SUSE-SU-2012:1486

SUSE-SU-2012:1487

openSUSE-SU-2012:1572

openSUSE-SU-2012:1573

SUSE-SU-2014:0446

[Xen-announce] 20120906 Xen Security Advisory 19 - guest administrator can access qemu monitor console

[Xen-announce] 20120907 Xen Security Advisory 19 (CVE-2012-4411) - guest administrator can access qemu monitor console

50493

51324

51352

51413

55082

GLSA-201309-24

DSA-2543

[oss-security] 20120906 Xen Security Advisory 19 - guest administrator can access qemu monitor console

[oss-security] 20120906 Re: Xen Security Advisory 19 - guest administrator can access qemu monitor console

[oss-security] 20120907 Xen Security Advisory 19 (CVE-2012-4411) - guest administrator can access qemu monitor console

55442

GLSA-201604-03

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs.

The following security issues have been addressed :

XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163)

XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests.
(bnc#860163)

XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163)

XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049)

XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668)

XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667)

XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657)

XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS:
segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511)

XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766)

XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory.
(bnc#840592)

XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596)

XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618)

XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120)

XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to 'deep page table traversal.' (bnc#826882)

XSA-58: CVE-2013-1432: Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possible gain privileges via unspecified vectors. (bnc#826882)

XSA-57: CVE-2013-2211: The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors.
(bnc#823608)

XSA-56: CVE-2013-2072: Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. (bnc#819416)

XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'other problems' that are not CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'pointer dereferences' involving unexpected calculations. (bnc#823011)

XSA-55: CVE-2013-2194: Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. (bnc#823011)

XSA-53: CVE-2013-2077: Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors.
(bnc#820919)

XSA-52: CVE-2013-2076: Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. (bnc#820917)

XSA-50: CVE-2013-1964: Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possible have other impacts via unspecified vectors. (bnc#816156)

XSA-49: CVE-2013-1952: Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. (bnc#816163)

XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running 'under memory pressure' and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. (bnc#813677)

XSA-46: CVE-2013-1919: Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to 'passed-through IRQs or PCI devices.' (bnc#813675)

XSA-45: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to 'deep page table traversal.' (bnc#816159)

XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. (bnc#813673)

XSA-41: CVE-2012-6075: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. (bnc#797523)

XSA-37: CVE-2013-0154: The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall. (bnc#797031)

XSA-36: CVE-2013-0153: The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.
(bnc#800275)

XSA-33: CVE-2012-5634: Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device that is behind a legacy PCI Bridge, which allows local guests to cause a denial of service to other guests by injecting an interrupt.
(bnc#794316)

XSA-31: CVE-2012-5515: The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. (bnc#789950)

XSA-30: CVE-2012-5514: The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. (bnc#789948)

XSA-29: CVE-2012-5513: The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. (bnc#789951)

XSA-27: CVE-2012-6333: Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input. (bnc#789944)

XSA-27: CVE-2012-5511: Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image.
(bnc#789944)

XSA-26: CVE-2012-5510: Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#789945)

XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
(bnc#787163)

XSA-24: CVE-2012-4539: Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka 'Grant table hypercall infinite loop DoS vulnerability.' (bnc#786520)

XSA-23: CVE-2012-4538: The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#786519)

XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka 'Memory mapping failure DoS vulnerability.' (bnc#786517)

XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an 'inappropriate deadline.' (bnc#786516)

XSA-19: CVE-2012-4411: The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor.
NOTE: this might be a duplicate of CVE-2007-0998.
(bnc#779212)

XSA-15: CVE-2012-3497: (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. (bnc#777890)

Also the following non-security bugs have been fixed :

  - xen hot plug attach/detach fails modified     blktap-pv-cdrom.patch. (bnc#805094)

  - guest 'disappears' after live migration Updated     block-dmmd script. (bnc#777628)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

XEN received various security and bugfixes :

  - CVE-2012-4535: xen: Timer overflow DoS vulnerability     (XSA-20)

  - CVE-2012-4537: xen: Memory mapping failure DoS     vulnerability (XSA-22)

The following additional bugs have been fixed :

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     25927-x86-domctl-ioport-mapping-range.patch     25931-x86-domctl-iomem-mapping-checks.patch     26061-x86-oprof-counter-range.patch     25431-x86-EDD-MBR-sig-check.patch     25480-x86_64-sysret-canonical.patch     25481-x86_64-AMD-erratum-121.patch     25485-x86_64-canonical-checks.patch     25587-param-parse-limit.patch     25589-pygrub-size-limits.patch     25744-hypercall-return-long.patch     25765-x86_64-allow-unsafe-adjust.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch     25200-x86_64-trap-bounce-flags.patch     25271-x86_64-IST-index.patch bnc#651093 - win2k8 guests     are unable to restore after saving the vms state     ept-novell-x64.patch 23800-x86_64-guest-addr-range.patch     24168-x86-vioapic-clear-remote_irr.patch     24453-x86-vIRQ-IRR-TMR-race.patch     24456-x86-emul-lea.patch

    bnc#713555 - Unable to install RHEL 6.1 x86 as a     paravirtualized guest OS on SLES 10 SP4 x86     vm-install-0.2.19.tar.bz2

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - compat/gnttab: Prevent infinite loop in compat code c/s     20281:95ea2052b41b, which introduces Grant Table version     2 hypercalls introduces a vulnerability whereby the     compat hypercall handler can fall into an infinite loop.
    If the watchdog is enabled, Xen will die after the     timeout. This is a security problem, XSA-24 /     CVE-2012-4539. (CVE-2012-4539)

  - xen/mm/shadow: check toplevel pagetables are present     before unhooking them. If the guest has not fully     populated its top-level PAE entries when it calls     HVMOP_pagetable_dying, the shadow code could try to     unhook entries from MFN 0. Add a check to avoid that     case. This issue was introduced by c/s     21239:b9d2db109cf5. This is a security problem, XSA-23 /     CVE-2012-4538. (CVE-2012-4538)

  - x86/physmap: Prevent incorrect updates of m2p mappings     In certain conditions, such as low memory, set_p2m_entry     can fail. Currently, the p2m and m2p tables will get out     of sync because we still update the m2p table after the     p2m update has failed. If that happens, subsequent     guest-invoked memory operations can cause BUGs and     ASSERTs to kill Xen. This is fixed by only updating the     m2p table iff the p2m was successfully updated. This is     a security problem, XSA-22 / CVE-2012-4537.
    (CVE-2012-4537)

  - VCPU/timers: Prevent overflow in calculations, leading     to DoS vulnerability The timer action for a vcpu     periodic timer is to calculate the next expiry time, and     to reinsert itself into the timer queue. If the deadline     ends up in the past, Xen never leaves __do_softirq. The     affected PCPU will stay in an infinite loop until Xen is     killed by the watchdog (if enabled). This is a security     problem, XSA-20 / CVE-2012-4535. (CVE-2012-4535)

  - always release vm running lock on VM shutdown Before     this patch, when xend restarted, the VM running lock     will not be released on shutdown, so the VM could never     start again. Talked with Junjie, we recommend always     releasing the lock on VM shutdown. So even when xend     restarted, there should be no stale lock leaving there.

  - Xen Security Advisory CVE-2012-4411 / XSA-19 version 2     guest administrator can access qemu monitor console     Disable qemu monitor by default. The qemu monitor is an     overly powerful feature which must be protected from     untrusted (guest) administrators. (CVE-2012-4411)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Xen Security Advisory CVE-2012-4411 / XSA-19 version 2     guest administrator can access qemu monitor console     Disable qemu monitor by default. The qemu monitor is an     overly powerful feature which must be protected from     untrusted (guest) administrators. (CVE-2012-4411)

  - fix xm create vcpu_avail exceeds XMLRPC int limits If     maxvcpus = vcpus = 40, (1<<40 -1) will exceed XMLRPC int     limit. Change it to str will work. Then in the xend     side, it will converted back to int. (CVE-2012-3515)

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

------------------------------------------------------------------- Mon Sep 24 16:41:58 CEST 2012 - ohering@suse.de

  - use BuildRequires: gcc46 only in sles11sp2 or 12.1 to     fix build in 11.4

------------------------------------------------------------------- Thu Sep 20 10:03:40 MDT 2012 - carnold@novell.com

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

XEN was updated to fix various bugs and security issues :

The following security issues have been fixed :

  - xen: Domain builder Out-of-memory due to malicious     kernel/ramdisk (XSA 25). (CVE-2012-4544)

  - XEN / qemu: guest administrator can access qemu monitor     console (XSA-19). (CVE-2012-4411)

  - xen: Timer overflow DoS vulnerability (XSA 20).
    (CVE-2012-4535)

  - xen: pirq range check DoS vulnerability (XSA 21).
    (CVE-2012-4536)

  - xen: Memory mapping failure DoS vulnerability (XSA 22).
    (CVE-2012-4537)

  - xen: Unhooking empty PAE entries DoS vulnerability (XSA     23). (CVE-2012-4538)

  - xen: Grant table hypercall infinite loop DoS     vulnerability (XSA 24). (CVE-2012-4539)

  - xen: multiple TMEM hypercall vulnerabilities (XSA-15)     Also the following bugs have been fixed and upstream     patches have been applied:. (CVE-2012-3497)

  - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087)

  - Upstream patches merged:
    26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - first XEN-PV VM fails to spawn xend: Increase wait time     for disk to appear in host bootloader Modified existing     xen-domUloader.diff. (bnc#778105)

    25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch

libvirt received security and bugfixes :

  - Fixed a libvirt remote denial of service (crash)     problem. The following bugs have been fixed :.
    (CVE-2012-4423)

  - qemu: Fix probing for guest capabilities

  - xen-xm: Generate UUID if not specified

  - xenParseXM: don't dereference NULL pointer when script     is empty

XEN received various security and bugfixes :

  - xen: Timer overflow DoS vulnerability (XSA-20).
    (CVE-2012-4535)

  - xen: Memory mapping failure DoS vulnerability (XSA-22)     The following additional bugs have beenfixed:.
    (CVE-2012-4537)

  - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087)

  - Upstream patches from Jan     25927-x86-domctl-ioport-mapping-range.patch     25931-x86-domctl-iomem-mapping-checks.patch     26061-x86-oprof-counter-range.patch     25431-x86-EDD-MBR-sig-check.patch     25480-x86_64-sysret-canonical.patch     25481-x86_64-AMD-erratum-121.patch     25485-x86_64-canonical-checks.patch     25587-param-parse-limit.patch     25589-pygrub-size-limits.patch     25744-hypercall-return-long.patch     25765-x86_64-allow-unsafe-adjust.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch     25200-x86_64-trap-bounce-flags.patch     25271-x86_64-IST-index.patch

  - win2k8 guests are unable to restore after saving the vms     state ept-novell-x64.patch     23800-x86_64-guest-addr-range.patch     24168-x86-vioapic-clear-remote_irr.patch     24453-x86-vIRQ-IRR-TMR-race.patch     24456-x86-emul-lea.patch. (bnc#651093)

  - Unable to install RHEL 6.1 x86 as a paravirtualized     guest OS on SLES 10 SP4 x86 vm-install-0.2.19.tar.bz2.
    (bnc#713555)

disable qemu monitor by default [XSA-19, CVE-2012-4411] (#855141)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

a malicious 64-bit PV guest can crash the dom0 [XSA-12, CVE-2012-3494] (#854585) a malicious crash might be able to crash the dom0 or escalate privileges [XSA-13, CVE-2012-3495] (#854589) a malicious PV guest can crash the dom0 [XSA-14, CVE-2012-3496] (#854590) a malicious HVM guest can crash the dom0 and might be able to read hypervisor or guest memory [XSA-16, CVE-2012-3498] (#854593) an HVM guest could use VT100 escape sequences to escalate privileges to that of the qemu process [XSA-17, CVE-2012-3515] (#854599) disable qemu monitor by default [XSA-19, CVE-2012-4411] (#855141)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in xen-qemu-dm-4.0, the Xen QEMU Device Model virtual machine hardware emulator. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2012-3515 :
    The device model for HVM domains does not properly     handle VT100 escape sequences when emulating certain     devices with a virtual console backend. An attacker     within a guest with access to the vulnerable virtual     console could overwrite memory of the device model and     escalate privileges to that of the device model process.

  - CVE-2012-4411 :
    The QEMU monitor was enabled by default, allowing     administrators of a guest to access resources of the     host, possibly escalate privileges or access resources     belonging to another guest.

ID	Name	Product	Family	Severity
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	critical
83616	SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1)	Nessus	SuSE Local Security Checks	high
83564	SUSE SLED10 / SLES10 Security Update : Xen (SUSE-SU-2012:1487-1)	Nessus	SuSE Local Security Checks	medium
79488	OracleVM 3.0 : xen (OVMSA-2012-0050)	Nessus	OracleVM Local Security Checks	medium
79485	OracleVM 3.1 : xen (OVMSA-2012-0046)	Nessus	OracleVM Local Security Checks	high
74821	openSUSE Security Update : XEN (openSUSE-SU-2012:1573-1)	Nessus	SuSE Local Security Checks	high
74820	openSUSE Security Update : XEN (openSUSE-SU-2012:1572-1)	Nessus	SuSE Local Security Checks	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
64238	SuSE 11.2 Security Update : Xen (SAT Patch Number 7018)	Nessus	SuSE Local Security Checks	medium
64201	SuSE 11.2 Security Update : libvirt (SAT Patch Number 7015)	Nessus	SuSE Local Security Checks	medium
62963	SuSE 10 Security Update : Xen (ZYPP Patch Number 8359)	Nessus	SuSE Local Security Checks	medium
62160	Fedora 18 : xen-4.1.3-4.fc18 (2012-13536)	Nessus	Fedora Local Security Checks	medium
62155	Fedora 16 : xen-4.1.3-2.fc16 (2012-13443)	Nessus	Fedora Local Security Checks	high
62153	Fedora 17 : xen-4.1.3-4.fc17 (2012-13434)	Nessus	Fedora Local Security Checks	medium
62014	Debian DSA-2543-1 : xen-qemu-dm-4.0 - multiple vulnerabilities	Nessus	Debian Local Security Checks	high

CVE-2012-4411

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

medium

medium

high

high

high

high

medium

medium

medium

medium

high

medium

high