Information disclosure in xen (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-12130
CWE-ID CWE-200
Exploitation vector Local
Public exploit N/A
Vulnerable software
 IBM Systems Director
Server applications / Other server solutions

xen (Alpine package)
Operating systems & Components / Operating system package or component

Vendor IBM Corporation
Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU28396

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12130

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Systems Director: 6.3.2.2

xen (Alpine package): 24.8-1

xen (Alpine package): 3.1.6.1-1

xen (Alpine package): 1.44-1 - 1.45-1

xen (Alpine package): 0.3.6.0amd12 - 1.12.9

xen (Alpine package): 1.9.9-3 - 1.9.10-1

xen (Alpine package): 0.16 - 0.35

xen (Alpine package): 0.2 - 0.9

xen (Alpine package): 0.4

xen (Alpine package): 2.5.3 - 2.17.5ubuntu1

xen (Alpine package): 3.4.0-1

xen (Alpine package): 0.14-1 - 0.15-2

xen (Alpine package): 2014.1-3

xen (Alpine package): 24.0-0ubuntu1

xen (Alpine package): 0.5.2-0ubuntu1 - 1.2.5ubuntu1daily13.06.14-0ubuntu1

xen (Alpine package): 3.0-0ubuntu1

xen (Alpine package): 1.5.2 - 1.6.2

xen (Alpine package): 0.1.8 - 1.0.75

xen (Alpine package): 1.20.0 - 2.18.2

xen (Alpine package): 20101020ubuntu323 - 20101020ubuntu468

xen (Alpine package): 0.2.12 - 1.5.49

xen (Alpine package): 1.8.8-2ubuntu1

xen (Alpine package): 0.2.8-8 - 0.2.11-1

xen (Alpine package): 0.3 - 1.8.42

xen (Alpine package): 5.3.28-3 - 5.3.28-4

xen (Alpine package): 1.5

xen (Alpine package): 0.4.5 - 0.5.8-2.2

xen (Alpine package): 0.2.11-1build1

xen (Alpine package): 0.63

xen (Alpine package): 0.3.1-0ubuntu1 - 0.10.0-3

xen (Alpine package): 0.13-1 - 0.22.1-2

xen (Alpine package): 2.1.0-2 - 2.1.26.dfsg1-14

xen (Alpine package): 0.5.16-3.5ubuntu1 - 0.5.17-6

xen (Alpine package): 1.3-1 - 1.3-3

xen (Alpine package): 5.11-1 - 7.35.0-1

xen (Alpine package): 1.3.9-17 - 2.0.3-2

xen (Alpine package): 0.1.2-1 - 0.2.6-1ubuntu1

xen (Alpine package): 1.0.47-2 - 1.0.64-0ubuntu1

xen (Alpine package): 2.1-3-dfsg-1 - 2.1-3-dfsg-2

xen (Alpine package): 0.100-3

xen (Alpine package): 2:1.0.6-2ubuntu7 - 2:1.6.4-1

xen (Alpine package): 0.8 - 9ubuntu2

xen (Alpine package): 3.0pl1-50 - 3.0pl1-119

xen (Alpine package): 1.0.0-0ubuntu1 - 1.0.0-0ubuntu2

xen (Alpine package): expression - 7.1.1-1

xen (Alpine package): 2.8.13-7 - 2.8.13-10

xen (Alpine package): 2.4.2-16 - 2.7-1

xen (Alpine package): 0.92-0ubuntu3 - 0.98-1

xen (Alpine package): 4.5.7-1 - 8.20-3ubuntu4

xen (Alpine package): 0.2.10-3 - 0.4.6-3

xen (Alpine package): 1.5 - 1.141

xen (Alpine package): 1:0.8.6-0ubuntu4 - 1:0.9.7.6-0ubuntu2

xen (Alpine package): 0.3ubuntu7 - 0.3ubuntu15.2

xen (Alpine package): 1.2.12-1ubuntu1 - 1.2.12-1

xen (Alpine package): 0.7-svn20050721 - 1.4.29-1

xen (Alpine package): 2.8.12.1-1.6 - 3.9.0-1

xen (Alpine package): 1.0.5-2 - 1.0.8-3

xen (Alpine package): 0.25-0ubuntu1 - 0.25-0ubuntu3

xen (Alpine package): 0.9-0ubuntu1 - 0.12-0ubuntu1

xen (Alpine package): 4.8.9

xen (Alpine package): 3.0.4

xen (Alpine package): 2.1.0

xen (Alpine package): 1.4.17

xen (Alpine package): 2.2.0b2

xen (Alpine package): r12.0 nil

xen (Alpine package): 3.0

xen (Alpine package):

xen (Alpine package): before 4.9.4-r1

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=e42bcd9d2c39e861c980adebf91418ddbe72bd21
https://git.alpinelinux.org/aports/commit/?id=c49084a961893d69e5cdba0b5a8072217ba8be67
https://git.alpinelinux.org/aports/commit/?id=9c1b7583516c05d0c924a44cbf3e3b651c58fa8e
https://git.alpinelinux.org/aports/commit/?id=a80b91506c3d39fd6d12fe94a65dd4a313261546
https://git.alpinelinux.org/aports/commit/?id=46c72db3ec91d42b57e2341cd9514a876b1b0952
https://git.alpinelinux.org/aports/commit/?id=49b770e54aaba339695f94b6940ff412732e4f8b
https://git.alpinelinux.org/aports/commit/?id=4cafe4f7ac5e95424824e1ef5835b409f1fe48e7
https://git.alpinelinux.org/aports/commit/?id=7fc5ca2a862219a65a85170d6e009147362ef8d8
https://git.alpinelinux.org/aports/commit/?id=1d0fe0196f9102c4c9edf2965deb91b142688924
https://git.alpinelinux.org/aports/commit/?id=0c47d89261a9f6f60cdd25fd3c7848e3d089f47a


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###