Alpine: xen: security update to 4.8.4-r0

Critical. Tenable Self-Hosted Container Security, Plugin ID 407898

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
Variant 4. (CVE-2018-3639)

- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)

- An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process.
For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few
rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page
table contents, a malicious guest may cause such bypasses to be used for an unbounded number of
iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host.
Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions
from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of
attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are
affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86
HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability. (CVE-2018-12891)

- An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when
setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest
administrators or (in some situations) users may be able to write to supposedly read-only disk images.
Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are
affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected).
Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless
of the nature of the backing storage on the host) are not affected; they are always read only. Only
systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only
systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the
libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided
that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host
and guest together usually support PVHVM, the issue is exploitable only if the malicious guest
administrator has control of the guest kernel or guest kernel command line. (CVE-2018-12892)

- An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to
help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of
these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial
of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are
vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and
PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging
facilities to exploit the vulnerability, but such permissions are typically available to unprivileged
users. (CVE-2018-12893)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-12891

https://security.alpinelinux.org/vuln/CVE-2018-12892

https://security.alpinelinux.org/vuln/CVE-2018-12893

https://security.alpinelinux.org/vuln/CVE-2018-3639

https://security.alpinelinux.org/vuln/CVE-2018-3665

Plugin Details

Severity: Critical

ID: 407898

Version: Revision 1.30

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6

Percentile: 96.99

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2018-12892

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/21/2018

Exploitable With

Core Impact

Reference Information

CVE: CVE-2018-12891, CVE-2018-12892, CVE-2018-12893, CVE-2018-3639, CVE-2018-3665

BID: 104232, 104460, 104570, 104571, 104572

IAVA: 2018-A-0169-S, 2018-A-0196-S, 2018-A-0237-S

IAVB: 2018-B-0094-S