Alpine: multiple xen packages: security update to 4.2.0-r7 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401189

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which
allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges
via unspecified vectors that overwrite memory in the hypervisor reserved range. (CVE-2012-5513)

- The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local
para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or
(2) lzma compressed kernel image. (CVE-2012-2625)

- Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial
of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate
deadline." (CVE-2012-4535)

- Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables
when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of
service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability."
(CVE-2012-4537)

- The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state
when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service
(hypervisor crash) via unspecified vectors. (CVE-2012-4538)

See Also

https://git.alpinelinux.org/aports/commit/?id=119185999980a6a6a78506a6b49e1a70ab55ad03

https://git.alpinelinux.org/aports/commit/?id=e9b405d8ff38fc48ee475df80fd47fc7461ec7b1

Plugin Details

Severity: High

ID: 401189

Version: Revision 1.26

Type: Local

Published: 8/16/2023

Updated: 3/5/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-5513

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2012

Vulnerability Publication Date: 5/4/2012

Reference Information

CVE: CVE-2012-2625, CVE-2012-4535, CVE-2012-4537, CVE-2012-4538, CVE-2012-4539, CVE-2012-4544, CVE-2012-5510, CVE-2012-5511, CVE-2012-5513, CVE-2012-5514, CVE-2012-5515, CVE-2012-5525

BID: 53650, 56289, 56498, 56794, 56796, 56797, 56798, 56803, 56805