SB2019010834 - Denial of service in xen (Alpine package)
Published: January 8, 2019
Security Bulletin ID
SB2019010834
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Denial of service (CVE-ID: CVE-2018-19961)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to cause DoS condition on the target system.
The weakness exists due to insufficient TLB flushing after improper large page mappings with AMD IOMMUs. An adjacent attacker can cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=f39fc76089047b3f9b0e1ec06aecb40cc1ac1786
- https://git.alpinelinux.org/aports/commit/?id=b1098f74cfa616c0046ba6c5f2d032ac2f1d8e02
- https://git.alpinelinux.org/aports/commit/?id=e28e1495e1510e8a1673d135dc5272813b38a0cf
- https://git.alpinelinux.org/aports/commit/?id=3157c8cf385f659174a6d95a9218bc3281359513