SUSE-SU-2012:1486

SUSE-SU-2012:1487

openSUSE-SU-2012:1572

openSUSE-SU-2012:1573

[Xen-announce] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability

87297

51200

51324

51352

51413

55082

GLSA-201309-24

[oss-security] 20121113 Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability

56498

1027760

xen-domainpirqtoemuirq-dos(80023)

GLSA-201604-03

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.

XEN received various security and bugfixes :

  - CVE-2012-4535: xen: Timer overflow DoS vulnerability     (XSA-20)

  - CVE-2012-4537: xen: Memory mapping failure DoS     vulnerability (XSA-22)

The following additional bugs have been fixed :

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     25927-x86-domctl-ioport-mapping-range.patch     25931-x86-domctl-iomem-mapping-checks.patch     26061-x86-oprof-counter-range.patch     25431-x86-EDD-MBR-sig-check.patch     25480-x86_64-sysret-canonical.patch     25481-x86_64-AMD-erratum-121.patch     25485-x86_64-canonical-checks.patch     25587-param-parse-limit.patch     25589-pygrub-size-limits.patch     25744-hypercall-return-long.patch     25765-x86_64-allow-unsafe-adjust.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch     25200-x86_64-trap-bounce-flags.patch     25271-x86_64-IST-index.patch bnc#651093 - win2k8 guests     are unable to restore after saving the vms state     ept-novell-x64.patch 23800-x86_64-guest-addr-range.patch     24168-x86-vioapic-clear-remote_irr.patch     24453-x86-vIRQ-IRR-TMR-race.patch     24456-x86-emul-lea.patch

    bnc#713555 - Unable to install RHEL 6.1 x86 as a     paravirtualized guest OS on SLES 10 SP4 x86     vm-install-0.2.19.tar.bz2

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - libxc: builder: limit maximum size of kernel/ramdisk.
    Allowing user supplied kernels of arbitrary sizes,     especially during decompression, can swallow up dom0     memory leading to either virtual address space     exhaustion in the builder process or allocation     failures/OOM killing of both toolstack and unrelated     processes. We disable these checks when building in a     stub domain for pvgrub since this uses the guest's own     memory and is isolated. Decompression of gzip compressed     kernels and ramdisks has been safe since     14954:58205257517d (Xen 3.1.0 onwards). This is XSA-25 /     CVE-2012-4544. Also make explicit checks for buffer     overflows in various decompression routines. These were     already ruled out due to other properties of the code     but check them as a belt-and-braces measure.

    [ Includes 25589:60f09d1ab1fe for CVE-2012-2625]     (CVE-2012-4544)

  - compat/gnttab: Prevent infinite loop in compat code c/s     20281:95ea2052b41b, which introduces Grant Table version     2 hypercalls introduces a vulnerability whereby the     compat hypercall handler can fall into an infinite loop.
    If the watchdog is enabled, Xen will die after the     timeout. This is a security problem, XSA-24 /     CVE-2012-4539. (CVE-2012-4539)

  - xen/mm/shadow: check toplevel pagetables are present     before unhooking them. If the guest has not fully     populated its top-level PAE entries when it calls     HVMOP_pagetable_dying, the shadow code could try to     unhook entries from MFN 0. Add a check to avoid that     case. This issue was introduced by c/s     21239:b9d2db109cf5. This is a security problem, XSA-23 /     CVE-2012-4538. (CVE-2012-4538)

  - x86/physmap: Prevent incorrect updates of m2p mappings     In certain conditions, such as low memory, set_p2m_entry     can fail. Currently, the p2m and m2p tables will get out     of sync because we still update the m2p table after the     p2m update has failed. If that happens, subsequent     guest-invoked memory operations can cause BUGs and     ASSERTs to kill Xen. This is fixed by only updating the     m2p table iff the p2m was successfully updated. This is     a security problem, XSA-22 / CVE-2012-4537.
    (CVE-2012-4537)

  - x86/physdev: Range check pirq parameter from guests     Otherwise Xen will read beyond either end of the struct     domain.arch.pirq_emuirq array, usually resulting in a     fatal page fault. This vulnerability was introduced by     c/s 23241:d21100f1d00e, which adds a call to     domain_pirq_to_emuirq which uses the guest provided pirq     value before range checking it, and was fixed by c/s     23573:584c2e5e03d9 which changed the behaviour of the     domain_pirq_to_emuirq macro to use radix trees instead     of a flat array. This is XSA-21 / CVE-2012-4536.
    (CVE-2012-4536)

  - VCPU/timers: Prevent overflow in calculations, leading     to DoS vulnerability The timer action for a vcpu     periodic timer is to calculate the next expiry time, and     to reinsert itself into the timer queue. If the deadline     ends up in the past, Xen never leaves __do_softirq. The     affected PCPU will stay in an infinite loop until Xen is     killed by the watchdog (if enabled). This is a security     problem, XSA-20 / CVE-2012-4535. (CVE-2012-4535)

  - Correct RTC time offset update error for HVM guest     changeset 24947:b198ada9689d

  - always release vm running lock on VM shutdown Before     this patch, when xend restarted, the VM running lock     will not be released on shutdown, so the VM could never     start again. Talked with Junjie, we recommend always     releasing the lock on VM shutdown. So even when xend     restarted, there should be no stale lock leaving there.

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

------------------------------------------------------------------- Mon Sep 24 16:41:58 CEST 2012 - ohering@suse.de

  - use BuildRequires: gcc46 only in sles11sp2 or 12.1 to     fix build in 11.4

------------------------------------------------------------------- Thu Sep 20 10:03:40 MDT 2012 - carnold@novell.com

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

XEN was updated to fix various bugs and security issues :

The following security issues have been fixed :

  - xen: Domain builder Out-of-memory due to malicious     kernel/ramdisk (XSA 25). (CVE-2012-4544)

  - XEN / qemu: guest administrator can access qemu monitor     console (XSA-19). (CVE-2012-4411)

  - xen: Timer overflow DoS vulnerability (XSA 20).
    (CVE-2012-4535)

  - xen: pirq range check DoS vulnerability (XSA 21).
    (CVE-2012-4536)

  - xen: Memory mapping failure DoS vulnerability (XSA 22).
    (CVE-2012-4537)

  - xen: Unhooking empty PAE entries DoS vulnerability (XSA     23). (CVE-2012-4538)

  - xen: Grant table hypercall infinite loop DoS     vulnerability (XSA 24). (CVE-2012-4539)

  - xen: multiple TMEM hypercall vulnerabilities (XSA-15)     Also the following bugs have been fixed and upstream     patches have been applied:. (CVE-2012-3497)

  - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087)

  - Upstream patches merged:
    26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - first XEN-PV VM fails to spawn xend: Increase wait time     for disk to appear in host bootloader Modified existing     xen-domUloader.diff. (bnc#778105)

    25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch

libvirt received security and bugfixes :

  - Fixed a libvirt remote denial of service (crash)     problem. The following bugs have been fixed :.
    (CVE-2012-4423)

  - qemu: Fix probing for guest capabilities

  - xen-xm: Generate UUID if not specified

  - xenParseXM: don't dereference NULL pointer when script     is empty

A guest can block a cpu by setting a bad VCPU deadline [XSA 20, CVE-2012-4535] (#876198) HVM guest can use invalid pirq values to crash xen [XSA 21, CVE-2012-4536] (#876200) HVM guest can exhaust p2m table crashing xen [XSA 22, CVE-2012-4537] (#876203) PAE HVM guest can crash hypervisor [XSA-23, CVE-2012-4538] (#876205) 32-bit PV guest on 64-bit hypervisor can cause an hypervisor infinite loop [XSA-24, CVE-2012-4539] (#876207)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

XEN received various security and bugfixes :

  - xen: Timer overflow DoS vulnerability (XSA-20).
    (CVE-2012-4535)

  - xen: Memory mapping failure DoS vulnerability (XSA-22)     The following additional bugs have beenfixed:.
    (CVE-2012-4537)

  - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087)

  - Upstream patches from Jan     25927-x86-domctl-ioport-mapping-range.patch     25931-x86-domctl-iomem-mapping-checks.patch     26061-x86-oprof-counter-range.patch     25431-x86-EDD-MBR-sig-check.patch     25480-x86_64-sysret-canonical.patch     25481-x86_64-AMD-erratum-121.patch     25485-x86_64-canonical-checks.patch     25587-param-parse-limit.patch     25589-pygrub-size-limits.patch     25744-hypercall-return-long.patch     25765-x86_64-allow-unsafe-adjust.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch     25200-x86_64-trap-bounce-flags.patch     25271-x86_64-IST-index.patch

  - win2k8 guests are unable to restore after saving the vms     state ept-novell-x64.patch     23800-x86_64-guest-addr-range.patch     24168-x86-vioapic-clear-remote_irr.patch     24453-x86-vIRQ-IRR-TMR-race.patch     24456-x86-emul-lea.patch. (bnc#651093)

  - Unable to install RHEL 6.1 x86 as a paravirtualized     guest OS on SLES 10 SP4 x86 vm-install-0.2.19.tar.bz2.
    (bnc#713555)

ID	Name	Product	Family	Severity
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	critical
84140	OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)	Nessus	OracleVM Local Security Checks	low
83564	SUSE SLED10 / SLES10 Security Update : Xen (SUSE-SU-2012:1487-1)	Nessus	SuSE Local Security Checks	medium
79489	OracleVM 3.1 : xen (OVMSA-2012-0051)	Nessus	OracleVM Local Security Checks	medium
74821	openSUSE Security Update : XEN (openSUSE-SU-2012:1573-1)	Nessus	SuSE Local Security Checks	high
74820	openSUSE Security Update : XEN (openSUSE-SU-2012:1572-1)	Nessus	SuSE Local Security Checks	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
64238	SuSE 11.2 Security Update : Xen (SAT Patch Number 7018)	Nessus	SuSE Local Security Checks	medium
64201	SuSE 11.2 Security Update : libvirt (SAT Patch Number 7015)	Nessus	SuSE Local Security Checks	medium
63010	Fedora 16 : xen-4.1.3-4.fc16 (2012-18249)	Nessus	Fedora Local Security Checks	medium
63009	Fedora 17 : xen-4.1.3-6.fc17 (2012-18242)	Nessus	Fedora Local Security Checks	medium
62963	SuSE 10 Security Update : Xen (ZYPP Patch Number 8359)	Nessus	SuSE Local Security Checks	medium

CVE-2012-4536

LOW

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

low

medium

medium

high

high

high

medium

medium

medium

medium

medium