The XEN hypervisor was updated to fix two security issues :

  - Fixed a buffer overflow in the floppy drive emulation,     which could be used to denial of service attacks or     potential code execution against the host.
    (CVE-2015-3456)

  - Xen did not initialize certain fields, which allowed     certain remote service domains to obtain sensitive     information from memory via a (1) XEN_DOMCTL_gettscinfo     or (2) XEN_SYSCTL_getdomaininfolist request.
    (CVE-2015-3340)

Xen was updated to fix two security issues and a bug :

CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM.

CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

An exception in setCPUAffinity when restoring guests. (bsc#910441)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. This issue is known as VENOM. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3456)

Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets. A remote attacker could use this issue to cause QEMU to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-1779)

Jan Beulich discovered that QEMU, when used with Xen, didn't properly restrict access to PCI command registers. A malicious guest could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2756).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - force the fifo access to be in bounds of the allocated     buffer This is CVE-2015-3456. [bug 21078935]     (CVE-2015-3456)

  - xen: limit guest control of PCI command register     Otherwise the guest can abuse that control to cause e.g.
    PCIe Unsupported Request responses (by disabling memory     and/or I/O decoding and subsequently causing [CPU side]     accesses to the respective address ranges), which     (depending on system configuration) may be fatal to the     host. This is CVE-2015-2756 / XSA-126.

    Conflicts: tools/ioemu-remote/hw/pass-through.c     (CVE-2015-2756)

  - Limit XEN_DOMCTL_memory_mapping hypercall to only     process up to 64 GFNs (or less) Said hypercall for large     BARs can take quite a while. As such we can require that     the hypercall MUST break up the request in smaller     values. Another approach is to add preemption to it -     whether we do the preemption using     hypercall_create_continuation or returning EAGAIN to     userspace (and have it re-invocate the call) - either     way the issue we cannot easily solve is that in     'map_mmio_regions' if we encounter an error we MUST call     'unmap_mmio_regions' for the whole BAR region. Since the     preemption would re-use input fields such as nr_mfns,     first_gfn, first_mfn - we would lose the original values
    - and only undo what was done in the current round (i.e.
    ignoring anything that was done prior to earlier     preemptions). Unless we re-used the return value as     'EAGAIN|nr_mfns_done<<10' but that puts a limit (since     the return value is a long) on the amount of nr_mfns     that can provided. This patch sidesteps this problem by :

  - Setting an hard limit of nr_mfns having to be 64 or     less.

  - Toolstack adjusts correspondingly to the nr_mfn limit.

  - If the there is an error when adding the toolstack will     call the remove operation to remove the whole region.
    The need to break this hypercall down is for large BARs     can take more than the guest (initial domain usually)     time-slice. This has the negative result in that the     guest is locked out for a long duration and is unable to     act on any pending events. We also augment the code to     return zero if nr_mfns instead of trying to the     hypercall. Suggested-by: Jan Beulich 

    This is CVE-2015-2752 / XSA-125. Conflicts:
    xen/arch/x86/domctl.c (CVE-2015-2752)

KVM was updated to fix the following security issues :

CVE-2015-3456: Buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM.

CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.

CVE-2014-0223: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Three vulnerabilities have been fixed in the Debian squeeze-lts version of VirtualBox (package name: virtualbox-ose), a x86 virtualisation solution.

CVE-2015-0377

Avoid VirtualBox allowing local users to affect availability via unknown vectors related to Core, which might result in denial of service. (Other issue than CVE-2015-0418).

CVE-2015-0418

Avoid VirtualBox allowing local users to affect availability via unknown vectors related to Core, which might result in denial of service. (Other issue than CVE-2015-0377).

CVE-2015-3456

The Floppy Disk Controller (FDC) in QEMU, also used in VirtualBox and other virtualization products, allowed local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - fdc: force the fifo access to be in bounds of the     allocated buffer During processing of certain commands     such as FD_CMD_READ_ID and     FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory     access could get out of bounds leading to memory     corruption with values coming from the guest. Fix this     by making sure that the index is always bounded by the     allocated memory. This is CVE-2015-3456.

    XSA-133 (CVE-2015-3456)

  - fdc: force the fifo access to be in bounds of the     allocated buffer During processing of certain commands     such as FD_CMD_READ_ID and     FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory     access could get out of bounds leading to memory     corruption with values coming from the guest. Fix this     by making sure that the index is always bounded by the     allocated memory. This is CVE-2015-3456.

    XSA-133 (CVE-2015-3456)

  - domctl: don't allow a toolstack domain to call     domain_pause on itself These DOMCTL subops were     accidentally declared safe for disaggregation in the     wake of XSA-77. This is XSA-127. (CVE-2015-2751)

  - xen: limit guest control of PCI command register     Otherwise the guest can abuse that control to cause e.g.
    PCIe Unsupported Request responses (by disabling memory     and/or I/O decoding and subsequently causing [CPU side]     accesses to the respective address ranges), which     (depending on system configuration) may be fatal to the     host. This is CVE-2015-2756 / XSA-126.

    Conflicts:
    tools/qemu-xen-traditional-dir/hw/pass-through.c     (CVE-2015-2756)

  - xen: limit guest control of PCI command register     Otherwise the guest can abuse that control to cause e.g.
    PCIe Unsupported Request responses (by disabling memory     and/or I/O decoding and subsequently causing [CPU side]     accesses to the respective address ranges), which     (depending on system configuration) may be fatal to the     host. This is CVE-2015-2756 / XSA-126. (CVE-2015-2756)

  - Limit XEN_DOMCTL_memory_mapping hypercall to only     process up to 64 GFNs (or less) Said hypercall for large     BARs can take quite a while. As such we can require that     the hypercall MUST break up the request in smaller     values. Another approach is to add preemption to it -     whether we do the preemption using     hypercall_create_continuation or returning EAGAIN to     userspace (and have it re-invocate the call) - either     way the issue we cannot easily solve is that in     'map_mmio_regions' if we encounter an error we MUST call     'unmap_mmio_regions' for the whole BAR region. Since the     preemption would re-use input fields such as nr_mfns,     first_gfn, first_mfn - we would lose the original values
    - and only undo what was done in the current round (i.e.
    ignoring anything that was done prior to earlier     preemptions). Unless we re-used the return value as     'EAGAIN|nr_mfns_done<<10' but that puts a limit (since     the return value is a long) on the amount of nr_mfns     that can provided. This patch sidesteps this problem by :

  - Setting an hard limit of nr_mfns having to be 64 or     less.

  - Toolstack adjusts correspondingly to the nr_mfn limit.

  - If the there is an error when adding the toolstack will     call the remove operation to remove the whole region.
    The need to break this hypercall down is for large BARs     can take more than the guest (initial domain usually)     time-slice. This has the negative result in that the     guest is locked out for a long duration and is unable to     act on any pending events. We also augment the code to     return zero if nr_mfns instead of trying to the     hypercall. Suggested-by: Jan Beulich 

    This is CVE-2015-2752 / XSA-125. (CVE-2015-2752)

XEN was updated to fix two security issues and bugs.

Security issues fixed :

  - CVE-2015-3340: Xen did not initialize certain fields,     which allowed certain remote service domains to obtain     sensitive information from memory via a (1)     XEN_DOMCTL_gettscinfo or (2)     XEN_SYSCTL_getdomaininfolist request.

  - CVE-2015-2751: Xen, when using toolstack disaggregation,     allowed remote domains with partial management control     to cause a denial of service (host lock) via unspecified     domctl operations.

  - CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall     in Xen, when using a PCI passthrough device, was not     preemptable, which allowed local x86 HVM domain users to     cause a denial of service (host CPU consumption) via a     crafted request to the device model (qemu-dm).

  - CVE-2015-3456: Fixed a buffer overflow in the floppy     drive emulation, which could be used to denial of     service attacks or potential code execution against the     host.

Bugs fixed :

  - xentop: Fix memory leak on read failure

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in the qemu virtualisation solution :

  - CVE-2014-9718     It was discovered that the IDE controller emulation is     susceptible to denial of service.

  - CVE-2015-1779     Daniel P. Berrange discovered a denial of service     vulnerability in the VNC web socket decoder.

  - CVE-2015-2756     Jan Beulich discovered that unmediated PCI command     register could result in denial of service.

  - CVE-2015-3456     Jason Geffner discovered a buffer overflow in the     emulated floppy disk drive, resulting in the potential     execution of arbitrary code.

Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs.

The following vulnerabilities were fixed :

  - CVE-2015-4103: Potential unintended writes to host MSI     message data field via qemu (XSA-128) (boo#931625)

  - CVE-2015-4104: PCI MSI mask bits inadvertently exposed     to guests (XSA-129) (boo#931626)

  - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through     error messages (XSA-130) (boo#931627)

  - CVE-2015-4106: Unmediated PCI register access in qemu     (XSA-131) (boo#931628)

  - CVE-2015-4164: DoS through iret hypercall handler     (XSA-136) (boo#932996)

  - CVE-2015-4163: GNTTABOP_swap_grant_ref operation     misbehavior (XSA-134) (boo#932790)

  - CVE-2015-3209: heap overflow in qemu pcnet controller     allowing guest to host escape (XSA-135) (boo#932770)

  - CVE-2015-3456: Fixed a buffer overflow in the floppy     drive emulation, which could be used to denial of     service attacks or potential code execution against the     host. ()

  - CVE-2015-3340: Xen did not initialize certain fields,     which allowed certain remote service domains to obtain     sensitive information from memory via a (1)     XEN_DOMCTL_gettscinfo or (2)     XEN_SYSCTL_getdomaininfolist request. ()

  - CVE-2015-2752: Long latency MMIO mapping operations are     not preemptible (XSA-125 boo#922705)

  - CVE-2015-2756: Unmediated PCI command register access in     qemu (XSA-126 boo#922706)

  - CVE-2015-2751: Certain domctl operations may be abused     to lock up the host (XSA-127 boo#922709)

  - CVE-2015-2151: Hypervisor memory corruption due to x86     emulator flaw (boo#919464 XSA-123)

  - CVE-2015-2045: Information leak through version     information hypercall (boo#918998 XSA-122)

  - CVE-2015-2044: Information leak via internal x86 system     device emulation (boo#918995 (XSA-121)

  - CVE-2015-2152: HVM qemu unexpectedly enabling emulated     VGA graphics backends (boo#919663 XSA-119)

  - CVE-2014-3615: information leakage when guest sets high     resolution (boo#895528)

The following non-security bugs were fixed :

  - xentop: Fix memory leak on read failure 

  - boo#923758: xen dmesg contains bogus output in early     boot

  - boo#921842: Xentop doesn't display disk statistics for     VMs using qdisks

  - boo#919098: L3: XEN blktap device intermittently fails     to connect 

  - boo#882089: Windows 2012 R2 fails to boot up with     greater than 60 vcpus

  - boo#903680: Problems with detecting free loop devices on     Xen guest startup

  - boo#861318: xentop reports 'Found interface vif101.0 but     domain 101 does not exist.'

  - boo#901488: Intel ixgbe driver assigns rx/tx queues per     core resulting in irq problems on servers with a large     amount of CPU cores

  - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work

  - boo#912011: high ping latency after upgrade to latest     SLES11SP3 on xen Dom0

  - boo#906689: let systemd schedule xencommons after     network-online.target and remote-fs.target so that     xendomains has access to remote shares

The following functionality was enabled or enhanced :

  - Enable spice support in qemu for x86_64

  - Add Qxl vga support

  - Enhancement to virsh/libvirtd 'send-key' command     (FATE#317240)

  - Add domain_migrate_constraints_set API to Xend's http     interface (FATE#317239)

The remote host is affected by the vulnerability described in GLSA-201612-27 (VirtualBox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in VirtualBox. Please       review the CVE identifiers referenced below for details.
  Impact :

    Local attackers could cause a Denial of Service condition, execute       arbitrary code, or escalate their privileges.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-201602-01 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker might cause a Denial of Service or gain escalated       privileges from a guest VM.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.

ID	Name	Product	Family	Published	Updated	Severity
83965	openSUSE Security Update : xen (openSUSE-2015-391) (Venom)	Nessus	SuSE Local Security Checks	2015/06/03	2020/06/04	high
83853	SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:0927-1) (Venom)	Nessus	SuSE Local Security Checks	2015/05/27	2019/09/11	high
83435	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2608-1) (Venom)	Nessus	Ubuntu Local Security Checks	2015/05/13	2019/09/18	high
83483	OracleVM 3.2 : xen (OVMSA-2015-0058) (Venom)	Nessus	OracleVM Local Security Checks	2015/05/15	2019/09/27	high
83854	SUSE SLES11 Security Update : KVM (SUSE-SU-2015:0929-1) (Venom)	Nessus	SuSE Local Security Checks	2015/05/27	2019/09/11	high
84551	Debian DLA-268-1 : virtualbox-ose security update (Venom)	Nessus	Debian Local Security Checks	2015/07/07	2020/03/12	high
83482	OracleVM 3.3 : xen (OVMSA-2015-0057) (Venom)	Nessus	OracleVM Local Security Checks	2015/05/15	2019/09/27	high
83757	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0923-1) (Venom)	Nessus	SuSE Local Security Checks	2015/05/21	2019/09/11	high
83422	Debian DSA-3259-1 : qemu - security update (Venom)	Nessus	Debian Local Security Checks	2015/05/13	2018/11/10	high
84333	openSUSE Security Update : xen (openSUSE-2015-434) (Venom)	Nessus	SuSE Local Security Checks	2015/06/23	2020/06/04	high
95695	GLSA-201612-27 : VirtualBox: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	2016/12/12	2019/04/11	high
88587	GLSA-201602-01 : QEMU: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	2016/02/05	2019/04/11	critical
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	2016/04/07	2019/08/12	high
84140	OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)	Nessus	OracleVM Local Security Checks	2015/06/12	2019/11/12	high

Plugins Search