FEDORA-2015-a931b02be2

FEDORA-2015-6f6b79efe2

FEDORA-2015-242be2c240

openSUSE-SU-2015:2250

http://support.citrix.com/article/CTX202404

DSA-3414

77362

1034034

http://xenbits.xen.org/xsa/advisory-150.html

GLSA-201604-03

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

This security update fixes a number of security issues in Xen in wheezy.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.1-1+deb7u1.

We recommend that you upgrade your libidn packages.

CVE-2015-2752

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).

CVE-2015-2756

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

CVE-2015-5165

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

CVE-2015-5307

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.

CVE-2015-7969

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of 'teardowns' of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall.

CVE-2015-7970

The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a 'time-consuming linear scan,' related to Populate-on-Demand.

CVE-2015-7971

Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.

CVE-2015-7972

The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to 'heavy memory pressure.'

CVE-2015-8104

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.

CVE-2015-8339

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.

CVE-2015-8340

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.

CVE-2015-8550

Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.

CVE-2015-8554

Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a 'write path.'

CVE-2015-8555

Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVE-2015-8615

The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).

CVE-2016-1570

The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.

CVE-2016-1571

The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

CVE-2016-2270

Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

CVE-2016-2271

VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

nine security updates CVE-2015-7969 CVE-2015-7970 CVE-2015-7813 CVE-2015-7814 CVE-2015-7812 CVE-2015-7971 CVE-2015-7835 CVE-2015-7972

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following security issues :

  - CVE-2015-8550: paravirtualized drivers incautious about     shared memory contents (XSA-155, boo#957988)

  - CVE-2015-8558: qemu: usb: infinite loop in     ehci_advance_state results in DoS (boo#959006)

  - CVE-2015-7549: qemu pci: NULL pointer dereference issue     (boo#958918)

  - CVE-2015-8504: qemu: ui: vnc: avoid floating point     exception (boo#958493)

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164, boo#958007) 

  - CVE-2015-8555: information leak in legacy x86 FPU/XMM     initialization (XSA-165, boo#958009)

  - boo#958523 xen: ioreq handling possibly susceptible to     multiple read issue (XSA-166)

  - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop     in processing command block list (boo#956832)

  - boo#956592: xen: virtual PMU is unsupported (XSA-163)

  - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error     handling issues (XSA-159, boo#956408)

  - CVE-2015-8341: xen: libxl leak of pv kernel and initrd     on error (XSA-160, boo#956409)

  - CVE-2015-7504: xen: heap buffer overflow vulnerability     in pcnet emulator (XSA-162, boo#956411)

  - CVE-2015-7311: xen: libxl fails to honour readonly flag     on disks with qemu-xen (xsa-142, boo#947165)

  - CVE-2015-8104: Xen: guest to host DoS by triggering an     infinite loop in microcode via #DB exception     (boo#954405)

  - CVE-2015-5307: xen: x86: CPU lockup during fault     delivery (XSA-156, boo#954018)

  - CVE-2015-7970: xen: x86: Long latency populate-on-demand     operation is not preemptible (XSA-150, boo#950704)

This update fixes the following security issues :

  - bsc#955399 - Fix xm migrate --log_progress. Due to logic     error progress was not logged when requested.

  - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100:
    infinite loop in processing command block list

  - bsc#956592 - xen: virtual PMU is unsupported (XSA-163)

  - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen:
    XENMEM_exchange error handling issues (XSA-159)

  - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel     and initrd on error (XSA-160)

  - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow     vulnerability in pcnet emulator (XSA-162)

  - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour     readonly flag on disks with qemu-xen (xsa-142)

  - bsc#955399 - Fix xm migrate --live. The options were not     passed due to a merge error. As a result the migration     was not live, instead the suspended guest was migrated.

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during     fault delivery (XSA-156)

  - bsc#950704 - CVE-2015-7970: xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)

  - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand     balloon size inaccuracy can crash guests (XSA-153)

  - Drop     5604f239-x86-PV-properly-populate-descriptor-tables.patc     h

  - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain     vcpu pointer array (DoS) (XSA-149)

  - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain     profiling-related vcpu pointer array (DoS) (XSA-151)

  - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and     profiling hypercalls log without rate limiting (XSA-152)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues :

  - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100:
    infinite loop in processing command block list

  - bsc#956592 - xen: virtual PMU is unsupported (XSA-163)

  - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen:
    XENMEM_exchange error handling issues (XSA-159)

  - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel     and initrd on error (XSA-160)

  - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow     vulnerability in pcnet emulator (XSA-162)

  - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour     readonly flag on disks with qemu-xen (xsa-142)

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during     fault delivery (XSA-156) CVE-2015-5307-xsa156.patch

  - bsc#950704 - CVE-2015-7970: xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)     563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch

  - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand     balloon size inaccuracy can crash guests (XSA-153)     xsa153-libxl.patch xend-xsa153.patch

  - Drop     5604f239-x86-PV-properly-populate-descriptor-tables.patc     h

  - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain     vcpu pointer array (DoS) (XSA-149)

  - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain     profiling-related vcpu pointer array (DoS) (XSA-151)

  - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and     profiling hypercalls log without rate limiting (XSA-152)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues :

  - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100:
    infinite loop in processing command block list

  - bsc#956592 - xen: virtual PMU is unsupported (XSA-163)

  - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen:
    XENMEM_exchange error handling issues (XSA-159)

  - bsc#956409 - CVE-2015-8341: xen: libxl leak of pv kernel     and initrd on error (XSA-160)

  - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow     vulnerability in pcnet emulator (XSA-162)

  - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour     readonly flag on disks with qemu-xen (xsa-142)

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during     fault delivery (XSA-156)

  - bsc#950704 - CVE-2015-7970: xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)

  - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand     balloon size inaccuracy can crash guests (XSA-153)

  - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain     vcpu pointer array (DoS) (XSA-149)

  - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain     profiling-related vcpu pointer array (DoS) (XSA-151)

  - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and     profiling hypercalls log without rate limiting (XSA-152)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues :

  - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100:
    infinite loop in processing command block list

  - bsc#956408 - CVE-2015-8339, CVE-2015-8340: xen:
    XENMEM_exchange error handling issues (XSA-159)     xsa159.patch

  - bsc#956411 - CVE-2015-7504: xen: heap buffer overflow     vulnerability in pcnet emulator (XSA-162)

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#953527 - CVE-2015-5307: kernel: kvm/xen: x86: avoid     guest->host DOS by intercepting #AC (XSA-156)

  - bsc#950704 - CVE-2015-7970: xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)

  - bsc#951845 - CVE-2015-7972: xen: x86: populate-on-demand     balloon size inaccuracy can crash guests (XSA-153)

  - bsc#950703 - CVE-2015-7969: xen: leak of main per-domain     vcpu pointer array (DoS) (XSA-149)

  - bsc#950705 - CVE-2015-7969: xen: x86: leak of per-domain     profiling-related vcpu pointer array (DoS) (XSA-151)

  - bsc#950706 - CVE-2015-7971: xen: x86: some pmu and     profiling hypercalls log without rate limiting (XSA-152)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues :

  - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour     readonly flag on disks with qemu-xen (xsa-142)

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during     fault delivery (XSA-156)

  - bsc#950704 - CVE-2015-7970: xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)

This update fixes the following security issues :

  - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour     readonly flag on disks with qemu-xen (xsa-142)

  - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by     triggering an infinite loop in microcode via #DB     exception

  - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during     fault delivery (XSA-156)

  - bsc#950704 - CVE-2015-7970 xen: x86: Long latency     populate-on-demand operation is not preemptible     (XSA-150)     563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch

Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.

The Xen Project reports :

When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest's address space.

A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant period.

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
91198	Debian DLA-479-1 : xen security update	Nessus	Debian Local Security Checks	medium
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	high
89359	Fedora 23 : xen-4.5.1-14.fc23 (2015-a931b02be2)	Nessus	Fedora Local Security Checks	high
89278	Fedora 22 : xen-4.5.1-14.fc22 (2015-6f6b79efe2)	Nessus	Fedora Local Security Checks	high
89177	Fedora 21 : xen-4.4.3-7.fc21 (2015-242be2c240)	Nessus	Fedora Local Security Checks	high
88124	openSUSE Security Update : xen (openSUSE-2016-34)	Nessus	SuSE Local Security Checks	high
87650	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:2338-1)	Nessus	SuSE Local Security Checks	high
87591	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:2328-1)	Nessus	SuSE Local Security Checks	high
87590	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:2326-1)	Nessus	SuSE Local Security Checks	high
87528	SUSE SLES11 Security Update : xen (SUSE-SU-2015:2306-1)	Nessus	SuSE Local Security Checks	medium
87443	openSUSE Security Update : xen (openSUSE-2015-893)	Nessus	SuSE Local Security Checks	high
87393	openSUSE Security Update : xen (openSUSE-2015-892)	Nessus	SuSE Local Security Checks	high
87288	Debian DSA-3414-1 : xen - security update	Nessus	Debian Local Security Checks	medium
86838	FreeBSD : xen-kernel -- Long latency populate-on-demand operation is not preemptible (83350009-881e-11e5-ab94-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2015-7970

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins