Alpine: multiple xen packages: security update to 4.6.3-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401005

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a
denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for
completion. (CVE-2016-5403)

- The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS
administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
(CVE-2016-6258)

- Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit
exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service
(hypervisor and VM crash) by triggering a safety check. (CVE-2016-6259)

See Also

https://git.alpinelinux.org/aports/commit/?id=c79838c3a14eed1cee24731f89d7b1171751d304

https://git.alpinelinux.org/aports/commit/?id=ee4ffbb28c8a78a28e0315d7050f8837fa316dc5

Plugin Details

Severity: High

ID: 401005

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-6258

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/15/2016

Vulnerability Publication Date: 7/26/2016

Reference Information

CVE: CVE-2016-5403, CVE-2016-6258, CVE-2016-6259

BID: 92130, 92131, 92148

IAVA: 2016-A-0198-S

IAVB: 2016-B-0118-S