Alpine: multiple xen packages: security update to 4.14.0-r2

high Tenable Self-Hosted Container Security Plugin ID 424697

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service
(data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry
can be half-updated. (CVE-2020-27670)

- An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of
service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page
IOMMU TLB flushes is mishandled. (CVE-2020-27671)

- An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of
service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to
a use-after-free involving 2MiB and 1GiB superpages. (CVE-2020-27672)

- An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges
by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an
INVLPG-like attack technique. (CVE-2020-27674)

- Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from
outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus"
attack. NOTE: there is only one logically independent fix: to change the access control for each such
interface in Xen. (CVE-2020-28368)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-27670

https://security.alpinelinux.org/vuln/CVE-2020-27671

https://security.alpinelinux.org/vuln/CVE-2020-27672

https://security.alpinelinux.org/vuln/CVE-2020-27674

https://security.alpinelinux.org/vuln/CVE-2020-28368

Plugin Details

Severity: High

ID: 424697

Version: Revision 1.18

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-27672

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-27671

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/24/2020

Reference Information

CVE: CVE-2020-27670, CVE-2020-27671, CVE-2020-27672, CVE-2020-27674, CVE-2020-28368

IAVB: 2020-B-0056-S, 2020-B-0066-S