CVE-2015-3340

low

Description

Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156005.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156979.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157006.html

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00018.html

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00001.html

http://www.debian.org/security/2015/dsa-3414

http://www.securityfocus.com/bid/74248

http://www.securitytracker.com/id/1032158

http://xenbits.xen.org/xsa/advisory-132.html

https://security.gentoo.org/glsa/201604-03

Details

Source: MITRE

Published: 2015-04-28

Updated: 2018-10-30

Type: CWE-200

Risk Information

CVSS v2

Base Score: 2.9

Vector: AV:A/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 5.5

Severity: LOW

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 140019 | OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre) | Nessus | OracleVM Local Security Checks | critical |
| 111992 | OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) | Nessus | OracleVM Local Security Checks | critical |
| 90380 | GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom) | Nessus | Gentoo Local Security Checks | critical |
| 87288 | Debian DSA-3414-1 : xen - security update | Nessus | Debian Local Security Checks | medium |
| 84714 | FreeBSD : xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo (ce658051-27ea-11e5-a4a5-002590263bf5) | Nessus | FreeBSD Local Security Checks | low |
| 84333 | openSUSE Security Update : xen (openSUSE-2015-434) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83965 | openSUSE Security Update : xen (openSUSE-2015-391) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83859 | SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0944-1) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83856 | SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0940-1) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83853 | SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:0927-1) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83757 | SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0923-1) (Venom) | Nessus | SuSE Local Security Checks | high |
| 83207 | Fedora 21 : xen-4.4.2-3.fc21 (2015-6670) | Nessus | Fedora Local Security Checks | low |
| 83205 | Fedora 20 : xen-4.3.4-3.fc20 (2015-6583) | Nessus | Fedora Local Security Checks | low |
| 83075 | Fedora 22 : xen-4.5.0-8.fc22 (2015-6569) | Nessus | Fedora Local Security Checks | low |