Alpine: xen: security update to 4.16.6-r1

high Tenable Cloud Security Plugin ID 408485

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive
interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in
one go. In this handling an error path could be taken in different situations, with or without a
particular lock held. This error path wrongly releases the lock even when it is not currently held.
(CVE-2024-31143)

- Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory
Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for
platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a
device associated with such a region is active, the mappings of these regions need to remain continuouly
accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting
in such mappings to potentially remain in place when they should have been removed again. Respective
guests would then gain access to memory regions which they aren't supposed to have access to.
(CVE-2024-31145)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-31143

https://security.alpinelinux.org/vuln/CVE-2024-31145

Plugin Details

Severity: High

ID: 408485

Version: Revision 1.38

Type: Local

Published: 8/21/2024

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.5

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-31143

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-31145

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/16/2024

Reference Information

CVE: CVE-2024-31143, CVE-2024-31145

IAVB: 2024-B-0095-S