FEDORA-2016-35d7b09908

FEDORA-2016-75063477ca

FEDORA-2016-48e72b7bc5

http://support.citrix.com/article/CTX209443

DSA-3554

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

86318

1035587

http://xenbits.xen.org/xsa/advisory-173.html

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-5403: Unbounded memory allocation allowed a     guest administrator to cause a denial of service of the     host (bsc#990923)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-4453: The vmsvga_fifo_run function allowed     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a VGA     command (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed     local guest OS administrators to obtain sensitive host     memory information or cause a denial of service (QEMU     process crash) by changing FIFO registers and issuing a     VGA command, which triggered an out-of-bounds read     (bsc#982224)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264).

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188).

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188).

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping     (bsc#974038).

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130).

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138).

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4453: The vmsvga_fifo_run function allowed     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a VGA     command (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed     local guest OS administrators to obtain sensitive host     memory information or cause a denial of service (QEMU     process crash) by changing FIFO registers and issuing a     VGA command, which triggered an out-of-bounds read     (bsc#982224)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295).

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-5105: Stack information leakage while reading     configuration (bsc#982024)

  - CVE-2016-5106: Out-of-bounds write while setting     controller properties (bsc#982025)

  - CVE-2016-5107: Out-of-bounds read in     megasas_lookup_frame() function (bsc#982026)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function allowed local guest OS users to     cause a denial of service (QEMU process crash) or     possibly execute arbitrary code via a crafted iSCSI     asynchronous I/O ioctl call (bsc#982286)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-5337: The megasas_ctrl_get_info function     allowed local guest OS administrators to obtain     sensitive host memory information via vectors related to     reading device control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984)

  - CVE-2016-5403: virtio: unbounded memory allocation on     host via guest leading to DoS (XSA-184) (bsc#990923)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843).

  - CVE-2016-6833: A use-after-free issue in the VMWARE     VMXNET3 NIC device support allowed privileged user     inside guest to crash the Qemu instance resulting in DoS     (bsc#994775).

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421).

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625).

  - CVE-2016-6836: VMWARE VMXNET3 NIC device allowed     privileged user inside the guest to leak information. It     occured while processing transmit(tx) queue, when it     reaches the end of packet (bsc#994761).

  - CVE-2016-6888: A integer overflow int the VMWARE VMXNET3     NIC device support, during the initialisation of new     packets in the device, could have allowed a privileged     user inside guest to crash the Qemu instance resulting     in DoS (bsc#994772).

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7154: Use-after-free vulnerability in the FIFO     event channel code in Xen allowed local guest OS     administrators to cause a denial of service (host crash)     and possibly execute arbitrary code or obtain sensitive     information via an invalid guest frame number     (bsc#997731).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (boo#994761)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994772)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (boo#994775)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6259: Xen did not implement Supervisor Mode     Access Prevention (SMAP) whitelisting in 32-bit     exception and event delivery, which allowed local 32-bit     PV guest OS kernels to cause a denial of service     (hypervisor and VM crash) by triggering a safety check     (bsc#988676)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (boo#990923)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-6259: Xen did not implement Supervisor Mode     Access Prevention (SMAP) whitelisting in 32-bit     exception and event delivery, which allowed local 32-bit     PV guest OS kernels to cause a denial of service     (hypervisor and VM crash) by triggering a safety check     (bsc#988676)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982224)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982286)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982024)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982025)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982026)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

These non-security issues were fixed :

  - boo#991934: xen hypervisor crash in csched_acct

  - boo#992224: During boot of Xen Hypervisor, Failed to get     contiguous memory for DMA from Xen

  - boo#955104: Virsh reports error 'one or more references     were leaked after disconnect from hypervisor' when     'virsh save' failed due to 'no response from client     after 6 keepalive messages'

  - boo#959552: Migration of HVM guest leads into libvirt     segmentation fault

  - boo#993665: Migration of xen guests finishes in: One or     more references were leaked after disconnect from the     hypervisor

  - boo#959330: Guest migrations using virsh results in     error 'Internal error: received hangup / error event on     socket'

  - boo#990500: VM virsh migration fails with keepalive     error: ':virKeepAliveTimerInternal:143 : No response     from client'

  - boo#953518: Unplug also SCSI disks in     qemu-xen-traditional for upstream unplug protocol

  - boo#953518: xen_platform: unplug also SCSI disks in     qemu-xen

  - boo#971949: Support (by ignoring) xl migrate --live. xl     migrations are always live 

  - boo#970135: New virtualization project clock test     randomly fails on Xen

  - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6,     model=79)

  - boo#985503: vif-route broken

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     fails remove patch because it can not fix the bug

  - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2     alpha3 failed on sles11sp4 xen host.

  - boo#986586: Out of memory (oom) during boot on 'modprobe     xenblk' (non xen kernel) init.50-hvm-xen_conf

  - boo#900418: Dump cannot be performed on SLES12 XEN

  - boo#953339, boo#953362, boo#953518, boo#984981:
    Implement SUSE specific unplug protocol for emulated PCI     devices in PVonHVM guests to qemu-xen-upstream 

  - boo#954872: script block-dmmd not working as expected -     libxl: error: libxl_dm.c (Additional fixes) block-dmmd

  - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from     xvda 

  - boo#958848: HVM guest crash at /usr/src/packages/BUILD/     xen-4.4.2-testing/obj/default/balloon/balloon.c:407

  - boo#949889: Fail to install 32-bit paravirt VM under     SLES12SP1Beta3 XEN

  - boo#954872: script block-dmmd not working as expected -     libxl: error: libxl_dm.c (another modification)     block-dmmd

  - boo#961600: Poor performance when Xen HVM domU     configured with max memory greater than current memory

  - boo#963161: Windows VM getting stuck during load while a     VF is assigned to it after upgrading to latest     maintenance updates

  - boo#976058: Xen error running simple HVM guest (Post     Alpha 2 xen+qemu)

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     on xen fails for 'Domain is not running on destination     host'. qemu-ignore-kvm-tpr-opt-on-migration.patch 

  - boo#973631: AWS EC2 kdump issue

  - boo#964427: Discarding device blocks: failed -     Input/output error

This update for xen fixes the following issues :

These security issues were fixed :

  - CVE-2016-7092: The get_page_from_l3e function in     arch/x86/mm.c in Xen allowed local 32-bit PV guest OS     administrators to gain host OS privileges via vectors     related to L3 recursive pagetables (bsc#995785)

  - CVE-2016-7093: Xen allowed local HVM guest OS     administrators to overwrite hypervisor memory and     consequently gain host OS privileges by leveraging     mishandling of instruction pointer truncation during     emulation (bsc#995789)

  - CVE-2016-7094: Buffer overflow in Xen allowed local x86     HVM guest OS administrators on guests running with     shadow paging to cause a denial of service via a     pagetable update (bsc#995792)

  - CVE-2016-7154: Use-after-free vulnerability in the FIFO     event channel code in Xen allowed local guest OS     administrators to cause a denial of service (host crash)     and possibly execute arbitrary code or obtain sensitive     information via an invalid guest frame number     (bsc#997731)

  - CVE-2016-6836: VMWARE VMXNET3 NIC device support was     leaging information leakage. A privileged user inside     guest could have used this to leak host memory bytes to     a guest (boo#994761)

  - CVE-2016-6888: Integer overflow in packet initialisation     in VMXNET3 device driver. A privileged user inside guest     could have used this flaw to crash the Qemu instance     resulting in DoS (bsc#994772)

  - CVE-2016-6833: Use-after-free issue in the VMWARE     VMXNET3 NIC device support. A privileged user inside     guest could have used this issue to crash the Qemu     instance resulting in DoS (boo#994775)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994625)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994421)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5403: The virtqueue_pop function in     hw/virtio/virtio.c in QEMU allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) by submitting     requests without waiting for completion (boo#990923)

  - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c,     when built with ESP/NCR53C9x controller emulation     support, allowed local guest OS administrators to cause     a denial of service (out-of-bounds write and QEMU     process crash) or execute arbitrary code on the host via     vectors involving DMA read into ESP command buffer     (bsc#990843)

  - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in     Xen allowed local 32-bit PV guest OS administrators to     gain host OS privileges by leveraging fast-paths for     updating pagetable entries (bsc#988675)

  - CVE-2016-5337: The megasas_ctrl_get_info function in     hw/scsi/megasas.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information via vectors related to reading device     control information (bsc#983973)

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions in hw/scsi/esp.c in QEMU allowed     local guest OS administrators to cause a denial of     service (QEMU process crash) or execute arbitrary code     on the QEMU host via vectors related to the information     transfer buffer (bsc#983984)

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in     QEMU allowed local guest OS administrators to cause a     denial of service (out-of-bounds write and QEMU process     crash) via vectors related to reading from the     information transfer buffer in non-DMA mode (bsc#982960)

  - CVE-2016-4453: The vmsvga_fifo_run function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) via a VGA command     (bsc#982225)

  - CVE-2016-4454: The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allowed local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds read     (bsc#982224)

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function in block/iscsi.c in QEMU     allowed local guest OS users to cause a denial of     service (QEMU process crash) or possibly execute     arbitrary code via a crafted iSCSI asynchronous I/O     ioctl call (bsc#982286)

  - CVE-2016-5105: The megasas_dcmd_cfg_read function in     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, used an     uninitialized variable, which allowed local guest     administrators to read host memory via vectors involving     a MegaRAID Firmware Interface (MFI) command (bsc#982024)

  - CVE-2016-5106: The megasas_dcmd_set_properties function     in hw/scsi/megasas.c in QEMU, when built with MegaRAID     SAS 8708EM2 Host Bus Adapter emulation support, allowed     local guest administrators to cause a denial of service     (out-of-bounds write access) via vectors involving a     MegaRAID Firmware Interface (MFI) command (bsc#982025)

  - CVE-2016-5107: The megasas_lookup_frame function in     QEMU, when built with MegaRAID SAS 8708EM2 Host Bus     Adapter emulation support, allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and crash) via unspecified vectors     (bsc#982026)

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670)

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620)

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276)

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264)

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724)

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716)

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164)

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping (bsc#974038)

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111)

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907)

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130)

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138)

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188)

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188)

  - CVE-2016-4480: The guest_walk_tables function in     arch/x86/mm/guest_walk.c in Xen did not properly handle     the Page Size (PS) page table entry bit at the L4 and L3     page table levels, which might have allowed local guest     OS users to gain privileges via a crafted mapping of     memory (bsc#978295)

These non-security issues were fixed :

  - boo#991934: xen hypervisor crash in csched_acct 

  - boo#992224: [HPS Bug] During boot of Xen Hypervisor,     Failed to get contiguous memory for DMA from Xen 

  - boo#970135: new virtualization project clock test     randomly fails on Xen 

  - boo#971949 xl: Support (by ignoring) xl migrate --live.
    xl migrations are always live 

  - boo#990970: Add PMU support for Intel E7-8867 v4 (fam=6,     model=79) 

  - boo#985503: vif-route broken 

  - boo#978413: PV guest upgrade from sles11sp4 to sles12sp2     alpha3 failed on sles11sp4 xen host

  - boo#986586: out of memory (oom) during boot on 'modprobe     xenblk' (non xen kernel) 

  - boo#953339, boo#953362, boo#953518, boo#984981)     boo#953339, boo#953362, boo#953518, boo#984981:
    Implement SUSE specific unplug protocol for emulated PCI     devices in PVonHVM guests to qemu-xen-upstream 

  - boo#958848: HVM guest crash at /usr/src/packages/BUILD/     xen-4.4.2-testing/obj/default/balloon/balloon.c:407 

  - boo#982695: xen-4.5.2 qemu fails to boot HVM guest from     xvda 

  - boo#954872: script block-dmmd not working as expected 

  - boo#961600: L3: poor performance when Xen HVM domU     configured with max memory greater than current memory 

  - boo#979035: restore xm migrate fixes for boo#955399/     boo#955399 

  - boo#963161: Windows VM getting stuck during load while a     VF is assigned to it after upgrading to latest     maintenance updates boo#963161

  - boo#976058: Xen error running simple HVM guest (Post     Alpha 2 xen+qemu) 

  - boo#973631: AWS EC2 kdump issue 

  - boo#961100: Migrate a fv guest from sles12 to sles12sp1     on xen fails for 'Domain is not running on destination     host'. 

  - boo#964427: Discarding device blocks: failed -     Input/output error

This update for xen fixes the several issues. These security issues were fixed :

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264).

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188).

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188).

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164).

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping     (bsc#974038).

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130).

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138).

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907).

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111).

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716).

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724).

  - CVE-2016-4453: The vmsvga_fifo_run function allowed     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a VGA     command (bsc#982225).

  - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed     local guest OS administrators to obtain sensitive host     memory information or cause a denial of service (QEMU     process crash) by changing FIFO registers and issuing a     VGA command, which triggered an out-of-bounds read     (bsc#982224).

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276).

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620).

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670).

  - CVE-2016-5105: Stack information leakage while reading     configuration (bsc#982024).

  - CVE-2016-5106: Out-of-bounds write while setting     controller properties (bsc#982025).

  - CVE-2016-5107: Out-of-bounds read in     megasas_lookup_frame() function (bsc#982026).

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function allowed local guest OS users to     cause a denial of service (QEMU process crash) or     possibly execute arbitrary code via a crafted iSCSI     asynchronous I/O ioctl call (bsc#982286).

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode     (bsc#982960).

  - CVE-2016-5337: The megasas_ctrl_get_info function     allowed local guest OS administrators to obtain     sensitive host memory information via vectors related to     reading device control information (bsc#983973).

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984).

  - CVE-2016-6258: Potential privilege escalation in PV     guests (XSA-182) (bsc#988675).

  - bsc#978295: x86 software guest page walk PS bit handling     flaw (XSA-176)

  - CVE-2016-5403: virtio: unbounded memory allocation on     host via guest leading to DoS (XSA-184) (bsc#990923)

  - CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma     (bsc#990843)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen to version 4.5.3 fixes the several issues. These security issues were fixed :

  - CVE-2016-6258: Potential privilege escalation in PV     guests (XSA-182) (bsc#988675).

  - CVE-2016-6259: Missing SMAP whitelisting in 32-bit     exception / event delivery (XSA-183) (bsc#988676).

  - CVE-2016-5337: The megasas_ctrl_get_info function     allowed local guest OS administrators to obtain     sensitive host memory information via vectors related to     reading device control information (bsc#983973).

  - CVE-2016-5338: The (1) esp_reg_read and (2)     esp_reg_write functions allowed local guest OS     administrators to cause a denial of service (QEMU     process crash) or execute arbitrary code on the host via     vectors related to the information transfer buffer     (bsc#983984).

  - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c     might have allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via vectors related to reading from the     information transfer buffer in non-DMA mode     (bsc#982960).

  - CVE-2016-4453: The vmsvga_fifo_run function allowed     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a VGA     command (bsc#982225).

  - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed     local guest OS administrators to obtain sensitive host     memory information or cause a denial of service (QEMU     process crash) by changing FIFO registers and issuing a     VGA command, which triggered an out-of-bounds read     (bsc#982224).

  - CVE-2016-5126: Heap-based buffer overflow in the     iscsi_aio_ioctl function allowed local guest OS users to     cause a denial of service (QEMU process crash) or     possibly execute arbitrary code via a crafted iSCSI     asynchronous I/O ioctl call (bsc#982286).

  - CVE-2016-5105: Stack information leakage while reading     configuration (bsc#982024).

  - CVE-2016-5106: Out-of-bounds write while setting     controller properties (bsc#982025).

  - CVE-2016-5107: Out-of-bounds read in     megasas_lookup_frame() function (bsc#982026).

  - CVE-2016-4963: The libxl device-handling allowed local     guest OS users with access to the driver domain to cause     a denial of service (management tool confusion) by     manipulating information in the backend directories in     xenstore (bsc#979670).

  - CVE-2016-4962: The libxl device-handling allowed local     OS guest administrators to cause a denial of service     (resource consumption or management facility confusion)     or gain host OS privileges by manipulating information     in guest controlled areas of xenstore (bsc#979620).

  - CVE-2016-4952: Out-of-bounds access issue in     pvsci_ring_init_msg/data routines (bsc#981276).

  - CVE-2014-3672: The qemu implementation in libvirt Xen     allowed local guest OS users to cause a denial of     service (host disk consumption) by writing to stdout or     stderr (bsc#981264).

  - CVE-2016-4441: The get_cmd function in the 53C9X Fast     SCSI Controller (FSC) support did not properly check DMA     length, which allowed local guest OS administrators to     cause a denial of service (out-of-bounds write and QEMU     process crash) via unspecified vectors, involving an     SCSI command (bsc#980724).

  - CVE-2016-4439: The esp_reg_write function in the 53C9X     Fast SCSI Controller (FSC) support did not properly     check command buffer length, which allowed local guest     OS administrators to cause a denial of service     (out-of-bounds write and QEMU process crash) or     potentially execute arbitrary code on the host via     unspecified vectors (bsc#980716).

  - CVE-2016-3710: The VGA module improperly performed     bounds checking on banked access to video memory, which     allowed local guest OS administrators to execute     arbitrary code on the host by changing access modes     after setting the bank register, aka the 'Dark Portal'     issue (bsc#978164).

  - CVE-2016-3960: Integer overflow in the x86 shadow     pagetable code allowed local guest OS users to cause a     denial of service (host crash) or possibly gain     privileges by shadowing a superpage mapping     (bsc#974038).

  - CVE-2016-3159: The fpu_fxrstor function in     arch/x86/i387.c did not properly handle writes to the     hardware FSW.ES bit when running on AMD64 processors,     which allowed local guest OS users to obtain sensitive     register content information from another guest by     leveraging pending exception and mask bits (bsc#973188).

  - CVE-2016-3158: The xrstor function did not properly     handle writes to the hardware FSW.ES bit when running on     AMD64 processors, which allowed local guest OS users to     obtain sensitive register content information from     another guest by leveraging pending exception and mask     bits (bsc#973188).

  - CVE-2016-4037: The ehci_advance_state function in     hw/usb/hcd-ehci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) via a circular split isochronous transfer     descriptor (siTD) list (bsc#976111).

  - CVE-2016-4020: The patch_instruction function did not     initialize the imm32 variable, which allowed local guest     OS administrators to obtain sensitive information from     host stack memory by accessing the Task Priority     Register (TPR) (bsc#975907).

  - CVE-2016-4001: Buffer overflow in the     stellaris_enet_receive function, when the Stellaris     ethernet controller is configured to accept large     packets, allowed remote attackers to cause a denial of     service (QEMU crash) via a large packet (bsc#975130).

  - CVE-2016-4002: Buffer overflow in the mipsnet_receive     function, when the guest NIC is configured to accept     large packets, allowed remote attackers to cause a     denial of service (memory corruption and QEMU crash) or     possibly execute arbitrary code via a packet larger than     1514 bytes (bsc#975138).

  - bsc#978295: x86 software guest page walk PS bit handling     flaw (XSA-176)

  - CVE-2016-5403: virtio: unbounded memory allocation on     host via guest leading to DoS (XSA-184) (bsc#990923)

  - CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma     (bsc#990843)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor.
The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2014-3672 (XSA-180)

Andrew Sorensen discovered that a HVM domain can exhaust the hosts disk space by filling up the log file.

CVE-2016-3158, CVE-2016-3159 (XSA-172)

Jan Beulich from SUSE discovered that Xen does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors. A malicious domain can take advantage of this flaw to obtain address space usage and timing information, about another domain, at a fairly low rate.

CVE-2016-3710 (XSA-179)

Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds read and write flaw in the QEMU VGA module. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

CVE-2016-3712 (XSA-179)

Zuozhi Fzz of Alibaba Inc discovered potential integer overflow or out-of-bounds read access issues in the QEMU VGA module. A privileged guest user could use this flaw to mount a denial of service (QEMU process crash).

CVE-2016-3960 (XSA-173)

Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360 discovered an integer overflow in the x86 shadow pagetable code. A HVM guest using shadow pagetables can cause the host to crash. A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, potentially leading to privilege escalation.

CVE-2016-4480 (XSA-176)

Jan Beulich discovered that incorrect page table handling could result in privilege escalation inside a Xen guest instance.

CVE-2016-6258 (XSA-182)

J&eacute;r&eacute;mie Boutoille discovered that incorrect pagetable handling in PV instances could result in guest to host privilege escalation.

Additionally this Xen Security Advisory without a CVE was fixed :

XSA-166

Konrad Rzeszutek Wilk and Jan Beulich discovered that ioreq handling is possibly susceptible to a multiple read issue.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/HVM: correct CPUID leaf 80000008 handling - 6c733e54     xsa173_01_0001-x86-HVM-correct-CPUID-leaf-80000008-handl     ing.patch was based on upstream commit:
    ef437690af8b75e6758dce77af75a22b63982883 x86/HVM:
    correct CPUID leaf 80000008 handling It should have been     based on upstream commit:
    6c733e549889a9b8c4e03140348b8e00241d4ce9 x86/HVM:
    correct CPUID leaf 80000008 handling The changes in this     patch are the differences between those two patches.

  - x86/pv: Remove unsafe bits from the mod_l?_entry     fastpath All changes in writeability and cacheability     must go through full re-validation. Rework the logic as     a whitelist, to make it clearer to follow. This is     XSA-182

    Upstream commit 798c1498f764bfaa7b0b955bab40b01b0610d372     Conflicts: xen/include/asm-x86/page.h

  - x86/mm: fully honor PS bits in guest page table walks In     L4 entries it is currently unconditionally reserved (and     hence should, when set, always result in a reserved bit     page fault), and is reserved on hardware not supporting     1Gb pages (and hence should, when set, similarly cause a     reserved bit page fault on such hardware). This is     CVE-2016-4480 / XSA-176. (CVE-2016-4480)

  - x86/mm: Handle 1GiB superpages in the pagetable walker.
    This allows HAP guests to use 1GiB superpages. Shadow     and PV guests still can't use them without more support     in shadow/* and mm.c.

    Conflicts: xen/arch/x86/hvm/hvm.c     xen/arch/x86/mm/guest_walk.c Backported from upstream     commit 96b740e209d0bea4c16d93211ceb139fc98d10c2     (CVE-2016-4480)

  - main loop: Big hammer to fix logfile disk DoS in Xen     setups Each time round the main loop, we now fstat     stderr. If it is too big, we dup2 /dev/null onto it.
    This is not a very pretty patch but it is very simple,     easy to see that it's correct, and has a low risk of     collateral damage. The limit is 1Mby by default but can     be adjusted by setting a new environment variable. This     fixes CVE-2014-3672. (CVE-2014-3672)

  - x86: make hvm_cpuid tolerate NULL pointers Now that     other HVM code started making more extensive use of     hvm_cpuid, let's not force every caller to declare dummy     variables for output not cared about.

    xen/arch/x86/hvm/svm/svm.c and     xen/arch/x86/hvm/vmx/vvmx.c part are removed as no     source matched. Upstream commit     11b85dbd0ab068bad3beadda3aee2298205a3c01

  - x86: limit GFNs to 32 bits for shadowed superpages.
    Superpage shadows store the shadowed GFN in the     backpointer field, which for non-BIGMEM builds is 32     bits wide. Shadowing a superpage mapping of a     guest-physical address above 2^44 would lead to the GFN     being truncated there, and a crash when we come to     remove the shadow from the hash table. Track the valid     width of a GFN for each guest, including reporting it     through CPUID, and enforce it in the shadow pagetables.
    Set the maximum witth to 32 for guests where this     truncation could occur. This is XSA-173.

    Conflicts: xen/arch/x86/cpu/common.c     arch/x86/mm/guest_walk.c Upstream commit     95dd1b6e87b61222fc856724a5d828c9bdc30c80 (CVE-2016-3960)

  - x86/HVM: correct CPUID leaf 80000008 handling     CPUID[80000008].EAX[23:16] have been given the meaning     of the guest physical address restriction (in case it     needs to be smaller than the host's), hence we need to     mirror that into vCPUID[80000008].EAX[7:0]. Enforce a     lower limit at the same time, as well as a fixed value     for the virtual address bits, and zero for the guest     physical address ones. In order for the vMTRR code to     see these overrides we need to make it call hvm_cpuid     instead of domain_cpuid, which in turn requires special     casing (and relaxing) the controlling domain. This     additionally should hide an ordering problem in the     tools: Both xend and xl appear to be restoring a guest     from its image before setting up the CPUID policy in the     hypervisor, resulting in domain_cpuid returning all     zeros and hence the check in mtrr_var_range_msr_set     failing if the guest previously had more than the     minimum 36 physical address bits.

    Conflicts: xen/arch/x86/hvm/mtrr.c Upstream commit     ef437690af8b75e6758dce77af75a22b63982883 (CVE-2016-3960)

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0089 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO:
    commit=aff08b43b1a504aa14a0fce65302ccf515b69fdf

  - Remove unsafe bits from the mod_l?_entry fastpath     (Andrew Cooper) (CVE-2016-6258)

  - x86/mm: fully honor PS bits in guest page table walks     (Jan Beulich) (CVE-2016-4480) (CVE-2016-4480)

  - libxl: Document ~/serial/ correctly (Ian Jackson)     (CVE-2016-4962)

  - libxl: Cleanup: Have libxl__alloc_vdev use /libxl (Ian     Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend for nic in getinfo (Ian     Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend for nic in     libxl_devid_to_device_nic (Ian Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend for vtpm in getinfo (Ian     Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend for vtpm list (Ian Jackson)     (CVE-2016-4962)

  - libxl: Do not trust frontend for disk in getinfo (Ian     Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend for disk eject event (Ian     Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend in libxl__device_nextid     (Ian Jackson) (CVE-2016-4962)

  - libxl: Do not trust frontend in libxl__devices_destroy     (Ian Jackson) (CVE-2016-4962)

  - libxl: Provide libxl__backendpath_parse_domid (Ian     Jackson) (CVE-2016-4962)

  - libxl: Record backend/frontend paths in /libxl/$DOMID     (Ian Jackson) (CVE-2016-4962)

  - x86: limit GFNs to 32 bits for shadowed superpages. (Tim     Deegan) (CVE-2016-3960)

  - x86: fix information leak on AMD CPUs (Jan Beulich)     (CVE-2016-3158) (CVE-2016-3159) (CVE-2016-3158)     (CVE-2016-3159) (CVE-2016-3158) (CVE-2016-3159)

  - x86: enforce consistent cachability of MMIO mappings     (Jan Beulich) (CVE-2016-2270) (CVE-2016-2270)

The Xen Project reports :

In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an assertion failure or NULL dereference later on, in code that removes the shadow.

A HVM guest using shadow pagetables can cause the host to crash.

A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, and so a privilege escalation cannot be ruled out.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0081 for details.

x86 shadow pagetables: address width overflow [XSA-173, CVE-2016-3960] Qemu: net: buffer overflow in stellaris_enet emulator [CVE-2016-4001] Qemu: net: buffer overflow in MIPSnet emulator [CVE-2016-4002] qemu:
Infinite loop vulnerability in usb_ehci using siTD process [CVE-2016-4037]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2016-3158, CVE-2016-3159 (XSA-172)     Jan Beulich from SUSE discovered that Xen does not     properly handle writes to the hardware FSW.ES bit when     running on AMD64 processors. A malicious domain can take     advantage of this flaw to obtain address space usage and     timing information, about another domain, at a fairly     low rate.

  - CVE-2016-3960 (XSA-173)     Ling Liu and Yihan Lian of the Cloud Security Team,     Qihoo 360 discovered an integer overflow in the x86     shadow pagetable code. A HVM guest using shadow     pagetables can cause the host to crash. A PV guest using     shadow pagetables (i.e. being migrated) with PV     superpages enabled (which is not the default) can crash     the host, or corrupt hypervisor memory, potentially     leading to privilege escalation.

ID	Name	Product	Family	Severity
94608	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2725-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
94269	SUSE SLES12 Security Update : xen (SUSE-SU-2016:2533-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
94267	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2528-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
94000	openSUSE Security Update : xen (openSUSE-2016-1170) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93999	openSUSE Security Update : xen (openSUSE-2016-1169) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93298	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2100-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
93296	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:2093-1) (Bunker Buster)	Nessus	SuSE Local Security Checks	high
92635	Debian DLA-571-1 : xen security update (Bunker Buster)	Nessus	Debian Local Security Checks	high
92602	OracleVM 3.2 : xen (OVMSA-2016-0090)	Nessus	OracleVM Local Security Checks	high
92601	OracleVM 3.3 : xen (OVMSA-2016-0089)	Nessus	OracleVM Local Security Checks	high
92600	OracleVM 3.4 : xen (OVMSA-2016-0088) (Bunker Buster)	Nessus	OracleVM Local Security Checks	high
91934	FreeBSD : xen-kernel -- x86 shadow pagetables: address width overflow (d51ced72-4212-11e6-942d-bc5ff45d0f28)	Nessus	FreeBSD Local Security Checks	high
91756	OracleVM 3.2 : xen (OVMSA-2016-0081)	Nessus	OracleVM Local Security Checks	high
90954	Fedora 24 : xen-4.6.1-6.fc24 (2016-48e72b7bc5)	Nessus	Fedora Local Security Checks	high
90814	Fedora 22 : xen-4.5.3-2.fc22 (2016-75063477ca)	Nessus	Fedora Local Security Checks	high
90811	Fedora 23 : xen-4.5.3-2.fc23 (2016-35d7b09908)	Nessus	Fedora Local Security Checks	high
90638	Debian DSA-3554-1 : xen - security update	Nessus	Debian Local Security Checks	high

CVE-2016-3960

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins