Input validation error in Xen - CVE-2019-18420
Published: November 6, 2019
Vulnerability identifier: #VU22541
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2019-18420
CWE-ID: CWE-20
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Xen Project
Affected software:
Xen
Xen
Detailed vulnerability description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the VCPUOP_initialise hypercall in Xen. A remote user on a guest operating system can run a specially crafted program and perform a denial of service attack against the host operating system.
How to mitigate CVE-2019-18420
xsa296.patch Xen 4.9 ... unstable xsa296-4.8.patch Xen 4.7 ... 4.8 $ sha256sum xsa296* 71bd433f788dd511fad90165bc5ba9bcabe949eecd912f2a616e3c996960d67d xsa296.meta ccfd81b162b8535d952f56b1f87dfdd960e71bf07c1cf8388976e78e2e86cde5 xsa296.patch b283be3df6789402553172b7fd582bfffb4fa72a6b33543439bd2fb1b87bfbd4 xsa296-4.8.patch $