SUSE-SU-2014:0411

SUSE-SU-2014:0446

SUSE-SU-2014:0470

55082

GLSA-201309-24

http://support.citrix.com/article/CTX138058

DSA-3006

[oss-security] 20130620 Re: Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling

[oss-security] 20130620 Xen Security Advisory 55 (CVE-2013-2194,CVE-2013-2195,CVE-2013-2196) - Multiple vulnerabilities in libelf PV kernel handling

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.

The SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen hypervisor and toolset have been updated to fix various security issues :

The following security issues have been addressed :

XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an 'inappropriate deadline'. (bnc#786516)

XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka 'Memory mapping failure DoS vulnerability'. (bnc#786517)

XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
(bnc#787163)

XSA-29: CVE-2012-5513: The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. (bnc#789951)

XSA-31: CVE-2012-5515: The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. (bnc#789950)

XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. (bnc#813673)

XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running 'under memory pressure' and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. (bnc#813677)

XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'other problems' that are not CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'pointer dereferences' involving unexpected calculations. (bnc#823011)

XSA-55: CVE-2013-2194: Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. (bnc#823011)

XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory.
(bnc#840592)

XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS:
segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511)

XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657)

XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668)

XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs.

The following security issues have been addressed :

XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163)

XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests.
(bnc#860163)

XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163)

XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049)

XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668)

XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667)

XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657)

XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS:
segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511)

XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766)

XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory.
(bnc#840592)

XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596)

XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618)

XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120)

XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to 'deep page table traversal.' (bnc#826882)

XSA-58: CVE-2013-1432: Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possible gain privileges via unspecified vectors. (bnc#826882)

XSA-57: CVE-2013-2211: The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors.
(bnc#823608)

XSA-56: CVE-2013-2072: Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. (bnc#819416)

XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'other problems' that are not CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to 'pointer dereferences' involving unexpected calculations. (bnc#823011)

XSA-55: CVE-2013-2194: Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. (bnc#823011)

XSA-53: CVE-2013-2077: Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors.
(bnc#820919)

XSA-52: CVE-2013-2076: Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. (bnc#820917)

XSA-50: CVE-2013-1964: Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possible have other impacts via unspecified vectors. (bnc#816156)

XSA-49: CVE-2013-1952: Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. (bnc#816163)

XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running 'under memory pressure' and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. (bnc#813677)

XSA-46: CVE-2013-1919: Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to 'passed-through IRQs or PCI devices.' (bnc#813675)

XSA-45: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to 'deep page table traversal.' (bnc#816159)

XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. (bnc#813673)

XSA-41: CVE-2012-6075: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. (bnc#797523)

XSA-37: CVE-2013-0154: The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall. (bnc#797031)

XSA-36: CVE-2013-0153: The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests.
(bnc#800275)

XSA-33: CVE-2012-5634: Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device that is behind a legacy PCI Bridge, which allows local guests to cause a denial of service to other guests by injecting an interrupt.
(bnc#794316)

XSA-31: CVE-2012-5515: The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. (bnc#789950)

XSA-30: CVE-2012-5514: The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. (bnc#789948)

XSA-29: CVE-2012-5513: The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. (bnc#789951)

XSA-27: CVE-2012-6333: Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input. (bnc#789944)

XSA-27: CVE-2012-5511: Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image.
(bnc#789944)

XSA-26: CVE-2012-5510: Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#789945)

XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
(bnc#787163)

XSA-24: CVE-2012-4539: Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka 'Grant table hypercall infinite loop DoS vulnerability.' (bnc#786520)

XSA-23: CVE-2012-4538: The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. (bnc#786519)

XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka 'Memory mapping failure DoS vulnerability.' (bnc#786517)

XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an 'inappropriate deadline.' (bnc#786516)

XSA-19: CVE-2012-4411: The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor.
NOTE: this might be a duplicate of CVE-2007-0998.
(bnc#779212)

XSA-15: CVE-2012-3497: (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. (bnc#777890)

Also the following non-security bugs have been fixed :

  - xen hot plug attach/detach fails modified     blktap-pv-cdrom.patch. (bnc#805094)

  - guest 'disappears' after live migration Updated     block-dmmd script. (bnc#777628)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS Xen hypervisor and toolset have been updated to fix various security issues.

The following security issues have been addressed :

  - XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h     through 0Fh processors does not properly handle the     interaction between locked instructions and     write-combined memory types, which allows local users to     cause a denial of service (system hang) via a crafted     application, aka the errata 793 issue. (bnc#853049)

  - XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly     4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly     4.3.1) does not properly prevent access to hypercalls,     which allows local guest users to gain privileges via a     crafted application running in ring 1 or 2. (bnc#849668)

  - XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and     4.3.x does not take the page_alloc_lock and     grant_table.lock in the same order, which allows local     guest administrators with access to multiple vcpus to     cause a denial of service (host deadlock) via     unspecified vectors. (bnc#848657)

  - XSA-67: CVE-2013-4368: The outs instruction emulation in     Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or     GS: segment override, uses an uninitialized variable as     a segment base, which allows local 64-bit PV guests to     obtain sensitive information (hypervisor stack content)     via unspecified vectors related to stale data in a     segment register. (bnc#842511)

  - XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not     properly handle certain errors, which allows local HVM     guests to obtain hypervisor stack memory via a (1) port     or (2) memory mapped I/O write or (3) other unspecified     operations related to addresses without associated     memory. (bnc#840592)

  - XSA-55: CVE-2013-2196: Multiple unspecified     vulnerabilities in the Elf parser (libelf) in Xen 4.2.x     and earlier allow local guest administrators with     certain permissions to have an unspecified impact via a     crafted kernel, related to 'other problems' that are not     CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

  - XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen     4.2.x and earlier allow local guest administrators with     certain permissions to have an unspecified impact via a     crafted kernel, related to 'pointer dereferences'     involving unexpected calculations. (bnc#823011)

  - XSA-55: CVE-2013-2194: Multiple integer overflows in the     Elf parser (libelf) in Xen 4.2.x and earlier allow local     guest administrators with certain permissions to have an     unspecified impact via a crafted kernel. (bnc#823011)

  - XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier,     when the hypervisor is running 'under memory pressure'     and the Xen Security Module (XSM) is enabled, uses the     wrong ordering of operations when extending the     per-domain event channel tracking table, which causes a     use-after-free and allows local guest kernels to inject     arbitrary events and gain privileges via unspecified     vectors. (bnc#813677)

  - XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when running     64-bit hosts on Intel CPUs, does not clear the NT flag     when using an IRET after a SYSENTER instruction, which     allows PV guest users to cause a denial of service     (hypervisor crash) by triggering a #GP fault, which is     not properly handled by another IRET instruction.
    (bnc#813673)

  - XSA-25: CVE-2012-4544: The PV domain builder in Xen 4.2     and earlier does not validate the size of the kernel or     ramdisk (1) before or (2) after decompression, which     allows local guest administrators to cause a denial of     service (domain 0 memory consumption) via a crafted (a)     kernel or (b) ramdisk. (bnc#787163)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86: check segment descriptor read result in 64-bit OUTS     emulation XSA-67 (Matthew Daley) [orabug 17571640]     (CVE-2013-4368)

  - x86: properly set up fbld emulation operand address     XSA-66 (Jan Beulich) [orabug 17472492] (CVE-2013-4361)

  - x86: properly handle hvm_copy_from_guest_[phys,virt]     errors XSA-63 (Jan Beulich) [orabug 17472461]     (CVE-2013-4355)

  - libxc: builder: limit maximum size of kernel/ramdisk     (Ian Campbell) [orabug 15852491] (CVE-2012-4544)

  - libxc: builder: Correct fix for CVE-2012-4544 (Ian     Campbell) [orabug 15852491] (CVE-2012-4544)

  - [PATCH 01/21] libelf: abolish libelf-relocate.c (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 02/21] libxc: introduce xc_dom_seg_to_ptr_pages     (Ian Jackson) [orabug 16902308] (CVE-2013-2194     CVE-2013-2195 CVE-2013-2196)

  - [PATCH 03/21] libxc: Fix range checking in     xc_dom_pfn_to_ptr etc. (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 04/21] libelf: abolish elf_sval and     elf_access_signed (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 05/21] libelf/xc_dom_load_elf_symtab: Do not use     'syms' uninitialised (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 06/21] libelf: introduce macros for memory access     and pointer handling (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 07/21] tools/xcutils/readnotes: adjust     print_l1_mfn_valid_note (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 08/21] libelf: check nul-terminated strings     properly (Ian Jackson) [orabug 16902308] (CVE-2013-2194     CVE-2013-2195 CVE-2013-2196)

  - [PATCH 09/21] libelf: check all pointer accesses (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 10/21] libelf: Check pointer references in     elf_is_elfbinary (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 11/21] libelf: Make all callers call     elf_check_broken (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 12/21] libelf: use C99 bool for booleans (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 13/21] libelf: use only unsigned integers (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 14/21] libxc: Introduce xc_bitops.h (Ian Jackson)     [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 15/21] libelf: check loops for running away (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 16/21] libelf: abolish obsolete macros (Ian     Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - [PATCH 17/21] libxc: Add range checking to     xc_dom_binloader (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 18/21] libxc: check failure of xc_dom_*_to_ptr,     xc_map_foreign_range (Ian Jackson) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - [PATCH 19/21] libxc: check return values from malloc     (Ian Jackson) [orabug 16902308] (CVE-2013-2194     CVE-2013-2195 CVE-2013-2196)

  - [PATCH 20/21] libxc: range checks in xc_dom_p2m_host and
    _guest (Ian Jackson) [orabug 16902308] (CVE-2013-2194     CVE-2013-2195 CVE-2013-2196)

  - [PATCH 21/21] libxc: check blob size before proceeding     in xc_dom_check_gzip (Matthew Daley) [orabug 16902308]     (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196)

  - libxc: define INVALID_MFN for the XSA-55 patchset (Chuck     Anderson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195     CVE-2013-2196)

  - fix page refcount handling in page table pin error path     (Andrew Cooper) [orabug 16949882] (CVE-2013-1432)

  - remove CVE-2013-1919 (Chuck Anderson) [orabug 16635741]     (CVE-2013-1919)

  - x86: make vcpu_destroy_pagetables preemptible (Jan     Beulich) [orabug 16714903] (CVE-2013-1918)

  - x86: make new_guest_cr3 preemptible (Jan Beulich)     [orabug 16714903] (CVE-2013-1918)

  - x86: make MMUEXT_NEW_USER_BASEPTR preemptible (Jan     Beulich) [orabug 16714903] (CVE-2013-1918)

  - x86: make vcpu_reset preemptible (Jan Beulich) [orabug     16714903] (CVE-2013-1918)

  - x86: make arch_set_info_guest preemptible (Jan Beulich)     [orabug 16714903] (CVE-2013-1918)

  - x86: make page table unpinning preemptible (Jan Beulich)     [orabug 16714903] (CVE-2013-1918)

  - x86: make page table handling error paths preemptible     (Jan Beulich) [orabug 16714903] (CVE-2013-1918)

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0069 for details.

Multiple security issues have been discovered in the Xen virtualisation solution which may result in information leaks or denial of service.

XEN has been updated to version 4.2.3 c/s 26170, fixing various bugs and security issues.

  - XSA-72: Fixed ocaml xenstored that mishandled oversized     message replies. (CVE-2013-4416)

  - XSA-63: Fixed information leaks through I/O instruction     emulation. (CVE-2013-4355)

  - XSA-66: Fixed information leak through fbld instruction     emulation. (CVE-2013-4361)

  - XSA-67: Fixed information leak through outs instruction     emulation. (CVE-2013-4368)

  - XSA-68: Fixed possible null dereference when parsing vif     ratelimiting info. (CVE-2013-4369)

  - XSA-69: Fixed misplaced free in ocaml     xc_vcpu_getaffinity stub. (CVE-2013-4370)

  - XSA-70: Fixed use-after-free in libxl_list_cpupool under     memory pressure. (CVE-2013-4371)

  - XSA-71: xen: qemu disk backend (qdisk) resource leak.
    (CVE-2013-4375)

  - XSA-62: Fixed information leak on AVX and/or LWP capable     CPUs. (CVE-2013-1442)

  - XSA-58: Page reference counting error due to     XSA-45/CVE-2013-1918 fixes. Various bugs have also been     fixed:. (CVE-2013-1432)

  - Boot failure with xen kernel in UEFI mode with error 'No     memory for trampoline'. (bnc#833483)

  - Improvements to block-dmmd script. (bnc#828623)

  - MTU size on Dom0 gets reset when booting DomU with e1000     device. (bnc#840196)

  - In HP's UEFI x86_64 platform and with xen environment,     in booting stage, xen hypervisor will panic.
    (bnc#833251)

  - Xen: migration broken from xsave-capable to     xsave-incapable host. (bnc#833796)

  - In xen, 'shutdown -y 0 -h' cannot power off system.
    (bnc#834751)

  - In HP's UEFI x86_64 platform with xen environment, xen     hypervisor will panic on multiple blades nPar.
    (bnc#839600)

  - vcpus not started after upgrading Dom0 from SLES 11 SP2     to SP3. (bnc#835896)

  - SLES 11 SP3 Xen security patch does not automatically     update UEFI boot binary. (bnc#836239)

  - Failed to setup devices for vm instance when start     multiple vms simultaneously. (bnc#824676)

  - SLES 9 SP4 guest fails to start after upgrading to SLES     11 SP3. (bnc#817799)

  - Various upstream fixes have been included.

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

The Xen hypervisor and toolset has been updated to 4.2.2_06 to fix various bugs and security issues :

The following security issues have been addressed :

  - Various integer overflows in the ELF loader were fixed.
    (XSA-55). (CVE-2013-2194)

  - Various pointer dereferences issues in the ELF loader     were fixed. (XSA-55). (CVE-2013-2195)

  - Various other problems in the ELF loader were fixed.
    (XSA-55). (CVE-2013-2196)

  - A Hypervisor crash due to missing exception recovery on     XSETBV was fixed. (XSA-54). (CVE-2013-2078)

  - A Hypervisor crash due to missing exception recovery on     XRSTOR was fixed. (XSA-53). (CVE-2013-2077)

  - libxl allowed guest write access to sensitive console     related xenstore keys. (XSA-57). (CVE-2013-2211)

  - An information leak on XSAVE/XRSTOR capable AMD CPUs     (XSA-52) was fixed, where parts of this state could leak     to other VMs. (CVE-2013-2076)

Also the following bugs have been fixed :

  - performance issues in mirror lvm. (bnc#801663)

  - aacraid driver panics mapping INT A when booting     kernel-xen. (bnc#808085)

  - Fully Virtualized Windows VM install failed on Ivy     Bridge platforms with Xen kernel. (bnc#808269)

  - Did not boot with i915 graphics controller with VT-d     enabled (bnc#817210)

Revised fixes for [XSA-55]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
84140	OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)	Nessus	OracleVM Local Security Checks	low
83617	SUSE SLES10 Security Update : Xen (SUSE-SU-2014:0470-1)	Nessus	SuSE Local Security Checks	medium
83616	SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1)	Nessus	SuSE Local Security Checks	high
83614	SUSE SLES10 Security Update : Xen (SUSE-SU-2014:0411-1)	Nessus	SuSE Local Security Checks	medium
79521	OracleVM 2.2 : xen (OVMSA-2013-0074)	Nessus	OracleVM Local Security Checks	high
79516	OracleVM 3.2 : xen (OVMSA-2013-0069)	Nessus	OracleVM Local Security Checks	medium
77240	Debian DSA-3006-1 : xen - security update	Nessus	Debian Local Security Checks	high
70969	SuSE 11.2 / 11.3 Security Update : Xen (SAT Patch Numbers 8478 / 8479)	Nessus	SuSE Local Security Checks	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69297	SuSE 11.3 Security Update : Xen (SAT Patch Number 8063)	Nessus	SuSE Local Security Checks	high
67292	Fedora 18 : xen-4.2.2-7.fc18 (2013-10941)	Nessus	Fedora Local Security Checks	medium
67291	Fedora 17 : xen-4.1.5-6.fc17 (2013-10929)	Nessus	Fedora Local Security Checks	medium
67290	Fedora 19 : xen-4.2.2-7.fc19 (2013-10908)	Nessus	Fedora Local Security Checks	medium

CVE-2013-2195

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

low

medium

high

medium

high

medium

high

high

high

high

medium

medium

medium