Alpine: multiple xen packages: security update to 4.6.0-r4 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401058

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local
PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified
other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER
sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.
(CVE-2016-1570)

- The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back
pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via
unspecified vectors related to domain teardown. (CVE-2015-8339)

- The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release
locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via
unspecified vectors, related to XENMEM_exchange error handling. (CVE-2015-8340)

- The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as
kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to
cause a denial of service (memory and disk consumption) by starting domains. (CVE-2015-8341)

- Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial
of service (host OS crash) or gain privileges by writing to memory shared between the frontend and
backend, aka a double fetch vulnerability. (CVE-2015-8550)

See Also

https://git.alpinelinux.org/aports/commit/?id=c1d177c44a1d6248d5d291e272caa8a8cd3428d6

https://git.alpinelinux.org/aports/commit/?id=ccba2d08cc9d7de25cfa2eccbe943cb2e4ced400

Plugin Details

Severity: High

ID: 401058

Version: Revision 1.24

Type: Local

Published: 8/16/2023

Updated: 6/22/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-1570

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2015-8555

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2016

Vulnerability Publication Date: 12/8/2015

Reference Information

CVE: CVE-2015-8339, CVE-2015-8340, CVE-2015-8341, CVE-2015-8550, CVE-2015-8555, CVE-2015-8615, CVE-2016-1570, CVE-2016-1571, CVE-2016-2270, CVE-2016-2271

BID: 79036, 79038, 79543, 79592, 79644, 81291, 81292, 83188, 83292