SUSE update for xen
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
1) Release of invalid pointer or reference
EUVDB-ID: #VU70589
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42309
CWE-ID:
CWE-763 - Release of invalid pointer or reference
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of a wrong pointer during the node creation in Xenstore. A malicious guest can cause xenstored to crash.
Update the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU70588
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42310
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within Xenstore, which can result in orphaned nodes being created and never removed in the Xenstore database. A malicious guest can cause inconsistencies in the xenstored data base, resulting in unusual error responses or memory leaks in xenstored.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU70590
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42311
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource management error
EUVDB-ID: #VU70591
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42312
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Resource management error
EUVDB-ID: #VU70592
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42313
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource management error
EUVDB-ID: #VU70593
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42314
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Resource management error
EUVDB-ID: #VU70594
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42315
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Resource management error
EUVDB-ID: #VU70595
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42316
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Resource management error
EUVDB-ID: #VU70596
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42317
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Resource management error
EUVDB-ID: #VU70597
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42318
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Resource exhaustion
EUVDB-ID: #VU70587
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42319
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists in Xenstore due to allocated temporary memory is freed only after the request is completely finished. A malicious guest can allocate large amounts of memory and perform a denial of service (DoS) attack.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper Privilege Management
EUVDB-ID: #VU70586
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42320
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to escalate privileges.
The vulnerability exists due to improper privilege management in Xenstore. A malicious new guest domain can access resources belonging to a previous domain. The impact depends on the software in use and cal result in a denial of service, information disclosure or privilege escalation.
Update the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Uncontrolled Recursion
EUVDB-ID: #VU70585
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42321
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion in Xenstore. A malicious guest can create very deep nesting levels of Xenstore nodes and perform stack exhaustion on xenstored.
Update the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Resource exhaustion
EUVDB-ID: #VU70583
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42322
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Resource exhaustion
EUVDB-ID: #VU70584
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42323
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
MitigationUpdate the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Resource exhaustion
EUVDB-ID: #VU70581
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42325
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to missing control over the number of created nodes in Xenstore. A malicious guest can consume all available memory resources by created an unlimited number of nodes.
The vulnerability affects the C variant of Xenstore (e.g. xenstored and xenstore-stubdom).
Update the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Resource exhaustion
EUVDB-ID: #VU70582
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42326
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to missing control over the number of created nodes in Xenstore. A malicious guest can consume all available memory resources by created an unlimited number of nodes.
The vulnerability affects the C variant of Xenstore (e.g. xenstored and xenstore-stubdom).
Update the affected package xen to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP3-BCL
xen-tools-domU-debuginfo: before 4.9.4_34-3.114.1
xen-tools-domU: before 4.9.4_34-3.114.1
xen-tools-debuginfo: before 4.9.4_34-3.114.1
xen-tools: before 4.9.4_34-3.114.1
xen-libs-debuginfo: before 4.9.4_34-3.114.1
xen-libs-debuginfo-32bit: before 4.9.4_34-3.114.1
xen-libs: before 4.9.4_34-3.114.1
xen-libs-32bit: before 4.9.4_34-3.114.1
xen-doc-html: before 4.9.4_34-3.114.1
xen-debugsource: before 4.9.4_34-3.114.1
xen: before 4.9.4_34-3.114.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20223960-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
