#VU70588 Resource management error in Xen - CVE-2022-42310
Published: January 2, 2023
Vulnerability identifier: #VU70588
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2022-42310
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Xen
Xen
Software vendor:
Xen Project
Xen Project
Description
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within Xenstore, which can result in orphaned nodes being created and never removed in the Xenstore database. A malicious guest can cause inconsistencies in the xenstored data base, resulting in unusual error responses or memory leaks in xenstored.
Remediation
Install updates from vendor's website.
External links
- https://xenbits.xenproject.org/xsa/advisory-415.txt
- http://xenbits.xen.org/xsa/advisory-415.html
- http://www.openwall.com/lists/oss-security/2022/11/01/5
- https://www.debian.org/security/2022/dsa-5272
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/