SB2018043025 - Information disclosure in xen (Alpine package)
Published: April 30, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2018-10472)
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exists in certain configurations due to improper information control. An adjacent attacker can read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=cf5828feef63ab62588f29482b15001535c73719
- https://git.alpinelinux.org/aports/commit/?id=96018bf2841ac59b632f6d84ad6247b5b825dc3a
- https://git.alpinelinux.org/aports/commit/?id=d2a71459869989207ef392e3d8338330ee055a7f
- https://git.alpinelinux.org/aports/commit/?id=9bdda5f2061773ab7f74bacd75ba922ce5fef8ac
- https://git.alpinelinux.org/aports/commit/?id=95c1be17ba7dd9d974289b72613f50e74a20e0a2
- https://git.alpinelinux.org/aports/commit/?id=73f6ed4311545e458f14db858c74d8d332f9c100