FEDORA-2015-14361

FEDORA-2015-15946

FEDORA-2015-15944

76152

1033175

http://xenbits.xen.org/xsa/advisory-139.html

xen was updated to fix 12 security issues.

These security issues were fixed :

  - CVE-2015-7972: Populate-on-demand balloon size     inaccuracy can crash guests (bsc#951845).

  - CVE-2015-7969: Leak of main per-domain vcpu pointer     array (DoS) (bsc#950703).

  - CVE-2015-7969: Leak of per-domain profiling-related vcpu     pointer array (DoS) (bsc#950705).

  - CVE-2015-7971: Some pmu and profiling hypercalls log     without rate limiting (bsc#950706).

  - CVE-2015-4037: Insecure temporary file use in     /net/slirp.c (bsc#932267).

  - CVE-2014-0222: Validate L2 table size to avoid integer     overflows (bsc#877642).

  - CVE-2015-7835: Uncontrolled creation of large page     mappings by PV guests (bsc#950367).

  - CVE-2015-7311: libxl fails to honour readonly flag on     disks with qemu-xen (bsc#947165).

  - CVE-2015-5165: QEMU leak of uninitialized heap memory in     rtl8139 device model (bsc#939712).

  - CVE-2015-5166: Use after free in QEMU/Xen block unplug     protocol (bsc#939709).

  - CVE-2015-5154: Host code execution via IDE subsystem     CD-ROM (bsc#938344).

  - CVE-2015-3259: xl command line config handling stack     overflow (bsc#935634).

These non-security issues were fixed :

  - bsc#907514: Bus fatal error and sles12 sudden reboot has     been observed

  - bsc#910258: SLES12 Xen host crashes with FATAL NMI after     shutdown of guest with VT-d NIC

  - bsc#918984: Bus fatal error and sles11-SP4 sudden reboot     has been observed

  - bsc#923967: Partner-L3: Bus fatal error and sles11-SP3     sudden reboot has been observed

  - bsc#901488: Intel ixgbe driver assigns rx/tx queues per     core resulting in irq problems on servers with a large     amount of CPU cores

  - bsc#945167: Running command xl pci-assignable-add     03:10.1 secondly show errors

  - bsc#949138: Setting vcpu affinity under Xen causes     libvirtd abort

  - bsc#944463: VUL-0: CVE-2015-5239: qemu-kvm: Integer     overflow in vnc_client_read() and protocol_client_msg()

  - bsc#944697: VUL-1: CVE-2015-6815: qemu: net: e1000:
    infinite loop issue

  - bsc#925466: Kdump does not work in a XEN environment

xen was updated to fix 13 security issues.

These security issues were fixed :

  - CVE-2015-7972: Populate-on-demand balloon size     inaccuracy can crash guests (bsc#951845).

  - CVE-2015-7969: Leak of main per-domain vcpu pointer     array (DoS) (bsc#950703).

  - CVE-2015-7969: Leak of per-domain profiling-related vcpu     pointer array (DoS) (bsc#950705).

  - CVE-2015-7971: Some pmu and profiling hypercalls log     without rate limiting (bsc#950706).

  - CVE-2015-4037: Insecure temporary file use in     /net/slirp.c (bsc#932267).

  - CVE-2014-0222: Validate L2 table size to avoid integer     overflows (bsc#877642).

  - CVE-2015-7835: Uncontrolled creation of large page     mappings by PV guests (bsc#950367).

  - CVE-2015-7311: libxl fails to honour readonly flag on     disks with qemu-xen (bsc#947165).

  - CVE-2015-5165: QEMU leak of uninitialized heap memory in     rtl8139 device model (bsc#939712).

  - CVE-2015-5166: Use after free in QEMU/Xen block unplug     protocol (bsc#939709).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-6815: e1000: infinite loop issue (bsc#944697).

  - CVE-2015-5154: Host code execution via IDE subsystem     CD-ROM (bsc#938344).

This non-security issues was fixed :

  - bsc#941074: VmError: Device 51728 (vbd) could not be     connected. Hotplug scripts not working.

libxl fails to honour readonly flag on disks with qemu-xen [XSA-142 (possible fix)] ---- update to xen-4.4.3, including Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166], QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

libxl fails to honour readonly flag on disks with qemu-xen [XSA-142 (possible fix)] ---- Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166] QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix the following security issues :

  - CVE-2015-5165: QEMU leak of uninitialized heap memory in     rtl8139 device model (bsc#939712, XSA-140)

  - CVE-2015-5166: Use after free in QEMU/Xen block unplug     protocol (bsc#939709, XSA-139)

  - CVE-2015-2751: Certain domctl operations could have be     used to lock up the host (bsc#922709, XSA-127)

  - CVE-2015-3259: xl command line config handling stack     overflow (bsc#935634, XSA-137)

  - CVE-2015-4164: DoS through iret hypercall handler     (bsc#932996, XSA-136)

  - CVE-2015-5154: Host code execution via IDE subsystem     CD-ROM (bsc#938344)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166] QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that QEMU incorrectly handled a PRDT with zero complete sectors in the IDE functionality. A malicious guest could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9718)

Donghai Zhu discovered that QEMU incorrectly handled the RTL8139 driver. A malicious guest could possibly use this issue to read sensitive information from arbitrary host memory. (CVE-2015-5165)

Donghai Zhu discovered that QEMU incorrectly handled unplugging emulated block devices. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5166)

Qinghao Tang and Mr. Zuozhi discovered that QEMU incorrectly handled memory in the VNC display driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5225)

It was discovered that QEMU incorrectly handled the virtio-serial device. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04.
(CVE-2015-5745).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 2.4.0 * Support for virtio-gpu, 2D     only * Support for virtio-based keyboard/mouse/tablet     emulation * x86 support for memory hot-unplug

  - ACPI v5.1 table support for 'virt' board *     CVE-2015-3209: pcnet: multi-tmd buffer overflow in the     tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-     bounds memory access (bz #1243728) * CVE-2015-5158: scsi     stack-based buffer overflow (bz #1246025) *     CVE-2015-5154: ide: atapi: heap overflow during I/O     buffer memory access (bz #1247141) * CVE-2015-5165:
    rtl8139 uninitialized heap memory information leakage to     guest (bz #1249755) * CVE-2015-5166: BlockBackend object     use after free issue (bz #1249758) * CVE-2015-5745:
    buffer overflow in virtio- serial (bz #1251160)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This security update of Xen fixes the following issues :

  - bsc#939712 (XSA-140): QEMU leak of uninitialized heap     memory in rtl8139 device model (CVE-2015-5165)

  - bsc#939709 (XSA-139): Use after free in QEMU/Xen block     unplug protocol (CVE-2015-5166)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Xen Project reports :

When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.

An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.

- Rebased to version 2.3.1

    - Fix crash in qemu_spice_create_display (bz #1163047)

    - Fix qemu-img map crash for unaligned image (bz       #1229394)

    - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the       tx path (bz #1230536)

    - CVE-2015-3214: i8254: out-of-bounds memory access (bz       #1243728)

    - CVE-2015-5158: scsi stack-based buffer overflow (bz       #1246025)

    - CVE-2015-5154: ide: atapi: heap overflow during I/O       buffer memory access (bz #1247141)

    - CVE-2015-5166: BlockBackend object use after free       issue (bz #1249758)

    - CVE-2015-5745: buffer overflow in virtio-serial (bz       #1251160)

    - CVE-2015-5165: rtl8139 uninitialized heap memory       information leakage to guest (bz #1249755)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates in xen

ID	Name	Product	Family	Severity
86909	openSUSE Security Update : xen (openSUSE-2015-750)	Nessus	SuSE Local Security Checks	high
86863	openSUSE Security Update : xen (openSUSE-2015-729)	Nessus	SuSE Local Security Checks	high
86163	Fedora 21 : xen-4.4.3-3.fc21 (2015-15946)	Nessus	Fedora Local Security Checks	high
86162	Fedora 22 : xen-4.5.1-8.fc22 (2015-15944)	Nessus	Fedora Local Security Checks	high
85792	SUSE SLED11 Security Update : xen (SUSE-SU-2015:1479-2)	Nessus	SuSE Local Security Checks	high
85791	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1479-1)	Nessus	SuSE Local Security Checks	high
85728	Fedora 23 : xen-4.5.1-6.fc23 (2015-14361)	Nessus	Fedora Local Security Checks	high
85683	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2724-1)	Nessus	Ubuntu Local Security Checks	high
85592	Fedora 23 : qemu-2.4.0-1.fc23 (2015-13358)	Nessus	Fedora Local Security Checks	high
85532	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1404-1)	Nessus	SuSE Local Security Checks	high
85505	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1384-1)	Nessus	SuSE Local Security Checks	high
85485	FreeBSD : qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol (ee99899d-4347-11e5-93ad-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
85480	Fedora 22 : qemu-2.3.1-1.fc22 (2015-13402)	Nessus	Fedora Local Security Checks	high
85236	OracleVM 3.3 : xen (OVMSA-2015-0111)	Nessus	OracleVM Local Security Checks	high

CVE-2015-5166

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins