Resource exhaustion in Xen - CVE-2022-42322
Published: January 2, 2023 / Updated: January 2, 2023
Vulnerability identifier: #VU70583
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2022-42322
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Xen Project
Affected software:
Xen
Xen
Detailed vulnerability description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
How to mitigate CVE-2022-42322
Install updates from vendor's website.
Sources
- https://xenbits.xenproject.org/xsa/advisory-419.txt
- http://xenbits.xen.org/xsa/advisory-419.html
- http://www.openwall.com/lists/oss-security/2022/11/01/9
- https://www.debian.org/security/2022/dsa-5272
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/