SB2018041017 - SUSE Linux update for xen

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018041017

SB2018041017 - SUSE Linux update for xen

Published: April 10, 2018

Security Bulletin ID SB2018041017
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Adjecent network
Highest impact Code execution

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2017-5715)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in Intel CPU hardware due to improper implementation of the speculative execution of instructions. A local attacker can utilize branch target injection, execute arbitrary code, perform a side-channel attack and read sensitive memory information.


2) Information disclosure (CVE-ID: CVE-2017-5753)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in Intel CPU hardware due to improper implementation of the speculative execution of instructions. A local attacker can perform a bounds check bypass, execute arbitrary code, conduct a side-channel attack and read sensitive memory information.


3) Information disclosure (CVE-ID: CVE-2017-5754)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in Intel CPU hardware due to side-channel attacks, which are also referred to as Meltdown attacks. A local attacker can execute arbitrary code, perform a side-channel analysis of the data cache and gain access to sensitive information including memory from the CPU cache.


4) Resource exhaustion (CVE-ID: CVE-2018-7540)

The vulnerability allows an adjacent authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to non-preemptable L3/L4 pagetable freeing. An adjacent attacker can exhaust all available CPU resources and cause the service to crash.

5) Memory corruption (CVE-ID: CVE-2018-7541)

The vulnerability allows an adjacent attacker to cause DoS condition and gain elevated privileges on the target system.

The weakness exists due to an error when transitioning from v2 to v1. An adjacent attacker can trigger memory corruption, cause the service to crash and gain root privileges.

Remediation

Install update from vendor's website.

References