Main Vulnerability Database SB2024040334

SB2024040334 - SUSE update for xen

Published: April 3, 2024

Security Bulletin ID SB2024040334

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2023-28746)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to information exposure through microarchitectural state after transient execution from some register files for some Intel Atom Processors. A local user can gain access to sensitive information.

2) Race condition (CVE-ID: CVE-2024-2193)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a speculative race condition. A local user can exploit the race and gain unauthorized access to contents of arbitrary host memory, including memory assigned to other guests.

The vulnerability was dubbed GhostRace.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2024/suse-su-20241105-1/

Vulnerable Software

SUSE Linux Enterprise Software Development Kit 12: SP5
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
xen-devel: before 4.12.4_46-3.106.1
xen-libs-32bit: before 4.12.4_46-3.106.1
xen-libs-debuginfo: before 4.12.4_46-3.106.1
xen-tools: before 4.12.4_46-3.106.1
xen-doc-html: before 4.12.4_46-3.106.1
xen-tools-domU-debuginfo: before 4.12.4_46-3.106.1
xen: before 4.12.4_46-3.106.1
xen-debugsource: before 4.12.4_46-3.106.1
xen-libs: before 4.12.4_46-3.106.1
xen-tools-debuginfo: before 4.12.4_46-3.106.1
xen-libs-debuginfo-32bit: before 4.12.4_46-3.106.1
xen-tools-domU: before 4.12.4_46-3.106.1