SB2015031202 - Information disclosure in Xen
Published: March 12, 2015 Updated: July 28, 2020
Security Bulletin ID
SB2015031202
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2015-2045)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors.
Remediation
Install update from vendor's website.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152588.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152776.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
- http://support.citrix.com/article/CTX200484
- http://www.debian.org/security/2015/dsa-3181
- http://www.securityfocus.com/bid/72955
- http://www.securitytracker.com/id/1031806
- http://www.securitytracker.com/id/1031837
- http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-423503.htm
- http://xenbits.xen.org/xsa/advisory-122.html
- https://security.gentoo.org/glsa/201504-04