Security update for Xen

SUSE Security Update: Security update for Xen
Announcement ID: SUSE-SU-2014:0470-1
Rating: important
References: #786516 #786517 #787163 #789950 #789951 #813673 #813677 #823011 #840592 #842511 #848657 #849668 #853049
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that fixes 15 vulnerabilities is now available.

    Description:


    The SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen
    hypervisor and toolset have been updated to fix various
    security issues:

    The following security issues have been addressed:

    *

    XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and
    possibly earlier versions, allows local guest OS
    administrators to cause a denial of service (Xen infinite
    loop and physical CPU consumption) by setting a VCPU with
    an "inappropriate deadline". (bnc#786516)

    *

    XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and
    possibly earlier versions, does not properly synchronize
    the p2m and m2p tables when the set_p2m_entry function
    fails, which allows local HVM guest OS administrators to
    cause a denial of service (memory consumption and assertion
    failure), aka "Memory mapping failure DoS vulnerability".
    (bnc#786517)

    *

    XSA-25: CVE-2012-4544: The PV domain builder in Xen
    4.2 and earlier does not validate the size of the kernel or
    ramdisk (1) before or (2) after decompression, which allows
    local guest administrators to cause a denial of service
    (domain 0 memory consumption) via a crafted (a) kernel or
    (b) ramdisk. (bnc#787163)

    *

    XSA-29: CVE-2012-5513: The XENMEM_exchange handler in
    Xen 4.2 and earlier does not properly check the memory
    address, which allows local PV guest OS administrators to
    cause a denial of service (crash) or possibly gain
    privileges via unspecified vectors that overwrite memory in
    the hypervisor reserved range. (bnc#789951)

    *

    XSA-31: CVE-2012-5515: The (1)
    XENMEM_decrease_reservation, (2) XENMEM_populate_physmap,
    and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier
    allow local guest administrators to cause a denial of
    service (long loop and hang) via a crafted extent_order
    value. (bnc#789950)

    *

    XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when
    running 64-bit hosts on Intel CPUs, does not clear the NT
    flag when using an IRET after a SYSENTER instruction, which
    allows PV guest users to cause a denial of service
    (hypervisor crash) by triggering a #GP fault, which is not
    properly handled by another IRET instruction. (bnc#813673)

    *

    XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier,
    when the hypervisor is running "under memory pressure" and
    the Xen Security Module (XSM) is enabled, uses the wrong
    ordering of operations when extending the per-domain event
    channel tracking table, which causes a use-after-free and
    allows local guest kernels to inject arbitrary events and
    gain privileges via unspecified vectors. (bnc#813677)

    *

    XSA-55: CVE-2013-2196: Multiple unspecified
    vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and
    earlier allow local guest administrators with certain
    permissions to have an unspecified impact via a crafted
    kernel, related to "other problems" that are not
    CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

    *

    XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen
    4.2.x and earlier allow local guest administrators with
    certain permissions to have an unspecified impact via a
    crafted kernel, related to "pointer dereferences" involving
    unexpected calculations. (bnc#823011)

    *

    XSA-55: CVE-2013-2194: Multiple integer overflows in
    the Elf parser (libelf) in Xen 4.2.x and earlier allow
    local guest administrators with certain permissions to have
    an unspecified impact via a crafted kernel. (bnc#823011)

    *

    XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not
    properly handle certain errors, which allows local HVM
    guests to obtain hypervisor stack memory via a (1) port or
    (2) memory mapped I/O write or (3) other unspecified
    operations related to addresses without associated memory.
    (bnc#840592)

    *

    XSA-67: CVE-2013-4368: The outs instruction emulation
    in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or
    GS: segment override, uses an uninitialized variable as a
    segment base, which allows local 64-bit PV guests to obtain
    sensitive information (hypervisor stack content) via
    unspecified vectors related to stale data in a segment
    register. (bnc#842511)

    *

    XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and
    4.3.x does not take the page_alloc_lock and
    grant_table.lock in the same order, which allows local
    guest administrators with access to multiple vcpus to cause
    a denial of service (host deadlock) via unspecified
    vectors. (bnc#848657)

    *

    XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x
    (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x
    (possibly 4.3.1) does not properly prevent access to
    hypercalls, which allows local guest users to gain
    privileges via a crafted application running in ring 1 or
    2. (bnc#849668)

    *

    XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h
    through 0Fh processors does not properly handle the
    interaction between locked instructions and write-combined
    memory types, which allows local users to cause a denial of
    service (system hang) via a crafted application, aka the
    errata 793 issue. (bnc#853049)

    Security Issues references:

    * CVE-2012-4535
    >
    * CVE-2012-4537
    >
    * CVE-2012-4544
    >
    * CVE-2012-5513
    >
    * CVE-2012-5515
    >
    * CVE-2013-1917
    >
    * CVE-2013-1920
    >
    * CVE-2013-2194
    >
    * CVE-2013-2195
    >
    * CVE-2013-2196
    >
    * CVE-2013-4355
    >
    * CVE-2013-4368
    >
    * CVE-2013-4494
    >
    * CVE-2013-4554
    >
    * CVE-2013-6885
    >

    Indications:

    Everyone using the Xen hypervisor should update.

    Special Instructions and Notes:

    Please reboot the system after installing this update.

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64):
    • xen-3.2.3_17040_28-0.6.21.3
    • xen-devel-3.2.3_17040_28-0.6.21.3
    • xen-doc-html-3.2.3_17040_28-0.6.21.3
    • xen-doc-pdf-3.2.3_17040_28-0.6.21.3
    • xen-doc-ps-3.2.3_17040_28-0.6.21.3
    • xen-kmp-debug-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-default-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-kdump-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-smp-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-libs-3.2.3_17040_28-0.6.21.3
    • xen-tools-3.2.3_17040_28-0.6.21.3
    • xen-tools-domU-3.2.3_17040_28-0.6.21.3
    • xen-tools-ioemu-3.2.3_17040_28-0.6.21.3
    • SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64):
    • xen-libs-32bit-3.2.3_17040_28-0.6.21.3
    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586):
    • xen-kmp-bigsmp-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-kdumppae-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-vmi-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
    • xen-kmp-vmipae-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3

    References:

    • http://support.novell.com/security/cve/CVE-2012-4535.html
    • http://support.novell.com/security/cve/CVE-2012-4537.html
    • http://support.novell.com/security/cve/CVE-2012-4544.html
    • http://support.novell.com/security/cve/CVE-2012-5513.html
    • http://support.novell.com/security/cve/CVE-2012-5515.html
    • http://support.novell.com/security/cve/CVE-2013-1917.html
    • http://support.novell.com/security/cve/CVE-2013-1920.html
    • http://support.novell.com/security/cve/CVE-2013-2194.html
    • http://support.novell.com/security/cve/CVE-2013-2195.html
    • http://support.novell.com/security/cve/CVE-2013-2196.html
    • http://support.novell.com/security/cve/CVE-2013-4355.html
    • http://support.novell.com/security/cve/CVE-2013-4368.html
    • http://support.novell.com/security/cve/CVE-2013-4494.html
    • http://support.novell.com/security/cve/CVE-2013-4554.html
    • http://support.novell.com/security/cve/CVE-2013-6885.html
    • https://bugzilla.novell.com/786516
    • https://bugzilla.novell.com/786517
    • https://bugzilla.novell.com/787163
    • https://bugzilla.novell.com/789950
    • https://bugzilla.novell.com/789951
    • https://bugzilla.novell.com/813673
    • https://bugzilla.novell.com/813677
    • https://bugzilla.novell.com/823011
    • https://bugzilla.novell.com/840592
    • https://bugzilla.novell.com/842511
    • https://bugzilla.novell.com/848657
    • https://bugzilla.novell.com/849668
    • https://bugzilla.novell.com/853049
    • http://download.suse.com/patch/finder/?keywords=6f43bf900a8ce3d35255c35946732753