { "name": "RHSA-2015:1512", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-1512.html" }, { "name": "SUSE-SU-2015:1455", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00022.html" }, { "name": "SUSE-SU-2015:1299", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00041.html" }, { "name": "SUSE-SU-2015:1426", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00020.html" }, { "name": "FEDORA-2015-12657", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163658.html" }, { "name": "SUSE-SU-2015:1421", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00018.html" }, { "name": "GLSA-201604-03", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201604-03" }, { "name": "SUSE-SU-2015:1302", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00042.html" }, { "name": "SUSE-SU-2015:1409", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00017.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.citrix.com/article/CTX201593" }, { "name": "FEDORA-2015-12679", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163472.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5154", "datePublished": "2015-08-12T14:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:32:32.900Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18423
Vulnerability from cvelistv5
Published
2019-10-31 13:36
Modified
2024-08-05 01:54
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m->max_mapped_gfn will be updated using the original frame. It would be possible to set p2m->max_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one allowing "highest mapped + 1" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.
References
▼ | URL | Tags |
---|---|---|
http://xenbits.xen.org/xsa/advisory-301.html | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2019/10/31/4 | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4602 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2020/Jan/21 | mailing-list, x_refsource_BUGTRAQ | |
https://security.gentoo.org/glsa/202003-56 | vendor-advisory, x_refsource_GENTOO |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.432Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-301.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 301 v3 (CVE-2019-18423) - add-to-physmap can be abused to DoS Arm hosts", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/4" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m-\u003emax_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m-\u003emax_mapped_gfn will be updated using the original frame. It would be possible to set p2m-\u003emax_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m-\u003emax_mapped_gfn is off-by-one allowing \"highest mapped + 1\" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-26T14:06:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/advisory-301.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 301 v3 (CVE-2019-18423) - add-to-physmap can be abused to DoS Arm hosts", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/4" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18423", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m-\u003emax_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m-\u003emax_mapped_gfn will be updated using the original frame. It would be possible to set p2m-\u003emax_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m-\u003emax_mapped_gfn is off-by-one allowing \"highest mapped + 1\" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-301.html", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/advisory-301.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 301 v3 (CVE-2019-18423) - add-to-physmap can be abused to DoS Arm hosts", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/31/4" }, { "name": "FEDORA-2019-865bb16900", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-56" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18423", "datePublished": "2019-10-31T13:36:27", "dateReserved": "2019-10-24T00:00:00", "dateUpdated": "2024-08-05T01:54:14.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-33740
Vulnerability from cvelistv5
Published
2022-07-05 12:50
Modified
2024-08-03 08:09
Severity ?
EPSS score ?
Summary
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
References
▼ | URL | Tags |
---|---|---|
https://xenbits.xenproject.org/xsa/advisory-403.txt | x_refsource_MISC | |
http://xenbits.xen.org/xsa/advisory-403.html | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2022/07/05/6 | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2022/dsa-5191 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:09:22.628Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-403.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-403.html" }, { "name": "[oss-security] 20220705 Xen Security Advisory 403 v3 (CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742) - Linux disk/nic frontends data leaks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/05/6" }, { "name": "FEDORA-2022-c4ec706488", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/" }, { "name": "FEDORA-2022-2c9f8224f8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/" }, { "name": "DSA-5191", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5191" }, { "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux", "vendor": "Linux", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-403" } ] }, { "product": "xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-403" } ] } ], "credits": [ { "lang": "en", "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027The issue related to not zeroing memory areas used for shared communications\\nwas discovered by Roger Pau Monn\u00e9 of Citrix.\\n\\nThe issue related to leaking contiguous data in granted pages was disclosed\\npublicly.\u0027}]}}}" } ], "descriptions": [ { "lang": "en", "value": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don\u0027t zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn\u0027t allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742)." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "An untrusted backend can access data not intended to be shared. If such\nmappings are made with write permissions the backend could also cause\nmalfunctions and/or crashes to consumers of contiguous data in the shared\npages." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-02T18:06:12", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xenproject.org/xsa/advisory-403.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://xenbits.xen.org/xsa/advisory-403.html" }, { "name": "[oss-security] 20220705 Xen Security Advisory 403 v3 (CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742) - Linux disk/nic frontends data leaks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/07/05/6" }, { "name": "FEDORA-2022-c4ec706488", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/" }, { "name": "FEDORA-2022-2c9f8224f8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/" }, { "name": "DSA-5191", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5191" }, { "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2022-33740", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "?", "version_value": "consult Xen advisory XSA-403" } ] } } ] }, "vendor_name": "Linux" }, { "product": { "product_data": [ { "product_name": "xen", "version": { "version_data": [ { "version_affected": "?", "version_value": "consult Xen advisory XSA-403" } ] } } ] }, "vendor_name": "Xen" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "All Linux guests using PV devices are vulnerable in case potentially\nmalicious PV device backends are being used." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "The issue related to not zeroing memory areas used for shared communications\nwas discovered by Roger Pau Monn\u00e9 of Citrix.\n\nThe issue related to leaking contiguous data in granted pages was disclosed\npublicly." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don\u0027t zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn\u0027t allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742)." } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "An untrusted backend can access data not intended to be shared. If such\nmappings are made with write permissions the backend could also cause\nmalfunctions and/or crashes to consumers of contiguous data in the shared\npages." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "name": "https://xenbits.xenproject.org/xsa/advisory-403.txt", "refsource": "MISC", "url": "https://xenbits.xenproject.org/xsa/advisory-403.txt" }, { "name": "http://xenbits.xen.org/xsa/advisory-403.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-403.html" }, { "name": "[oss-security] 20220705 Xen Security Advisory 403 v3 (CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742) - Linux disk/nic frontends data leaks", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/07/05/6" }, { "name": "FEDORA-2022-c4ec706488", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/" }, { "name": "FEDORA-2022-2c9f8224f8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/" }, { "name": "DSA-5191", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5191" }, { "name": "[debian-lts-announce] 20221002 [SECURITY] [DLA 3131-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "There is no mitigation available other than not using PV devices in case\na backend is suspected to be potentially malicious." } ] } } } } } }, "cveMetadata": { "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "assignerShortName": "XEN", "cveId": "CVE-2022-33740", "datePublished": "2022-07-05T12:50:30", "dateReserved": "2022-06-15T00:00:00", "dateUpdated": "2024-08-03T08:09:22.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19965
Vulnerability from cvelistv5
Published
2018-12-08 04:00
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
References
▼ | URL | Tags |
---|---|---|
https://support.citrix.com/article/CTX239432 | x_refsource_CONFIRM | |
https://xenbits.xen.org/xsa/advisory-279.html | x_refsource_MISC | |
https://www.debian.org/security/2019/dsa-4369 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/106182 | vdb-entry, x_refsource_BID | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXC6BME7SXJI2ZIATNXCAH7RGPI4UKTT/ | vendor-advisory, x_refsource_FEDORA | |
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00072.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:51:17.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.citrix.com/article/CTX239432" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://xenbits.xen.org/xsa/advisory-279.html" }, { "name": "DSA-4369", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4369" }, { "name": "106182", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106182" }, { "name": "FEDORA-2019-bce6498890", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXC6BME7SXJI2ZIATNXCAH7RGPI4UKTT/" }, { "name": "openSUSE-SU-2019:1226", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00072.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-12-07T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-04-17T20:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.citrix.com/article/CTX239432" }, { "tags": [ "x_refsource_MISC" ], "url": "https://xenbits.xen.org/xsa/advisory-279.html" }, { "name": "DSA-4369", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4369" }, { "name": "106182", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106182" }, { "name": "FEDORA-2019-bce6498890", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXC6BME7SXJI2ZIATNXCAH7RGPI4UKTT/" }, { "name": "openSUSE-SU-2019:1226", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00072.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19965", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://support.citrix.com/article/CTX239432", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX239432" }, { "name": "https://xenbits.xen.org/xsa/advisory-279.html", "refsource": "MISC", "url": "https://xenbits.xen.org/xsa/advisory-279.html" }, { "name": "DSA-4369", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4369" }, { "name": "106182", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106182" }, { "name": "FEDORA-2019-bce6498890", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXC6BME7SXJI2ZIATNXCAH7RGPI4UKTT/" }, { "name": "openSUSE-SU-2019:1226", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00072.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19965", "datePublished": "2018-12-08T04:00:00", "dateReserved": "2018-12-07T00:00:00", "dateUpdated": "2024-08-05T11:51:17.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-42336
Vulnerability from cvelistv5
Published
2023-05-17 00:00
Modified
2025-01-22 20:08
Severity ?
EPSS score ?
Summary
Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:03:45.951Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://xenbits.xen.org/xsa/advisory-431.html" }, { "tags": [ "x_transferred" ], "url": "https://xenbits.xenproject.org/xsa/advisory-431.txt" }, { "name": "FEDORA-2023-8334fe0ecb", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTO3U3WYLAZW3KLPKJZ332FYUREXPZMQ/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-42336", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-22T20:08:02.301497Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-22T20:08:06.226Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "xen", "vendor": "Xen", "versions": [ { "status": "unknown", "version": "consult Xen advisory XSA-431" } ] } ], "descriptions": [ { "lang": "en", "value": "Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it\u0027s possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won\u0027t have effect because the hypervisor assumes it\u0027s already active." } ], "metrics": [ { "other": { "content": { "description": { "description_data": [ { "lang": "eng", "value": "An attacker with control over a guest can mislead other guests into\nobserving SSBD active when it is not." } ] } }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "unknown", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-27T00:00:00.000Z", "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN" }, "references": [ { "url": "https://xen