Detections
Analytics

Alpine: xen: security update to 4.16.6-r0

high Tenable Cloud Security Plugin ID 408363

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular
 means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the
 range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount
 of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps
 updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further
 involves a certain amount of translation of the values. Unfortunately internal sanity checking of these
 translated values assumes high halves of registers to always be clear when invoking a hypercall. When this
 is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash.
 (CVE-2023-46842)

 - A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including
 the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. (CVE-2024-2201)

 - Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when
 it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is
 equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html
 https://xenbits.xen.org/xsa/advisory-434.html (CVE-2024-31142)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-46842

https://security.alpinelinux.org/vuln/CVE-2024-2201

https://security.alpinelinux.org/vuln/CVE-2024-31142

Plugin Details

Severity: High

ID: 408363

Version: Revision 1.29

Type: Local

Published: 4/10/2024

Updated: 6/12/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-31142

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2023-46842, CVE-2024-2201, CVE-2024-31142

IAVB: 2024-B-0200