SB2012082703 - SUSE Linux update for Xen and libvirt

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012082703

SB2012082703 - SUSE Linux update for Xen and libvirt

Published: August 27, 2012

Security Bulletin ID SB2012082703
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Adjecent network
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2012-2625)

The vulnerability allows a remote #AU# to perform service disruption.

The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-3432)

The vulnerability allows a local non-authenticated attacker to perform service disruption.

The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions.


3) Resource management error (CVE-ID: CVE-2012-3433)

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying the physical address space in a way that triggers excessive shared page search time during the p2m teardown.


Remediation

Install update from vendor's website.

References