Alpine: xen: security update to 4.13.3-r1

high Tenable Self-Hosted Container Security Plugin ID 407781

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially
enable information disclosure via local access. (CVE-2021-0089)

- x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort
speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details.
Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default
setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend. (CVE-2021-28690)

- inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel
with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous
notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the
completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to
fail overly-slow commands. The course of action upon a perceived timeout actually being detected is
inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as
crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue
as if the IOMMU operation succeeded. (CVE-2021-28692)

- xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...)
in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not
leaked from the modules, Xen must "scrub" them before handing the page over to the allocator.
Unfortunately, it was discovered that modules will not be scrubbed on Arm. (CVE-2021-28693)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-0089

https://security.alpinelinux.org/vuln/CVE-2021-28690

https://security.alpinelinux.org/vuln/CVE-2021-28692

https://security.alpinelinux.org/vuln/CVE-2021-28693

Plugin Details

Severity: High

ID: 407781

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:C

CVSS Score Source: CVE-2021-28692

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/9/2021

Reference Information

CVE: CVE-2021-0089, CVE-2021-28690, CVE-2021-28692, CVE-2021-28693

IAVB: 2021-B-0044-S, 2021-B-0060-S