Alpine: xen: security update to 4.11.0-r0

Critical | Tenable Self-Hosted Container Security Plugin ID 407745

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when
setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest
administrators or (in some situations) users may be able to write to supposedly read-only disk images.
Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are
affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected).
Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless
of the nature of the backing storage on the host) are not affected; they are always read only. Only
systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only
systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the
libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided
that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host
and guest together usually support PVHVM, the issue is exploitable only if the malicious guest
administrator has control of the guest kernel or guest kernel command line. (CVE-2018-12892)

- Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
Variant 4. (CVE-2018-3639)

- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-12891

https://security.alpinelinux.org/vuln/CVE-2018-12892

https://security.alpinelinux.org/vuln/CVE-2018-12893

https://security.alpinelinux.org/vuln/CVE-2018-3639

https://security.alpinelinux.org/vuln/CVE-2018-3665

Plugin Details

Severity: Critical

ID: 407745

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 1/9/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6

Percentile: 96.99

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2018-12892

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/21/2018

Exploitable With

Core Impact

Reference Information

CVE: CVE-2018-12891, CVE-2018-12892, CVE-2018-12893, CVE-2018-3639, CVE-2018-3665

BID: 104232, 104460, 104570, 104571, 104572

IAVA: 2018-A-0169-S, 2018-A-0196-S, 2018-A-0237-S

IAVB: 2018-B-0094-S