The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0039 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

xen was updated to fix 36 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0081 for details.

xen was updated to fix 46 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bsc#964746).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bsc#964929).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bsc#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#964644).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#962642).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#962335).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#962758).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#964925).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#965112).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#962611).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#962627).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#964431).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#962632).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#964947).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#965156).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#962360).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958918).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956832).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958493).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959006).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#965269).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960726).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960836).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969125).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969126).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961692).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962321).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963783).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964415).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967101).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967090).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#968004).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This security update fixes a number of security issues in Xen in wheezy.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.1-1+deb7u1.

We recommend that you upgrade your libidn packages.

CVE-2015-2752

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).

CVE-2015-2756

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

CVE-2015-5165

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

CVE-2015-5307

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.

CVE-2015-7969

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of 'teardowns' of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall.

CVE-2015-7970

The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a 'time-consuming linear scan,' related to Populate-on-Demand.

CVE-2015-7971

Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.

CVE-2015-7972

The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to 'heavy memory pressure.'

CVE-2015-8104

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.

CVE-2015-8339

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.

CVE-2015-8340

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.

CVE-2015-8550

Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.

CVE-2015-8554

Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a 'write path.'

CVE-2015-8555

Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVE-2015-8615

The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).

CVE-2016-1570

The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.

CVE-2016-1571

The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

CVE-2016-2270

Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

CVE-2016-2271

VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 27 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to version 4.4.4 to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (boo#965315).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (boo#962360).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (boo#962611).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2015-6815: e1000: infinite loop issue (bsc#944697).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (boo#964925).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (boo#965156).

  - CVE-2016-2271: VMX in using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (boo#965317).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (boo#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (boo#962642).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (boo#962632).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (boo#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (boo#964644).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c allowed     remote attackers to execute arbitrary code via a crafted     (1) precision, (2) nextprecision, (3) function, or (4)     nextfunction value in a savevm image (boo#962758).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (boo#962335).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8613: scsi: stack based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2016-1571: The paging_invlpg function in     include/asm-x86/paging.h, when using shadow mode paging     or nested virtualization is enabled, allowed local HVM     guest users to cause a denial of service (host crash)     via a non-canonical guest address in an INVVPID     instruction, which triggers a hypervisor bug check     (boo#960862).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (boo#960861).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (boo#964431).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: incorrect l2 header validation     leads to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960707).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (boo#962627).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (boo#964929).

xen was updated to fix 47 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 44 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.

The oldstable distribution (wheezy) will be updated in a separate DSA.

PV superpage functionality missing sanity checks [XSA-167, CVE-2016-1570] VMX: intercept issue with INVLPG on non-canonical address [XSA-168, CVE-2016-1571] Qemu: pci: NULL pointer dereference issue CVE-2015-7549 qemu: DoS by infinite loop in ehci_advance_state CVE-2015-8558 qemu: Heap-based buffer overrun during VM migration CVE-2015-8666 Qemu: net: vmxnet3: incorrect l2 header validation leads to a crash via assert(2) call CVE-2015-8744 qemu: Support reading IMR registers on bar0 CVE-2015-8745 Qemu: net: vmxnet3: host memory leakage CVE-2015-8567 CVE-2015-8568 Qemu: net: ne2000: OOB memory access in ioport r/w functions CVE-2015-8743

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Xen Project reports :

While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its 'individual address' variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.

A malicious guest can crash the host, leading to a Denial of Service.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - VT-d: fix TLB flushing in dma_pte_clear_one From: Jan     Beulich The TLB flush code was wrong since     xen-4.1.3-25.el5.127.20 (commit:
    vtd-Refactor-iotlb-flush-code.patch), both ovm-3.2.9 and     ovm-3.2.10 were affected. The third parameter of
    __intel_iommu_iotlb_flush is to indicate whether the to     be flushed entry was a present one. A few lines before,     we bailed if !dma_pte_present(*pte), so there's no need     to check the flag here again - we can simply always pass     TRUE here. This is CVE-2013-6375 / XSA-78. Suggested-by:
    Cheng Yueqiang 

    (cherry picked from commit     85c72f9fe764ed96f5c149efcdd69ab7c18bfe3d)     (CVE-2013-6375)

  - x86/VMX: prevent INVVPID failure due to non-canonical     guest address While INVLPG (and on SVM INVLPGA) don't     fault on non-canonical addresses, INVVPID fails (in the     'individual address' case) when passed such an address.
    Since such intercepted INVLPG are effectively no-ops     anyway, don't fix this in vmx_invlpg_intercept, but     instead have paging_invlpg never return true in such a     case. This is XSA-168. (CVE-2016-1571)

  - x86/mm: PV superpage handling lacks sanity checks     MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for     validity before dereferencing pointers into the     superpage frame table. get_superpage has a similar     issue. This is XSA-167. (CVE-2016-1570)

  - xend/image: Don't throw VMException when using backend     domains for disks. If we are using backend domains the     disk image may not be accessible within the host     (domain0). As such it is OK to continue on. The     'addStoreEntries' in DevController.py already does the     check to make sure that when the 'backend' configuration     is used - that said domain exists. As such the only     change we need to do is to exclude the disk image     location if the domain is not dom0.

  - memory: fix XENMEM_exchange error handling assign_pages     can fail due to the domain getting killed in parallel,     which should not result in a hypervisor crash. Also     delete a redundant put_gfn - all relevant paths leading     to the 'fail' label already do this (and there are also     paths where it was plain wrong). All of the put_gfn-s     got introduced by 51032ca058 ('Modify naming of queries     into the p2m'), including the otherwise unneeded     initializer for k (with even a kind of misleading     comment - the compiler warning could actually have     served as a hint that the use is wrong). This is     XSA-159.

    Based on xen.org's xsa159.patch Conflicts: OVM 3.2 does     not have the change (51032ca058) that is backed out in     xen/common/memory.c or the put_gfn in     xen/common/memory.c

(CVE-2015-8339, CVE-2015-8340)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/VMX: prevent INVVPID failure due to non-canonical     guest address While INVLPG (and on SVM INVLPGA) don't     fault on non-canonical addresses, INVVPID fails (in the     'individual address' case) when passed such an address.
    Since such intercepted INVLPG are effectively no-ops     anyway, don't fix this in vmx_invlpg_intercept, but     instead have paging_invlpg never return true in such a     case. This is XSA-168. (CVE-2016-1571)

  - x86/mm: PV superpage handling lacks sanity checks     MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for     validity before dereferencing pointers into the     superpage frame table. get_superpage has a similar     issue. This is XSA-167. (CVE-2016-1570)

  - x86/HVM: avoid reading ioreq state more than once     Otherwise, especially when the compiler chooses to     translate the switch to a jump table, unpredictable     behavior (and in the jump table case arbitrary code     execution) can result. This is XSA-166.

  - x86: don't leak ST(n)/XMMn values to domains first using     them FNINIT doesn't alter these registers, and hence     using it is insufficient to initialize a guest's initial     state. This is XSA-165. (CVE-2015-8555)

  - MSI-X: avoid array overrun upon MSI-X table writes     pt_msix_init allocates msix->msix_entry[] to just cover     msix->total_entries entries. While pci_msix_readl     resorts to reading physical memory for out of bounds     reads, pci_msix_writel so far simply accessed/corrupted     unrelated memory. pt_iomem_map's call to     cpu_register_physical_memory registers a page granular     region, which is necessary as the Pending Bit Array may     share space with the MSI-X table (but nothing else is     allowed to). This also explains why pci_msix_readl     actually honors out of bounds reads, but pci_msi_writel     doesn't need to. This is XSA-164. (CVE-2015-8554)

  - From 43a10fecd6f4a9d8adf9f5d85e3d5e7187e2d54a Mon Sep 17     00:00:00 2001 From: Ian Jackson Date: Wed, 18 Nov 2015     15:34:54 +0000 Subject: [PATCH] libxl: Fix     bootloader-related virtual memory leak on pv build     failure The bootloader may call     libxl__file_reference_map, which mmap's the pv_kernel     and pv_ramdisk into process memory. This was only     unmapped, however, on the success path of     libxl__build_pv. If there were a failure anywhere     between libxl_bootloader.c:parse_bootloader_result and     the end of libxl__build_pv, the calls to     libxl__file_reference_unmap would be skipped, leaking     the mapped virtual memory. Ideally this would be fixed     by adding the unmap calls to the destruction path for     libxl__domain_build_state. Unfortunately the lifetime of     the libxl__domain_build_state is opaque, and it doesn't     have a proper destruction path. But, the only thing in     it that isn't from the gc are these bootloader     references, and they are only ever set for one     libxl__domain_build_state, the one which is     libxl__domain_create_state.build_state. So we can clean     up in the exit path from libxl__domain_create_*, which     always comes through domcreate_complete. Remove the     now-redundant unmaps in libxl__build_pv's success path.
    This is XSA-160.

    Based on xen.org's xsa160.patch Conflicts: adjust patch     context to match OVM 3.3 code base (CVE-2015-8341)

  - memory: fix XENMEM_exchange error handling assign_pages     can fail due to the domain getting killed in parallel,     which should not result in a hypervisor crash. Also     delete a redundant put_gfn - all relevant paths leading     to the 'fail' label already do this (and there are also     paths where it was plain wrong). All of the put_gfn-s     got introduced by 51032ca058 ('Modify naming of queries     into the p2m'), including the otherwise unneeded     initializer for k (with even a kind of misleading     comment - the compiler warning could actually have     served as a hint that the use is wrong). This is     XSA-159.

22326022] (CVE-2015-8339, CVE-2015-8340)

  - x86/HVM: always intercept #AC and #DB Both being benign     exceptions, and both being possible to get triggered by     exception delivery, this is required to prevent a guest     from locking up a CPU (resulting from no other VM exits     occurring once getting into such a loop). The specific     scenarios: 1) #AC may be raised during exception     delivery if the handler is set to be a ring-3 one by a     32-bit guest, and the stack is misaligned. 2) #DB may be     raised during exception delivery when a breakpoint got     placed on a data structure involved in delivering the     exception. This can result in an endless loop when a     64-bit guest uses a non-zero IST for the vector 1 IDT     entry, but even without use of IST the time it takes     until a contributory fault would get raised (results     depending on the handler) may be quite long. This is     XSA-156.

(CVE-2015-5307, CVE-2015-8104)

ID	Name	Product	Family	Severity
140019	OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
93177	SUSE SLES11 Security Update : xen (SUSE-SU-2016:1745-1)	Nessus	SuSE Local Security Checks	critical
91756	OracleVM 3.2 : xen (OVMSA-2016-0081)	Nessus	OracleVM Local Security Checks	high
91249	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)	Nessus	SuSE Local Security Checks	critical
91198	Debian DLA-479-1 : xen security update	Nessus	Debian Local Security Checks	high
90759	SUSE SLES11 Security Update : xen (SUSE-SU-2016:1154-1)	Nessus	SuSE Local Security Checks	critical
90478	openSUSE Security Update : xen (openSUSE-2016-439)	Nessus	SuSE Local Security Checks	critical
90396	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)	Nessus	SuSE Local Security Checks	critical
90186	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:0873-1)	Nessus	SuSE Local Security Checks	critical
90030	Debian DSA-3519-1 : xen - security update	Nessus	Debian Local Security Checks	high
89624	Fedora 22 : xen-4.5.2-7.fc22 (2016-e1784417af)	Nessus	Fedora Local Security Checks	high
89503	Fedora 23 : xen-4.5.2-7.fc23 (2016-2c15b72b01)	Nessus	Fedora Local Security Checks	high
89012	FreeBSD : xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address (80adc394-ddaf-11e5-b2bd-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
88171	OracleVM 3.2 : xen (OVMSA-2016-0008)	Nessus	OracleVM Local Security Checks	high
88170	OracleVM 3.3 : xen (OVMSA-2016-0007)	Nessus	OracleVM Local Security Checks	high

Detections

Analytics

CVE-2016-1571

medium

Tenable Plugins

critical

critical

critical

high

critical

high

critical

critical

critical

critical

high

high

high

medium

high

high