103174

1040773

[debian-lts-announce] 20180306 [SECURITY] [DLA 1300-1] xen security update

[debian-lts-announce] 20181112 [SECURITY] [DLA 1577-1] xen security update

GLSA-201810-06

https://support.citrix.com/article/CTX232096

https://support.citrix.com/article/CTX232655

DSA-4131

https://xenbits.xen.org/xsa/advisory-252.html

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0272 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0271 for details.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts4-0+deb8u1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could cause a Denial of Service condition or disclose       sensitive information.
  Workaround :

    There is no known workaround at this time.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0218 for details.

This update for xen to version 4.9.2 fixes several issues.

This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N'

These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

These non-security issues were fixed :

  - bsc#1087252: Update built-in defaults for xenstored in     stubdom, keep default to run xenstored as daemon in dom0

  - bsc#1087251: Preserve xen-syms from xen-dbg.gz to allow     processing vmcores with crash(1) 

  - bsc#1072834: Prevent unchecked MSR access error This     update was imported from the SUSE:SLE-12-SP3:Update     update project.

This update for xen to version 4.9.2 fixes several issues. This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N' These security issues     were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: Update to Xen 4.7.5 bug fix only release (bsc#1027519) Security issues fixed :

  - CVE-2018-7540: Fixed DoS via non-preemptable L3/L4     pagetable freeing (XSA-252) (bsc#1080635)

  - CVE-2018-7541: A grant table v2 -> v1 transition may     crash Xen (XSA-255) (bsc#1080662)

  - CVE-2017-5753,CVE-2017-5715,CVE-2017-5754 Fixed     information leaks via side effects of speculative     execution (XSA-254). Includes Spectre v2 mitigation.
    (bsc#1074562)

  - Preserve xen-syms from xen-dbg.gz to allow processing     vmcores with crash(1) (bsc#1087251)

  - Xen HVM: Fixed unchecked MSR access error (bsc#1072834)

  - Add script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU They are     triggered via xl vcpu-set domU N (fate#324965)

  - Make sure tools and tools-domU require libs from the     very same build

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities.

update Xen page-table isolation (XPTI) mitigation and add Branch Target Injection (BTI) mitigation for XSA-254 DoS via non-preemptable L3/L4 pagetable freeing [XSA-252] (#1549568) grant table v2 -> v1 transition may crash Xen [XSA-255] (#1549570) x86 PVH guest without LAPIC may DoS the host [XSA-256] (#1549572)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent     information leaks via side effects of speculative     execution, aka 'Spectre' and 'Meltdown' attacks     (bsc#1074562, bsc#1068032)

  - CVE-2018-5683: The vga_draw_text function allowed local     OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address validation     (bsc#1076116).

  - CVE-2017-18030: The cirrus_invalidate_region function     allowed local OS guest privileged users to cause a     denial of service (out-of-bounds array access and QEMU     process crash) via vectors related to negative pitch     (bsc#1076180).

  - CVE-2017-15595: x86 PV guest OS users were able to cause     a DoS (unbounded recursion, stack consumption, and     hypervisor crash) or possibly gain privileges via     crafted page-table stacking (bsc#1061081)

  - CVE-2017-17566: Prevent PV guest OS users to cause a     denial of service (host OS crash) or gain host OS     privileges in shadow mode by mapping a certain auxiliary     page (bsc#1070158).

  - CVE-2017-17563: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging an incorrect mask for reference-count     overflow checking in shadow mode (bsc#1070159).

  - CVE-2017-17564: Prevent guest OS users to cause a denial     of service (host OS crash) or gain host OS privileges by     leveraging incorrect error handling for reference     counting in shadow mode (bsc#1070160).

  - CVE-2017-17565: Prevent PV guest OS users to cause a     denial of service (host OS crash) if shadow mode and     log-dirty mode are in place, because of an incorrect     assertion related to M2P (bsc#1070163).

  - Added missing intermediate preemption checks for guest     requesting removal of memory. This allowed malicious     guest administrator to cause denial of service due to     the high cost of this operation (bsc#1080635).

  - Because of XEN not returning the proper error messages     when transitioning grant tables from v2 to v1 a     malicious guest was able to cause DoS or potentially     allowed for privilege escalation as well as information     leaks (bsc#1080662).

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1024307)

  - Unprivileged domains could have issued well-timed writes     to xenstore which conflict with transactions to stall     progress of the control domain or driver domain,     possibly leading to DoS (bsc#1030144, XSA-206).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

add Xen page-table isolation (XPTI) mitigation and Branch Target Injection (BTI) mitigation for XSA-254 DoS via non-preemptable L3/L4 pagetable freeing [XSA-252] (#1549568) grant table v2 -> v1 transition may crash Xen [XSA-255] (#1549570) x86 PVH guest without LAPIC may DoS the host [XSA-256] (#1549572)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-13.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: xen     commit=b2a6db11ced11291a472bc1bda20ce329eda4d66

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - gnttab: don't blindly free status pages upon version     change (Andrew Cooper)&nbsp  [Orabug: 27571750]&nbsp     (CVE-2018-7541)

  - memory: don't implicitly unpin for decrease-reservation     (Andrew Cooper)&nbsp  [Orabug: 27571737]&nbsp     (CVE-2018-7540)

  - BUILDINFO: xen     commit=873b8236e886daa3c26dae28d0c1c53d88447dc0

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xend: if secure boot is enabled don't write pci config     space (Elena Ufimtseva)&nbsp  [Orabug: 27533309]

  - BUILDINFO: xen     commit=81602116e75b6bbc519366b242c71888aa1b1673

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/spec_ctrl: Fix several bugs in     SPEC_CTRL_ENTRY_FROM_INTR_IST (Andrew Cooper)&nbsp     [Orabug: 27553376]&nbsp  (CVE-2017-5753) (CVE-2017-5715)     (CVE-2017-5754)

  - x86: allow easier disabling of BTI mitigations     (Zhenzhong Duan) [Orabug: 27553376]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - x86/boot: Make alternative patching NMI-safe (Andrew     Cooper) [Orabug: 27553376]&nbsp  (CVE-2017-5753)     (CVE-2017-5715) (CVE-2017-5754)

  - xen/cmdline: Fix parse_boolean for unadorned values     (Andrew Cooper)&nbsp  [Orabug: 27553376]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - Optimize the context switch code a bit (Zhenzhong     Duan)&nbsp  [Orabug: 27553376]&nbsp  (CVE-2017-5753)     (CVE-2017-5715) (CVE-2017-5754)

  - Update init_speculation_mitigations to upstream's     (Zhenzhong Duan)&nbsp  [Orabug: 27553376]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - x86/entry: Avoid using alternatives in NMI/#MC paths     (Andrew Cooper)&nbsp  [Orabug: 27553376]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - Update RSB related implementation to upstream ones     (Zhenzhong Duan)&nbsp  [Orabug: 27553376]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - BUILDINFO: xen     commit=c6a2fe8d72a3eba01b22cbe495e60cb6837fe8d0

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86: Expose CPUID.7, EDX.26->27 and CPUID.0x80000008,     EBX.12 (redux) (Konrad Rzeszutek Wilk)&nbsp  [Orabug:
    27445678]

  - BUILDINFO: xen     commit=9657d91fcbf49798d2c5135866e1947113d536dc

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/Spectre: Set thunk to THUNK_NONE if compiler support     is not available (Boris Ostrovsky)&nbsp  [Orabug:
    27375688]

  - BUILDINFO: xen     commit=4e5826dfcb56d3a868a9934646989f8483f03b3c

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xen: No dependencies on dracut and microcode_ctl RPMs     (Boris Ostrovsky)&nbsp  [Orabug: 27409718]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=9ccc143584e12027a8db854d19ce8a120d22cfac

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - gnttab: don't blindly free status pages upon version     change (Andrew Cooper)&nbsp  [Orabug: 27614581]&nbsp     (CVE-2018-7541)

  - memory: don't implicitly unpin for decrease-reservation     (Andrew Cooper)&nbsp  [Orabug: 27614605]&nbsp     (CVE-2018-7540)

  - xend: allow setting topology if smt is off in bios     (Elena Ufimtseva)&nbsp  

  - x86/svm: clear CPUID IBPB when feature is not supported     (Elena Ufimtseva)&nbsp  [Orabug: 27416699]

  - x86/domain: Move hvm_vcpu_initialize before     cpuid_policy_changed (Elena Ufimtseva)&nbsp  [Orabug:
    27416699]

  - x86, amd_ucode: support multiple container files     appended together (Aravind Gopalakrishnan)&nbsp     [Orabug: 27416699]

  - x86/intel: change default governor to performance (Joao     Martins) 

  - x86/cpuidle: Disable deep C-states due to erratum AAJ72     (Joao Martins)&nbsp  [Orabug: 27614625]

  - Revert 'set max cstate to 1' (Joao Martins)&nbsp     [Orabug: 27614625]

  - x86/cpuidle: add new CPU families (Jan Beulich)&nbsp     [Orabug: 27614625]

  - x86/Intel: Broadwell doesn't have     PKG_C[8,9,10]_RESIDENCY MSRs (Jan Beulich)&nbsp     [Orabug: 27614625]

  - x86: support newer Intel CPU models (Jan Beulich)&nbsp     [Orabug: 27614625]

  - mwait-idle: add KBL support (Len Brown)&nbsp  [Orabug:
    27614625]

  - mwait-idle: add SKX support (Len Brown)&nbsp  [Orabug:
    27614625]

  - mwait_idle: Skylake Client Support (Len Brown)&nbsp     [Orabug: 27614625]

  - x86: support newer Intel CPU models (Jan Beulich)&nbsp     [Orabug: 27614625]

  - x86/idle: update to include further package/core     residency MSRs (Jan Beulich)&nbsp  [Orabug: 27614625]

  - mwait-idle: support additional Broadwell model (Len     Brown) [Orabug: 27614625]

  - x86/mwait-idle: Broadwell support (Len Brown)&nbsp     [Orabug: 27614625]

  - x86/mwait-idle: disable Baytrail Core and Module C6     auto-demotion (Len Brown)&nbsp  [Orabug: 27614625]

  - mwait-idle: add CPU model 54 (Atom N2000 series) (Jan     Kiszka) [Orabug: 27614625]

  - mwait-idle: support Bay Trail (Len Brown)&nbsp  [Orabug:
    27614625]

  - mwait-idle: allow sparse sub-state numbering, for Bay     Trail (Len Brown)&nbsp  [Orabug: 27614625]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=c837c35e1c04791a50f930926ba815ca5b4d3661

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xend: restore smt parameter on guest reboot (Elena     Ufimtseva) [Orabug: 27574191]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=f36f7903ae0886ab4ef7e3e01c83c9dba819537b

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/spec_ctrl: Fix several bugs in     SPEC_CTRL_ENTRY_FROM_INTR_IST (Andrew Cooper)&nbsp     [Orabug: 27553369]&nbsp  (CVE-2017-5753) (CVE-2017-5715)     (CVE-2017-5754)

  - x86: allow easier disabling of BTI mitigations     (Zhenzhong Duan) [Orabug: 27553369]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - x86/boot: Make alternative patching NMI-safe (Andrew     Cooper) [Orabug: 27553369]&nbsp  (CVE-2017-5753)     (CVE-2017-5715) (CVE-2017-5754)

  - xen/cmdline: Fix parse_boolean for unadorned values     (Andrew Cooper)&nbsp  [Orabug: 27553369]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - Optimize the context switch code a bit (Zhenzhong     Duan)&nbsp  [Orabug: 27553369]&nbsp  (CVE-2017-5753)     (CVE-2017-5715) (CVE-2017-5754)

  - Update init_speculation_mitigations to upstream's     (Zhenzhong Duan)&nbsp  [Orabug: 27553369]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - x86/entry: Avoid using alternatives in NMI/#MC paths     (Andrew Cooper)&nbsp  [Orabug: 27553369]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - Update RSB related implementation to upstream ones     (Zhenzhong Duan)&nbsp  [Orabug: 27553369]&nbsp     (CVE-2017-5753) (CVE-2017-5715) (CVE-2017-5754)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=bdecffda647e17f8aaeb4057bd1064236075bc9c

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xend: if secure boot is enabled don't write pci config     space (Elena Ufimtseva)&nbsp  [Orabug: 27533309]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=46aa4f995b266e9dc0bce98b448423c5fdc79fde

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - hvmloader: Correct nr_vnodes when init_vnuma_info fails     (Annie Li)&nbsp  

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=1fb819ca1b801af1f59983f34776501336a57979

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - Fail migration if destination does not allow pv guest     running (Annie Li)&nbsp  [Orabug: 27465310]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=dfc241a5b6a952bde385b1d68ef42acf8f80302c

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86: Expose CPUID.7, EDX.26->27 and CPUID.0x80000008,     EBX.12 (redux) (Konrad Rzeszutek Wilk)&nbsp  [Orabug:
    27445667]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=d5afa57c42732dc35a572582099c67ee3c397434

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - Enable creating pv guest on OVM3.4.4 by default (Annie     Li) [Orabug: 27424482]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=619dd3aa6aac97dbc9f23fdae3d6fd6dfab8a0da

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xen/x86: Make sure identify_cpu is called with traps     enabled (Joao Martins)&nbsp  [Orabug: 27393237]

  - xend: disallow pv guests to run (Joao Martins)&nbsp     [Orabug: 27370330]

  - hvmloader, x86/hvm, domctl: enumerate apicid based on     vcpu_to_vnode (Joao Martins)&nbsp  [Orabug: 27119689]

  - xend: conditionally use dom0 vcpus for vnuma auto (Joao     Martins) 

  - x86/Spectre: Set thunk to THUNK_NONE if compiler support     is not available (Boris Ostrovsky)&nbsp  [Orabug:
    27375704]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=1d2270f50ef2b1b22b8f6ee7a9b571ea96f7f37b

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xen: No dependencies on dracut and microcode_ctl RPMs     (Boris Ostrovsky)&nbsp  [Orabug: 27409734]

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2018-7540     Jann Horn discovered that missing checks in page table     freeing may result in denial of service.

  - CVE-2018-7541     Jan Beulich discovered that incorrect error handling in     grant table checks may result in guest-to-host denial of     service and potentially privilege escalation.

  - CVE-2018-7542     Ian Jackson discovered that insufficient handling of x86     PVH guests without local APICs may result in     guest-to-host denial of service.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a denial of service vulnerability.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

ID	Name	Product	Family	Severity
118963	OracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre)	Nessus	OracleVM Local Security Checks	high
118962	OracleVM 3.3 : xen (OVMSA-2018-0271) (Foreshadow) (Spectre)	Nessus	OracleVM Local Security Checks	high
118892	Debian DLA-1577-1 : xen security update	Nessus	Debian Local Security Checks	high
118506	GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)	Nessus	Gentoo Local Security Checks	high
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
109987	OracleVM 3.4 : xen (OVMSA-2018-0218) (Meltdown) (Spectre)	Nessus	OracleVM Local Security Checks	high
109751	openSUSE Security Update : xen (openSUSE-2018-454) (Meltdown)	Nessus	SuSE Local Security Checks	high
109677	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1184-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109001	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:0909-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	medium
108887	Citrix XenServer Multiple Vulnerabilities (CTX232655)	Nessus	Misc.	high
108886	Citrix XenServer Multiple Vulnerabilities (CTX232096)	Nessus	Misc.	medium
108492	Fedora 26 : xen (2018-0746dac335)	Nessus	Fedora Local Security Checks	medium
108369	SUSE SLES11 Security Update : xen (SUSE-SU-2018:0678-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
107176	Fedora 27 : xen (2018-c553a586c8)	Nessus	Fedora Local Security Checks	medium
107134	Debian DLA-1300-1 : xen security update	Nessus	Debian Local Security Checks	medium
107130	OracleVM 3.4 : xen (OVMSA-2018-0021) (Meltdown) (Spectre)	Nessus	OracleVM Local Security Checks	medium
107129	OracleVM 3.4 : xen (OVMSA-2018-0020) (Meltdown) (Spectre)	Nessus	OracleVM Local Security Checks	medium
107123	Debian DSA-4131-1 : xen - security update	Nessus	Debian Local Security Checks	medium
107097	Xen guest_remove_page() Function Pagetable Unpinning Handling Guest-to-host DoS (XSA-252)	Nessus	Misc.	medium

CVE-2018-7540

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins