Alpine: xen: security update to 4.10.2-r1

high Tenable Self-Hosted Container Security Plugin ID 407739

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service
(host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data
structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for
CVE-2017-15595. (CVE-2018-19966)

- An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH
guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other
impact because nested VT-x is not properly restricted. (CVE-2018-18883)

- An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to
gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
(CVE-2018-19961)

- An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to
gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
(CVE-2018-19962)

- An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of
service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB
flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
(CVE-2018-19965)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-18883

https://security.alpinelinux.org/vuln/CVE-2018-19961

https://security.alpinelinux.org/vuln/CVE-2018-19962

https://security.alpinelinux.org/vuln/CVE-2018-19965

https://security.alpinelinux.org/vuln/CVE-2018-19966

https://security.alpinelinux.org/vuln/CVE-2018-19967

Plugin Details

Severity: High

ID: 407739

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-19966

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/25/2018

Reference Information

CVE: CVE-2018-18883, CVE-2018-19961, CVE-2018-19962, CVE-2018-19965, CVE-2018-19966, CVE-2018-19967

BID: 105817, 105954, 106182

IAVA: 2018-A-0353-S

IAVB: 2018-B-0142-S, 2018-B-0149-S