Alpine: multiple xen packages: security update to 4.2.2-r0 (deprecated)

high Tenable Cloud Security Plugin ID 401224

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87
registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of
the state of floating point instructions of other domains, which can be leveraged to obtain sensitive
information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the
documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a
security-relevant fashion that was not addressed by the kernels. (CVE-2013-2076)

- Xen 4.0.x, 4.1.x, and 4.2.x do not properly restrict the contents of an XRSTOR, which allows local PV
guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified
vectors. (CVE-2013-2077)

- Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allow local PV guest users to cause a denial of service
(hypervisor crash) via certain bit combinations to the XSETBV instruction. (CVE-2013-2078)

See Also

https://git.alpinelinux.org/aports/commit/?id=0d259bc43cda35fc7d64c6de9bff0c679183657e

https://git.alpinelinux.org/aports/commit/?id=f6e99451d47fbe7cdb852f48dd11006808db52ae

Plugin Details

Severity: High

ID: 401224

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:A/AC:H/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2013-2076

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2013

Vulnerability Publication Date: 6/3/2013

Reference Information

CVE: CVE-2013-2076, CVE-2013-2077, CVE-2013-2078

BID: 60277, 60278, 60282