Gentoo Linux Security Advisory 201309-24 - Multiple vulnerabilities have been found in Xen, allowing attackers on a Xen Virtual Machine to execute arbitrary code, cause Denial of Service, or gain access to data on the host. Versions less than 4.2.2-r1 are affected.
42fbd346dc4e79100c814835fd5068ef0a6bd2ccc23977307e7f191f8be1cc22- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Xen: Multiple vulnerabilities
Date: September 27, 2013
Bugs: #385319, #386371, #420875, #431156, #454314, #464724,
#472214, #482860
ID: 201309-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Xen, allowing attackers on
a Xen Virtual Machine to execute arbitrary code, cause Denial of
Service, or gain access to data on the host.
Background
==========
Xen is a bare-metal hypervisor.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/xen < 4.2.2-r1 >= 4.2.2-r1
2 app-emulation/xen-tools < 4.2.2-r3 >= 4.2.2-r3
3 app-emulation/xen-pvgrub
< 4.2.2-r1 >= 4.2.2-r1
-------------------------------------------------------------------
3 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
Impact
======
Guest domains could possibly gain privileges, execute arbitrary code,
or cause a Denial of Service on the host domain (Dom0). Additionally,
guest domains could gain information about other virtual machines
running on the same host or read arbitrary files on the host.
Workaround
==========
The CVEs listed below do not currently have fixes, but only apply to
Xen setups which have "tmem" specified on the hypervisor command line.
TMEM is not currently supported for use in production systems, and
administrators using tmem should disable it.
Relevant CVEs:
* CVE-2012-2497
* CVE-2012-6030
* CVE-2012-6031
* CVE-2012-6032
* CVE-2012-6033
* CVE-2012-6034
* CVE-2012-6035
* CVE-2012-6036
Resolution
==========
All Xen users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1"
All Xen-tools users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.2.2-r3"
All Xen-pvgrub users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/xen-pvgrub-4.2.2-r1"
References
==========
[ 1 ] CVE-2011-2901
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901
[ 2 ] CVE-2011-3262
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262
[ 3 ] CVE-2011-3262
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262
[ 4 ] CVE-2012-0217
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217
[ 5 ] CVE-2012-0218
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218
[ 6 ] CVE-2012-2934
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934
[ 7 ] CVE-2012-3432
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432
[ 8 ] CVE-2012-3433
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3433
[ 9 ] CVE-2012-3494
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494
[ 10 ] CVE-2012-3495
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495
[ 11 ] CVE-2012-3496
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496
[ 12 ] CVE-2012-3497
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497
[ 13 ] CVE-2012-3498
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498
[ 14 ] CVE-2012-3515
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515
[ 15 ] CVE-2012-4411
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411
[ 16 ] CVE-2012-4535
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535
[ 17 ] CVE-2012-4536
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536
[ 18 ] CVE-2012-4537
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537
[ 19 ] CVE-2012-4538
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538
[ 20 ] CVE-2012-4539
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539
[ 21 ] CVE-2012-5510
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5510
[ 22 ] CVE-2012-5511
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5511
[ 23 ] CVE-2012-5512
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5512
[ 24 ] CVE-2012-5513
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5513
[ 25 ] CVE-2012-5514
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5514
[ 26 ] CVE-2012-5515
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5515
[ 27 ] CVE-2012-5525
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5525
[ 28 ] CVE-2012-5634
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5634
[ 29 ] CVE-2012-6030
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030
[ 30 ] CVE-2012-6031
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031
[ 31 ] CVE-2012-6032
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032
[ 32 ] CVE-2012-6033
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033
[ 33 ] CVE-2012-6034
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034
[ 34 ] CVE-2012-6035
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035
[ 35 ] CVE-2012-6036
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036
[ 36 ] CVE-2012-6075
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6075
[ 37 ] CVE-2012-6333
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6333
[ 38 ] CVE-2013-0151
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0151
[ 39 ] CVE-2013-0152
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0152
[ 40 ] CVE-2013-0153
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153
[ 41 ] CVE-2013-0154
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0154
[ 42 ] CVE-2013-0215
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215
[ 43 ] CVE-2013-1432
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1432
[ 44 ] CVE-2013-1917
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917
[ 45 ] CVE-2013-1918
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918
[ 46 ] CVE-2013-1919
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919
[ 47 ] CVE-2013-1920
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920
[ 48 ] CVE-2013-1922
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922
[ 49 ] CVE-2013-1952
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952
[ 50 ] CVE-2013-1964
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1964
[ 51 ] CVE-2013-2076
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2076
[ 52 ] CVE-2013-2077
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2077
[ 53 ] CVE-2013-2078
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2078
[ 54 ] CVE-2013-2194
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2194
[ 55 ] CVE-2013-2195
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2195
[ 56 ] CVE-2013-2196
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2196
[ 57 ] CVE-2013-2211
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2211
[ 58 ] Xen TMEM
https://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.h=
tml
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/glsa-201309-24.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed