Detections
Analytics

Alpine: multiple xen packages: security update to 4.9.0-r5 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400780

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service
 (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted
 page-table stacking. (CVE-2017-15595)

 - An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on
 the host OS because of a race condition that can cause a stale TLB entry. (CVE-2017-15588)

 - An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive
 information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a
 write of data from uninitialized hypervisor stack memory. (CVE-2017-15589)

 - An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service
 (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled. (CVE-2017-15590)

 - An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service
 (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for
 translated guests. (CVE-2017-15592)

See Also

https://git.alpinelinux.org/aports/commit/?id=18a6777daafbe3fd88dbaf2551e6f19185683693

https://git.alpinelinux.org/aports/commit/?id=a977efc91e7ab0455214c2803a0947f439f9e221

Plugin Details

Severity: High

ID: 400780

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-15595

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/23/2017

Vulnerability Publication Date: 10/12/2017

Reference Information

CVE: CVE-2017-15588, CVE-2017-15589, CVE-2017-15590, CVE-2017-15592, CVE-2017-15593, CVE-2017-15594, CVE-2017-15595

BID: 101490, 101496, 101500, 101513

IAVA: 2017-A-0300-S, 2017-A-0351-S

IAVB: 2017-B-0142-S