Main Vulnerability Database SB2022072636

SB2022072636 - Denial of service in Xen shadow mode

Published: July 26, 2022

Security Bulletin ID SB2022072636

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2022-33745)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in code responsible for migration and work around of kernels unaware of L1TF in shadow mode, related to TLB flush. A remote user with access to x86 PV guest can start the migration process to trigger the vulnerability and exhaust all available memory, resulting in a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://xenbits.xenproject.org/xsa/advisory-408.txt