SB2020041908 - Information disclosure in xen (Alpine package)
Published: April 19, 2020
Security Bulletin ID
SB2020041908
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2020-11740)
The vulnerability allows a remote user to gain access to potentially sensitive information.
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5c40dfc3f9763d20de339d8f1b694b48631d253b
- https://git.alpinelinux.org/aports/commit/?id=7c4c7fb75cb36f33395f8a86ae820e4fb9f8d59e
- https://git.alpinelinux.org/aports/commit/?id=95332e4ed106c72d58a0a5490d0f608e3d76b83e
- https://git.alpinelinux.org/aports/commit/?id=fa008233b860d6652d640df8ed23f5bdd8e42b9b
- https://git.alpinelinux.org/aports/commit/?id=05b5ec57508952a3bf13538e1f72d2a5e9357796