SB2018103102 - Gentoo update for Xen
Published: October 31, 2018
Description
This security bulletin contains information about 19 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-5715)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in CPU hardware (Intel and other vendors' processors) due to improper isolation of speculatively executed instructions (Spectre variant 2, branch target injection). A local attacker who can run code on the system can poison the branch predictor so that privileged code speculatively executes an attacker-chosen gadget, then recover the data it touched through a cache side-channel attack. On a Xen host this means a guest can potentially read memory belonging to the hypervisor or to other guests.
2) Information disclosure (CVE-ID: CVE-2017-5753)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in CPU hardware (Intel and other vendors' processors) due to improper isolation of speculatively executed instructions (Spectre variant 1, bounds check bypass). A local attacker who can run code on the system can cause a bounds check to be speculatively bypassed so that out-of-bounds data is loaded into the cache, then recover that data through a cache side-channel attack.
3) Information disclosure (CVE-ID: CVE-2017-5754)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in Intel CPU hardware because out-of-order execution can access privileged memory before the permission check takes effect (the Meltdown attack). A local attacker who can run code on the system can read privileged memory, such as kernel or hypervisor memory, by measuring the resulting data-cache state in a side-channel attack.
4) Out-of-bounds write (CVE-ID: CVE-2018-10471)
The vulnerability allows a malicious x86 PV guest to cause a DoS condition on the host and possibly to execute arbitrary code.
The weakness exists because INT 80 handling unconditionally writes the value zero to an address near 2^64, the result of an incorrect fix for CVE-2017-5754 (item 3 above). A malicious or buggy PV guest can trigger this write via unexpected INT 80 processing and crash the hypervisor.
Successful exploitation results in a denial of service for the entire host; privilege escalation and information leaks cannot be excluded.
5) Information disclosure (CVE-ID: CVE-2018-10472)
The vulnerability allows a malicious x86 HVM guest, in certain configurations, to obtain potentially sensitive information from dom0.
The weakness exists because a CDROM image inserted at runtime can name a dom0 file as the backing file of a snapshot, which the QEMU device model then opens on the guest's behalf. A guest can read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.
6) Infinite loop (CVE-ID: CVE-2018-10981)
The vulnerability allows a malicious x86 HVM guest to cause a DoS condition on the host.
The weakness exists because the hypervisor fails to reject invalid transitions between the states of an I/O request handled by the QEMU device model. A malicious guest can craft an I/O request that makes the device model switch the request back and forth between two states, trapping the host in an infinite loop.
7) Out-of-bounds access (CVE-ID: CVE-2018-10982)
The vulnerability allows a malicious x86 HVM guest to cause a DoS condition on the host or possibly gain host privileges.
The weakness exists due to an array overrun in the hypervisor's emulation of the High Precision Event Timer (HPET) when a timer is configured to deliver interrupts in IO-APIC mode. A guest administrator who configures the virtual HPET in this mode can crash the host, and privilege escalation cannot be excluded.
8) Denial of service (CVE-ID: CVE-2018-12891)
The vulnerability allows a malicious x86 PV guest to cause a DoS condition on the host.
The vulnerability exists because certain PV MMU operations can take a long time to process, so Xen explicitly checks at certain points whether the current vCPU needs to be preempted, but a few rarely taken code paths bypass those checks. A malicious PV guest can invoke such operations to prevent a physical CPU from being used for an extended period of time.
9) Security restrictions bypass (CVE-ID: CVE-2018-12892)
The vulnerability allows a malicious guest administrator (or, in some situations, a guest user) to bypass read-only restrictions on a disk image.
The vulnerability exists in libxl, which fails to pass the read-only flag to QEMU when setting up an emulated SCSI disk for an HVM guest. A guest can therefore write to a SCSI disk image that was configured as read-only.
10) Denial of service (CVE-ID: CVE-2018-12893)
The vulnerability allows a malicious x86 PV guest to cause a DoS condition on the host.
The vulnerability exists because one of the safety checks that an earlier fix added to debug exception (#DB) handling can be triggered by a guest. A malicious PV guest can use the hardware debugging facilities to raise a debug exception that trips this check and crashes the hypervisor.
11) Denial of service (CVE-ID: CVE-2018-15468)
The vulnerability allows a malicious guest administrator to cause a DoS condition on the host.
The vulnerability exists because the DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly and some of which do not: Branch Trace Store in particular is not virtualised by the processor and must not be exposed to guests, yet on processors that support it guests are able to write to the MSR. A guest administrator can choose any MSR_DEBUGCTL setting it likes, including enabling Branch Trace Store, and lock up the entire host.
12) Denial of service (CVE-ID: CVE-2018-15469)
The vulnerability allows a malicious guest on ARM systems to cause a DoS condition on the host.
The vulnerability exists because Xen on ARM never properly supported version 2 of the grant table interface, yet the hypervisor still allows guests to request it, and Linux uses version 2 whenever the hypervisor does not prevent it (so the bug is in both the hypervisor and Linux). A malicious guest can request version 2 grant tables, trigger a BUG() check and crash the hypervisor.
13) Resource exhaustion (CVE-ID: CVE-2018-15470)
The vulnerability allows a malicious guest to cause a DoS condition on the host.
The vulnerability exists because oxenstored fails to enforce the quota-maxentity setting. A malicious guest can write an unbounded number of XenStore entries, exhaust memory in oxenstored and deny service to every guest on the host.
14) Side-channel attack (CVE-ID: CVE-2018-3620)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in processors that use speculative execution and address translation (L1 Terminal Fault, OS/SMM variant). A local attacker who can run code on the system can provoke a terminal fault on a page-table entry that is not present or otherwise invalid and, through speculative execution and a side-channel attack, read data residing in the L1 data cache.
15) Side-channel attack (CVE-ID: CVE-2018-3646)
The vulnerability allows a malicious guest to obtain potentially sensitive information from the host or from other guests.
The vulnerability exists in processors that use speculative execution and address translation (L1 Terminal Fault, VMM variant). An attacker with guest OS privilege can provoke a terminal fault and, through speculative execution and a side-channel attack, read data residing in the L1 data cache, including data belonging to the hypervisor or to other guests sharing the same physical core.
16) Memory leak (CVE-ID: CVE-2018-5244)
The vulnerability allows a malicious guest administrator to cause a DoS condition on the host.
The vulnerability exists because the MSR emulation infrastructure introduced in Xen 4.10 does not free one of its per-vCPU tracking structures when a vCPU is destroyed. A guest administrator can drive host memory consumption by rebooting the guest many times, eventually crashing the host.
17) Resource exhaustion (CVE-ID: CVE-2018-7540)
The vulnerability allows a malicious x86 PV guest to cause a DoS condition on the host.
The weakness exists because freeing L3/L4 pagetables is not preemptible. A malicious PV guest can make the hypervisor spend an extended time freeing such pagetables, holding a physical CPU and hanging the host.
18) Memory corruption (CVE-ID: CVE-2018-7541)
The vulnerability allows a malicious guest to cause a DoS condition on the host and possibly gain elevated privileges.
The weakness exists due to an error when a guest transitions its grant table from version 2 back to version 1. A malicious guest can trigger memory corruption in the hypervisor, crash the host, and possibly escalate privileges.
19) NULL pointer dereference (CVE-ID: CVE-2018-7542)
The vulnerability allows a malicious x86 PVH guest to cause a DoS condition on the host.
The weakness exists because the hypervisor mishandles PVH guest configurations that lack a Local APIC. A PVH guest created without a Local APIC can trigger a NULL pointer dereference in the hypervisor and crash the host.
Remediation
Install the updated Xen packages from Gentoo and reboot into the new hypervisor; hypervisor fixes only take effect after a reboot. The hardware side-channel issues (items 1-3, 14 and 15) also depend on current CPU microcode for the MSR-based mitigations (IBRS/IBPB and the L1D flush).
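As an added example that is not part of this bulletin or of the Xen project's own tooling, the following POSIX shell script checks a saved "xl dmesg" boot log for the hypervisor-side mitigations covering items 1-3, 14 and 15 above. It assumes the "Speculative mitigation facilities" block as printed by Xen 4.11-era releases (other releases word these lines differently, so the patterns may need adjusting); the two log samples it ships with are constructed for illustration, not real captures.

```shell
#!/bin/sh
# Added example, not part of the Gentoo bulletin or of Xen itself.
# After updating and rebooting, confirm that the hypervisor reports the
# speculative-execution mitigations for Spectre v2, Meltdown and L1TF by
# inspecting its boot log ("xl dmesg"). The patterns below follow the
# "Speculative mitigation facilities" block of Xen 4.11-era releases
# (assumption: adjust them for releases that word these lines differently).

# check_xen_mitigations LOGFILE
# Prints one status line per mitigation; returns 0 if every expected
# mitigation is reported, 1 otherwise.
check_xen_mitigations() {
    log="$1"
    rc=0

    # Spectre v2 (CVE-2017-5715): Xen built with an indirect-branch thunk,
    # or hardware IBRS switched on ("SPEC_CTRL: IBRS+").
    if grep -Eq 'BTI-Thunk (RETPOLINE|LFENCE|JMP)|SPEC_CTRL: IBRS\+' "$log"; then
        echo "spectre-v2 (BTI): mitigated"
    else
        echo "spectre-v2 (BTI): NOT mitigated"; rc=1
    fi

    # Meltdown (CVE-2017-5754) for 64-bit PV guests: XPTI on for Dom0 and DomU.
    if grep -Eq 'XPTI \(64-bit PV only\): Dom0 enabled, DomU enabled' "$log"; then
        echo "meltdown (XPTI): enabled for Dom0 and DomU"
    else
        echo "meltdown (XPTI): NOT fully enabled"; rc=1
    fi

    # L1TF (CVE-2018-3646) for HVM guests: L1D cache flushed on VM entry.
    if grep -Eq 'Other:.*L1D_FLUSH' "$log"; then
        echo "l1tf-hvm (L1D_FLUSH): active"
    else
        echo "l1tf-hvm (L1D_FLUSH): NOT active"; rc=1
    fi

    # L1TF for PV guests: shadow paging applied to unsafe PTEs of DomUs.
    if grep -Eq 'PV L1TF shadowing: .*DomU enabled' "$log"; then
        echo "l1tf-pv (shadowing): enabled for DomU"
    else
        echo "l1tf-pv (shadowing): NOT enabled"; rc=1
    fi

    return "$rc"
}

# Constructed sample of a patched hypervisor's boot log (not a real capture).
write_patched_sample() {
    cat > "$1" <<'EOF'
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN)   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD-, Other: IBPB L1D_FLUSH
(XEN)   L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 46, Safe address 8000000000
(XEN)   Support for VMs: PV: MSR_SPEC_CTRL RSB EAGER_FPU, HVM: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled
(XEN)   PV L1TF shadowing: Dom0 disabled, DomU enabled
EOF
}

# Constructed sample of an old hypervisor that prints no mitigation block.
write_unpatched_sample() {
    cat > "$1" <<'EOF'
(XEN) Bootloader: GRUB 2.02
(XEN) Command line: dom0_mem=4096M,max:4096M
(XEN) Using APIC driver default
EOF
}

# Stand-alone run against both constructed samples. On a real host use:
#   xl dmesg > /tmp/xen-boot.log && check_xen_mitigations /tmp/xen-boot.log
sample=$(mktemp)
echo "== patched sample =="
write_patched_sample "$sample"
check_xen_mitigations "$sample"
echo "== unpatched sample =="
write_unpatched_sample "$sample"
check_xen_mitigations "$sample" || echo "(mitigations missing, as expected)"
rm -f "$sample"
```

A non-zero exit from check_xen_mitigations on a freshly updated host usually means either the reboot into the new hypervisor has not happened yet or the microcode lacks the MSRs the hypervisor needs; compare the "Hardware features" line against the "Xen settings" line to tell the two apart.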