#VU70583 Resource exhaustion in Xen - CVE-2022-42322
Published: January 2, 2023 / Updated: January 2, 2023
Vulnerability identifier: #VU70583
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2022-42322
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Xen
Xen
Software vendor:
Xen Project
Xen Project
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
Remediation
Install updates from vendor's website.
External links
- https://xenbits.xenproject.org/xsa/advisory-419.txt
- http://xenbits.xen.org/xsa/advisory-419.html
- http://www.openwall.com/lists/oss-security/2022/11/01/9
- https://www.debian.org/security/2022/dsa-5272
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/