Alpine: multiple xen packages: security update to 4.7.0-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400950

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to
gain host OS privileges via vectors related to L3 recursive pagetables. (CVE-2016-7092)

- Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and
consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during
emulation. (CVE-2016-7093)

- Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running
with shadow paging to cause a denial of service via a pagetable update. (CVE-2016-7094)

See Also

https://git.alpinelinux.org/aports/commit/?id=6a2b1e8bc87aca9f100a08c15335246a1744b1fd

https://git.alpinelinux.org/aports/commit/?id=d3322b94f04cd8666c3d6fc68fd17e26859f932a

Plugin Details

Severity: High

ID: 400950

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-7093

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/14/2016

Vulnerability Publication Date: 9/8/2016

Reference Information

CVE: CVE-2016-7092, CVE-2016-7093, CVE-2016-7094

BID: 92862, 92864, 92865

IAVA: 2016-A-0234-S

IAVB: 2016-B-0140-S