SB2022111746 - SUSE update for xen
Published: November 17, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 secuirty vulnerabilities.
1) Incorrect Resource Transfer Between Spheres (CVE-ID: CVE-2021-28689)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A local user can gain unauthorized access to sensitive information on the system.
2) Resource exhaustion (CVE-ID: CVE-2022-33746)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when freeing the P2M pool. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Improper handling of exceptional conditions (CVE-ID: CVE-2022-33748)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. A local user can send specially crafted input and perform a denial of service (DoS) attack.
4) Release of invalid pointer or reference (CVE-ID: CVE-2022-42309)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of a wrong pointer during the node creation in Xenstore. A malicious guest can cause xenstored to crash.
5) Resource management error (CVE-ID: CVE-2022-42310)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within Xenstore, which can result in orphaned nodes being created and never removed in the Xenstore database. A malicious guest can cause inconsistencies in the xenstored data base, resulting in unusual error responses or memory leaks in xenstored.
6) Resource management error (CVE-ID: CVE-2022-42311)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
7) Resource management error (CVE-ID: CVE-2022-42312)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
8) Resource management error (CVE-ID: CVE-2022-42313)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
9) Resource management error (CVE-ID: CVE-2022-42314)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
10) Resource management error (CVE-ID: CVE-2022-42315)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
11) Resource management error (CVE-ID: CVE-2022-42316)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
12) Resource management error (CVE-ID: CVE-2022-42317)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
13) Resource management error (CVE-ID: CVE-2022-42318)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the Xenstore. A malicious guest can allocate huge amount of memory and perform a denial of service (DoS) attack.
14) Improper Privilege Management (CVE-ID: CVE-2022-42320)
The vulnerability allows a malicious guest to escalate privileges.
The vulnerability exists due to improper privilege management in Xenstore. A malicious new guest domain can access resources belonging to a previous domain. The impact depends on the software in use and cal result in a denial of service, information disclosure or privilege escalation.
15) Uncontrolled Recursion (CVE-ID: CVE-2022-42321)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion in Xenstore. A malicious guest can create very deep nesting levels of Xenstore nodes and perform stack exhaustion on xenstored.
16) Resource exhaustion (CVE-ID: CVE-2022-42322)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
17) Resource exhaustion (CVE-ID: CVE-2022-42323)
The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control over consumption of internal resources in Xenstore. Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored.
Remediation
Install update from vendor's website.