Alpine: xen: security update to 4.15.4-r0

high Tenable Cloud Security Plugin ID 407821

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data
Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further
processing to nevertheless be freed. (CVE-2022-33743)

- IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to
a potential information disclosure. (CVE-2022-23824)

- Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree
to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the
related lock held, resulting in a small race window, which can be used by unprivileged guests via PV
devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS)
of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory
pages. (CVE-2022-33744)

- P2M pool freeing may take excessively long The P2M pool backing second level address translation for
guests may be of significant size. Therefore its freeing may take more time than is reasonable without
intermediate preemption checks. Such checking for the need to preempt was so far missing. (CVE-2022-33746)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-23824

https://security.alpinelinux.org/vuln/CVE-2022-33743

https://security.alpinelinux.org/vuln/CVE-2022-33744

https://security.alpinelinux.org/vuln/CVE-2022-33746

https://security.alpinelinux.org/vuln/CVE-2022-33747

https://security.alpinelinux.org/vuln/CVE-2022-33748

https://security.alpinelinux.org/vuln/CVE-2022-33749

https://security.alpinelinux.org/vuln/CVE-2022-42309

https://security.alpinelinux.org/vuln/CVE-2022-42310

https://security.alpinelinux.org/vuln/CVE-2022-42311

https://security.alpinelinux.org/vuln/CVE-2022-42312

https://security.alpinelinux.org/vuln/CVE-2022-42313

https://security.alpinelinux.org/vuln/CVE-2022-42314

https://security.alpinelinux.org/vuln/CVE-2022-42315

https://security.alpinelinux.org/vuln/CVE-2022-42316

https://security.alpinelinux.org/vuln/CVE-2022-42317

https://security.alpinelinux.org/vuln/CVE-2022-42318

https://security.alpinelinux.org/vuln/CVE-2022-42319

https://security.alpinelinux.org/vuln/CVE-2022-42320

https://security.alpinelinux.org/vuln/CVE-2022-42321

https://security.alpinelinux.org/vuln/CVE-2022-42322

https://security.alpinelinux.org/vuln/CVE-2022-42323

https://security.alpinelinux.org/vuln/CVE-2022-42324

https://security.alpinelinux.org/vuln/CVE-2022-42325

https://security.alpinelinux.org/vuln/CVE-2022-42326

https://security.alpinelinux.org/vuln/CVE-2022-42327

Plugin Details

Severity: High

ID: 407821

Version: Revision 1.38

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-33743

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-42309

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/21/2021

Reference Information

CVE: CVE-2022-23824, CVE-2022-33743, CVE-2022-33744, CVE-2022-33746, CVE-2022-33747, CVE-2022-33748, CVE-2022-33749, CVE-2022-42309, CVE-2022-42310, CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318, CVE-2022-42319, CVE-2022-42320, CVE-2022-42321, CVE-2022-42322, CVE-2022-42323, CVE-2022-42324, CVE-2022-42325, CVE-2022-42326, CVE-2022-42327

IAVB: 2021-B-0068-S, 2022-B-0048-S