SB2015033116 - Fedora 22 update for xen
Published: March 31, 2015 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2015-2752)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-2756)
The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
3) Input validation error (CVE-ID: CVE-2015-2751)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations.
Remediation
Install update from vendor's website.