SB2024013115 - SUSE update for xen
Published: January 31, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-46839)
The vulnerability allows a malicious guest to gain access to sensitive information.
The vulnerability exists due to an error in phantom functions implementation for PCI devices. Under certain circumstances a malicious guest assigned a PCI device with phantom functions may be able to access memory from a previous owner of the device.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-46840)
The vulnerability allows a malicious guest to bypass implemented security restrictions.
The vulnerability exists due to incorrect placement of a preprocessor directive in source code, which results in a logic error when support for HVM guests is compiled out of Xen and CONFIG_HVM is disabled at Xen's build time. When a device is removed from a domain, it is not properly quarantined and retains its access to the domain to which it was previously assigned. An attacker with control over a malicious guest can retain access to the domain after it has been removed from it.
Remediation
Install update from vendor's website.