Alpine: multiple xen packages: security update to 4.2.0-r6 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401327

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which
allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges
via unspecified vectors that overwrite memory in the hypervisor reserved range. (CVE-2012-5513)

- Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the
tracking list when freeing the page, which allows local guest OS administrators to cause a denial of
service (hypervisor crash) via unspecified vectors. (CVE-2012-5510)

- Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows
local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image.
(CVE-2012-5511)

- The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the
subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a
denial of service (hang) via unspecified vectors. (CVE-2012-5514)

See Also

https://git.alpinelinux.org/aports/commit/?id=02c9cf16cb335a73de4a175a8f9a451a4a19a1ed

https://git.alpinelinux.org/aports/commit/?id=9dcb820d809f104dd8d04314d3ab175334a7470f

Plugin Details

Severity: High

ID: 401327

Version: Revision 1.26

Type: Local

Published: 8/16/2023

Updated: 3/5/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-5513

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2012

Vulnerability Publication Date: 12/3/2012

Reference Information

CVE: CVE-2012-5510, CVE-2012-5511, CVE-2012-5513, CVE-2012-5514, CVE-2012-5515, CVE-2012-5525

BID: 56794, 56796, 56797, 56798, 56803, 56805