Resource management error in xen (Alpine package)

Published: 2014-08-25

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2014-5146
CWE-ID	CWE-399
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	xen (Alpine package) Operating systems & Components / Operating system package or component
Vendor	Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Resource management error

EUVDB-ID: #VU32502

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-5146

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.

Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149.

Mitigation

Install update from vendor's website.

Vulnerable software versions

xen (Alpine package): 4.2.1-r0 - 4.2.2-r11

CPE2.3

External links

https://git.alpinelinux.org/aports/commit/?id=695a72617ae53a60aaefe8567f3e245882e5d6b8
https://git.alpinelinux.org/aports/commit/?id=34cd3222cc7f54f16d6de20f5c5868a69c0edc4b
https://git.alpinelinux.org/aports/commit/?id=9a7a36301a933b7cb457c5d81ecc31c4667d2668
https://git.alpinelinux.org/aports/commit/?id=deffb3e9dbc9198afd2ea6c8e648a32a574a0056

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.