Alpine: multiple xen packages: security update to 4.14.1-r0

high Tenable Self-Hosted Container Security Plugin ID 424699

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored implementation, the internal
representation of the tree has special cases for the root node, because this node has no parent.
Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests
can get and modify permissions, list, and delete the root node. (Deleting the whole xenstore tree is a
host-wide denial of service.) Achieving xenstore write access is also possible. All systems using
oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution,
if the Ocaml compiler is available. Systems using C xenstored are not vulnerable. (CVE-2020-29479)

- An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks
when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will
cause notifications for every created, modified, and deleted key. A guest administrator can also use the
special watches, which will cause a notification every time a domain is created and destroyed. Data may
include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual
interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g.,
existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and
device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not
contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain
and device lifecycle events relating to other guests. This information allows some insight into overall
system configuration (including the number and general nature of other guests), and configuration of other
guests (including the number and general nature of other guests' devices). This information might be
commercially interesting or might make other attacks easier. There is not believed to be exposure of
sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and
guest filesystems, cryptographic keys, or within-guest data. (CVE-2020-29480)

- An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid.
Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means
that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the
previous domain(s) with the same domid. Because all Xenstore entries of a guest below
/local/domain/<domid> are being deleted by Xen tools when a guest is destroyed, only Xenstore entries of
other guests still running are affected. For example, a newly created guest domain might be able to read
sensitive information that had belonged to a previously existing guest domain. Both Xenstore
implementations (C and Ocaml) are vulnerable. (CVE-2020-29481)

- An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths
containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for
their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute
paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path
specified by the client. Therefore, a guest can create paths in its own namespace which are too long for
management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause
some management tools and debugging operations to fail. For example, a guest administrator can cause
"xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from
tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the
default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored
are not vulnerable. (CVE-2020-29482)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-29479

https://security.alpinelinux.org/vuln/CVE-2020-29480

https://security.alpinelinux.org/vuln/CVE-2020-29481

https://security.alpinelinux.org/vuln/CVE-2020-29482

https://security.alpinelinux.org/vuln/CVE-2020-29483

https://security.alpinelinux.org/vuln/CVE-2020-29484

https://security.alpinelinux.org/vuln/CVE-2020-29485

https://security.alpinelinux.org/vuln/CVE-2020-29486

https://security.alpinelinux.org/vuln/CVE-2020-29566

https://security.alpinelinux.org/vuln/CVE-2020-29567

https://security.alpinelinux.org/vuln/CVE-2020-29570

https://security.alpinelinux.org/vuln/CVE-2020-29571

Plugin Details

Severity: High

ID: 424699

Version: Revision 1.12

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-29479

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-29481

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/15/2020

Reference Information

CVE: CVE-2020-29479, CVE-2020-29480, CVE-2020-29481, CVE-2020-29482, CVE-2020-29483, CVE-2020-29484, CVE-2020-29485, CVE-2020-29486, CVE-2020-29566, CVE-2020-29567, CVE-2020-29570, CVE-2020-29571

IAVB: 2020-B-0077-S