ID OPENVAS:1361412562310869777 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2017-07-10T00:00:00
Description
Check the version of xen
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for xen FEDORA-2015-11247
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Identity and revision of this NVT.
  script_oid("1.3.6.1.4.1.25623.1.0.869777");
  script_name("Fedora Update for xen FEDORA-2015-11247");
  script_version("$Revision: 6630 $");
  script_tag(name:"creation_date", value:"2015-07-19 06:37:48 +0200 (Sun, 19 Jul 2015)");
  script_tag(name:"last_modification", value:"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $");

  # Classification and scheduling: a passive, package-version based local check
  # that depends on the package list gathered over SSH.
  script_category(ACT_GATHER_INFO);
  script_family("Fedora Local Security Checks");
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");

  # CVEs covered by the Fedora advisory FEDORA-2015-11247.
  script_cve_id("CVE-2015-3259", "CVE-2015-3209", "CVE-2015-4163",
                "CVE-2015-4164", "CVE-2015-4103", "CVE-2015-4104",
                "CVE-2015-4105", "CVE-2015-4106", "CVE-2015-3456",
                "CVE-2015-3340", "CVE-2015-2752", "CVE-2015-2756",
                "CVE-2015-2751", "CVE-2015-2152", "CVE-2015-2151",
                "CVE-2015-1563", "CVE-2015-2044", "CVE-2015-2045",
                "CVE-2015-0361", "CVE-2014-9065", "CVE-2014-8866",
                "CVE-2014-8867", "CVE-2014-9030", "CVE-2014-8594",
                "CVE-2014-8595", "CVE-2014-0150");

  # Severity (CVSSv2) and quality-of-detection; "package" QoD means the
  # verdict rests on the installed RPM version, not on probing the service.
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_tag(name:"qod_type", value:"package");

  # References to the vendor advisory.
  script_xref(name:"FEDORA", value:"2015-11247");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html");

  # Human-readable report text.
  script_tag(name:"summary", value:"Check the version of xen");
  script_tag(name:"vuldetect", value:"Get the installed version with the help
of detect NVT and check if the version is vulnerable or not.");
  script_tag(name:"insight", value:"This package contains the XenD daemon and xm command line
tools, needed to manage virtual machines running under the
Xen hypervisor
");
  script_tag(name:"affected", value:"xen on Fedora 21");
  script_tag(name:"solution", value:"Please Install the Updated Packages.");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

# The release string is recorded in the KB by the gather-package-list
# dependency; without it there is nothing to compare against.
release = get_kb_item("ssh/login/release");
if(release == NULL) exit(0);

# Only Fedora 21 is covered by this advisory; any other release ends the
# script without a verdict.
if(release == "FC21")
{
  # isrpmvuln() compares the installed xen RPM with the fixed build from the
  # advisory and returns a report string when the installed one is older.
  res = isrpmvuln(pkg:"xen", rpm:"xen~4.4.2~7.fc21", rls:"FC21");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match presumably is set by the pkg-lib-rpm include when the package
  # was found but is already at or above the fixed version — verify there.
  if(__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}
{"id": "OPENVAS:1361412562310869777", "bulletinFamily": "scanner", "title": "Fedora Update for xen FEDORA-2015-11247", "description": "Check the version of xen", "published": "2015-07-19T00:00:00", "modified": "2017-07-10T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869777", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["2015-11247", "https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html"], "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2014-9065", "CVE-2015-2044", "CVE-2015-3340", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-3259", "CVE-2015-2045", "CVE-2014-0150", "CVE-2015-2752", "CVE-2015-3456", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-4104", "CVE-2015-2751", "CVE-2015-2756", "CVE-2014-9030", "CVE-2015-1563", "CVE-2015-3209", "CVE-2015-4106", "CVE-2015-2152"], "type": "openvas", "lastseen": "2017-07-25T10:52:33", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2014-9065", "CVE-2015-2044", "CVE-2015-3340", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-3259", "CVE-2015-2045", "CVE-2014-0150", "CVE-2015-2752", "CVE-2015-3456", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-4104", "CVE-2015-2751", "CVE-2015-2756", "CVE-2014-9030", "CVE-2015-1563", "CVE-2015-3209", "CVE-2015-4106", "CVE-2015-2152"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "Check the version of xen", "edition": 1, "enchantments": {}, "hash": "1acf028d3e072aff781e3098aeffd3bb615af5141bfefa89e17532388da17744", "hashmap": [{"hash": "c40b903ef912c1c773edb1cd7cf44e35", "key": "modified"}, {"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": 
"106d7f71c9dfd45cc38a5a2174898b34", "key": "pluginID"}, {"hash": "3b91c569bf6ec5f1163e046889c99268", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "aba844379a49220566d9b1d456526a57", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "4aa6130974d9b5dfc23ee7d559acca0c", "key": "references"}, {"hash": "c7ef8525da264ea1651a844e802f152e", "key": "href"}, {"hash": "633319bf1d6ecdf9657996fbbe611a25", "key": "title"}, {"hash": "d10460e04c9b4476c31bfd0577b5a9e3", "key": "published"}, {"hash": "83ed4d9c27df53b503664fed06183dea", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869777", "id": "OPENVAS:1361412562310869777", "lastseen": "2017-07-02T21:11:38", "modified": "2016-05-18T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869777", "published": "2015-07-19T00:00:00", "references": ["2015-11247", "https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2015-11247\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869777\");\n script_version(\"$Revision: 3342 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-05-18 09:45:03 +0200 (Wed, 18 May 2016) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-19 06:37:48 +0200 (Sun, 19 Jul 2015)\");\n script_cve_id(\"CVE-2015-3259\", \"CVE-2015-3209\", \"CVE-2015-4163\", \"CVE-2015-4164\",\n \"CVE-2015-4103\", \"CVE-2015-4104\", \"CVE-2015-4105\", \"CVE-2015-4106\",\n \"CVE-2015-3456\", \"CVE-2015-3340\", \"CVE-2015-2752\", \"CVE-2015-2756\",\n \"CVE-2015-2751\", \"CVE-2015-2152\", \"CVE-2015-2151\", \"CVE-2015-1563\",\n \"CVE-2015-2044\", \"CVE-2015-2045\", \"CVE-2015-0361\", \"CVE-2014-9065\",\n \"CVE-2014-8866\", \"CVE-2014-8867\", \"CVE-2014-9030\", \"CVE-2014-8594\",\n \"CVE-2014-8595\", \"CVE-2014-0150\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2015-11247\");\n script_tag(name: \"summary\", value: \"Check the version of xen\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"This package contains the XenD daemon and xm command line\ntools, needed to manage virtual machines running under the\nXen hypervisor\n\");\n script_tag(name: \"affected\", value: \"xen on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: 
\"FEDORA\", value: \"2015-11247\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_summary(\"Check for the Version of xen\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.4.2~7.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for xen FEDORA-2015-11247", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:38"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2014-9065", "CVE-2015-2044", "CVE-2015-3340", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-3259", "CVE-2015-2045", "CVE-2014-0150", "CVE-2015-2752", "CVE-2015-3456", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-4104", "CVE-2015-2751", "CVE-2015-2756", "CVE-2014-9030", "CVE-2015-1563", "CVE-2015-3209", "CVE-2015-4106", "CVE-2015-2152"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "Check the version of xen", "edition": 2, "enchantments": {}, "hash": "2403a61edfc72b4491b4e7d590198d44451aede97684c9c1dc804648265685f2", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", 
"key": "cvss"}, {"hash": "106d7f71c9dfd45cc38a5a2174898b34", "key": "pluginID"}, {"hash": "3b91c569bf6ec5f1163e046889c99268", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "669578dff97c16a0f41051692e23b8aa", "key": "modified"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "4aa6130974d9b5dfc23ee7d559acca0c", "key": "references"}, {"hash": "c7ef8525da264ea1651a844e802f152e", "key": "href"}, {"hash": "633319bf1d6ecdf9657996fbbe611a25", "key": "title"}, {"hash": "d10460e04c9b4476c31bfd0577b5a9e3", "key": "published"}, {"hash": "ec636cbcdf1c461178e7a1e4e4f101ed", "key": "sourceData"}, {"hash": "83ed4d9c27df53b503664fed06183dea", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869777", "id": "OPENVAS:1361412562310869777", "lastseen": "2017-07-19T10:51:52", "modified": "2017-07-04T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310869777", "published": "2015-07-19T00:00:00", "references": ["2015-11247", "https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2015-11247\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869777\");\n script_version(\"$Revision: 6513 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 11:59:28 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-19 06:37:48 +0200 (Sun, 19 Jul 2015)\");\n script_cve_id(\"CVE-2015-3259\", \"CVE-2015-3209\", \"CVE-2015-4163\", \"CVE-2015-4164\",\n \"CVE-2015-4103\", \"CVE-2015-4104\", \"CVE-2015-4105\", \"CVE-2015-4106\",\n \"CVE-2015-3456\", \"CVE-2015-3340\", \"CVE-2015-2752\", \"CVE-2015-2756\",\n \"CVE-2015-2751\", \"CVE-2015-2152\", \"CVE-2015-2151\", \"CVE-2015-1563\",\n \"CVE-2015-2044\", \"CVE-2015-2045\", \"CVE-2015-0361\", \"CVE-2014-9065\",\n \"CVE-2014-8866\", \"CVE-2014-8867\", \"CVE-2014-9030\", \"CVE-2014-8594\",\n \"CVE-2014-8595\", \"CVE-2014-0150\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2015-11247\");\n script_tag(name: \"summary\", value: \"Check the version of xen\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"This package contains the XenD daemon and xm command line\ntools, needed to manage virtual machines running under the\nXen hypervisor\n\");\n script_tag(name: \"affected\", value: \"xen on Fedora 21\");\n script_tag(name: \"solution\", 
value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-11247\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.4.2~7.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "Fedora Update for xen FEDORA-2015-11247", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-07-19T10:51:52"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "3b91c569bf6ec5f1163e046889c99268"}, {"key": "cvss", "hash": "ed3111898fb94205e2b64cefef5a2081"}, {"key": "description", "hash": "83ed4d9c27df53b503664fed06183dea"}, {"key": "href", "hash": "c7ef8525da264ea1651a844e802f152e"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "106d7f71c9dfd45cc38a5a2174898b34"}, {"key": "published", "hash": "d10460e04c9b4476c31bfd0577b5a9e3"}, {"key": "references", "hash": "4aa6130974d9b5dfc23ee7d559acca0c"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": 
"829fe99c0ca2760b92cc25a9f8f6d7e6"}, {"key": "title", "hash": "633319bf1d6ecdf9657996fbbe611a25"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "bd75cc0d705ceb429a16d5a5965b1b0f869613a26a204e2948b62776933a8f4c", "viewCount": 0, "enchantments": {"vulnersScore": 3.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2015-11247\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869777\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-19 06:37:48 +0200 (Sun, 19 Jul 2015)\");\n script_cve_id(\"CVE-2015-3259\", \"CVE-2015-3209\", \"CVE-2015-4163\", \"CVE-2015-4164\",\n \"CVE-2015-4103\", \"CVE-2015-4104\", \"CVE-2015-4105\", \"CVE-2015-4106\",\n \"CVE-2015-3456\", \"CVE-2015-3340\", \"CVE-2015-2752\", \"CVE-2015-2756\",\n \"CVE-2015-2751\", \"CVE-2015-2152\", \"CVE-2015-2151\", \"CVE-2015-1563\",\n \"CVE-2015-2044\", \"CVE-2015-2045\", \"CVE-2015-0361\", \"CVE-2014-9065\",\n \"CVE-2014-8866\", \"CVE-2014-8867\", \"CVE-2014-9030\", \"CVE-2014-8594\",\n \"CVE-2014-8595\", \"CVE-2014-0150\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2015-11247\");\n script_tag(name: \"summary\", value: \"Check the version of xen\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"This package contains the XenD daemon and xm command line\ntools, needed to manage virtual machines running under the\nXen hypervisor\n\");\n script_tag(name: \"affected\", value: \"xen on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: 
\"FEDORA\", value: \"2015-11247\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162192.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.4.2~7.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "1361412562310869777"}
{"result": {"cve": [{"id": "CVE-2015-4105", "type": "cve", "title": "CVE-2015-4105", "description": "Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.", "published": "2015-06-03T16:59:08", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4105", "cvelist": ["CVE-2015-4105"], "lastseen": "2017-11-15T11:55:51"}, {"id": "CVE-2015-4103", "type": "cve", "title": "CVE-2015-4103", "description": "Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields.", "published": "2015-06-03T16:59:06", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4103", "cvelist": ["CVE-2015-4103"], "lastseen": "2017-11-15T11:55:51"}, {"id": "CVE-2014-9065", "type": "cve", "title": "CVE-2014-9065", "description": "common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.", "published": "2014-12-09T18:59:08", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9065", "cvelist": ["CVE-2014-9065"], "lastseen": "2017-09-08T10:27:07"}, {"id": "CVE-2015-2044", "type": "cve", "title": "CVE-2015-2044", "description": "The emulation routines for unspecified X86 devices in Xen 3.2.x through 
4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.", "published": "2015-03-12T10:59:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2044", "cvelist": ["CVE-2015-2044"], "lastseen": "2017-04-18T15:56:19"}, {"id": "CVE-2015-3340", "type": "cve", "title": "CVE-2015-3340", "description": "Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.", "published": "2015-04-28T10:59:02", "cvss": {"score": 2.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3340", "cvelist": ["CVE-2015-3340"], "lastseen": "2017-07-01T10:43:24"}, {"id": "CVE-2014-8866", "type": "cve", "title": "CVE-2014-8866", "description": "The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode.", "published": "2014-12-01T10:59:08", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8866", "cvelist": ["CVE-2014-8866"], "lastseen": "2017-11-15T11:55:36"}, {"id": "CVE-2014-8595", "type": "cve", "title": "CVE-2014-8595", "description": "arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction.", 
"published": "2014-11-19T13:59:11", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8595", "cvelist": ["CVE-2014-8595"], "lastseen": "2017-11-15T11:55:36"}, {"id": "CVE-2014-8867", "type": "cve", "title": "CVE-2014-8867", "description": "The acceleration support for the \"REP MOVS\" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors.", "published": "2014-12-01T10:59:09", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8867", "cvelist": ["CVE-2014-8867"], "lastseen": "2017-11-15T11:55:36"}, {"id": "CVE-2015-0361", "type": "cve", "title": "CVE-2015-0361", "description": "Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.", "published": "2015-01-07T14:59:05", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0361", "cvelist": ["CVE-2015-0361"], "lastseen": "2017-04-18T15:55:48"}, {"id": "CVE-2014-8594", "type": "cve", "title": "CVE-2014-8594", "description": "The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP).", "published": "2014-11-19T13:59:10", "cvss": {"score": 5.4, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8594", "cvelist": ["CVE-2014-8594"], "lastseen": "2017-09-08T10:27:06"}], "xen": [{"id": "XSA-130", "type": "xen", "title": "Guest triggerable qemu MSI-X pass-through error messages", "description": "#### ISSUE DESCRIPTION\nDevice model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain (supposedly) invalid guest operations.\n#### IMPACT\nA buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial of Service.\n#### VULNERABLE SYSTEMS\nXen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through.\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\nOnly HVM guests with their device model run in Dom0 can take advantage of this vulnerability.\nOnly HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability.\nFurthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-X capable. (Many modern devices are.)\n", "published": "2015-06-02T12:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-130.html", "cvelist": ["CVE-2015-4105"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-128", "type": "xen", "title": "Potential unintended writes to host MSI message data field via qemu", "description": "#### ISSUE DESCRIPTION\nLogic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field.\nWhile generally the writes write back the values previously read, their value in config space may have got changed by the host between the qemu read and write. 
In such a case host side interrupt handling could become confused, possibly losing interrupts or allowing spurious interrupt injection into other guests.\n#### IMPACT\nCertain untrusted guest administrators may be able to confuse host side interrupt handling, leading to a Denial of Service.\n#### VULNERABLE SYSTEMS\nXen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through.\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\nOnly HVM guests with their device model run in Dom0 can take advantage of this vulnerability.\nOnly HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability.\nFurthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable. (Most modern devices are.)\n", "published": "2015-06-02T12:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-128.html", "cvelist": ["CVE-2015-4103"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-114", "type": "xen", "title": "p2m lock starvation", "description": "#### ISSUE DESCRIPTION\nThe current read/write lock implementation is read-biased, which allows a consistent stream of readers to starve writers indefinitely. There are certain rwlocks where guests are capable of applying arbitrary read pressure.\n#### IMPACT\nA malicious guest administrator can deny service to other tasks. If the NMI watchdog is active, a timeout might be triggered, resulting in a host crash.\n#### VULNERABLE SYSTEMS\nXen 4.2 and later systems are vulnerable.\nXen 4.1 and earlier are not vulnerable in normal configurations. 4.1 and earlier are vulnerable only insofar as features are used which have already been explicitly discounted for security support purposes (TMEM, see XSA-15; XSM-based radical disaggregation, see XSA-77).\nOnly x86 systems offer avenues for attacking this vulnerability. 
ARM systems do not and are therefore not vulnerable.\n", "published": "2014-12-08T12:00:00", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-114.html", "cvelist": ["CVE-2014-9065", "CVE-2014-9066"], "lastseen": "2016-04-01T21:57:14"}, {"id": "XSA-121", "type": "xen", "title": "Information leak via internal x86 system device emulation", "description": "#### ISSUE DESCRIPTION\nEmulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest.\n#### IMPACT\nA malicious HVM guest might be able to read sensitive data relating to other guests.\n#### VULNERABLE SYSTEMS\nXen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected.\nOnly HVM guests can take advantage of this vulnerability.\nOnly x86 systems are vulnerable. 
ARM systems are not vulnerable.\n", "published": "2015-03-05T12:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://xenbits.xen.org/xsa/advisory-121.html", "cvelist": ["CVE-2015-2044"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-132", "type": "xen", "title": "Information leak through XEN_DOMCTL_gettscinfo", "description": "#### ISSUE DESCRIPTION\nThe handler for XEN_DOMCTL_gettscinfo failed to initialize a padding field subsequently copied to guest memory.\nA similar leak existed in XEN_SYSCTL_getdomaininfolist, which is being addressed here regardless of that operation being declared unsafe for disaggregation by XSA-77.\n#### IMPACT\nMalicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 may be able to read sensitive data relating to the hypervisor or other guests not under the control of that domain.\n#### VULNERABLE SYSTEMS\nXen 4.0.x and later are vulnerable.\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\nThe vulnerability is only exposed to service domains with privilege over another guest. In a usual configuration that means only device model emulators (qemu-dm) when these are running in a separate domain.\nIn the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable.\nThis vulnerability is applicable for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). 
In this case a guest which has already exploited another vulnerability, to gain control of the device model, would be able to exercise the information leak.\nHowever, the security of a system with qemu-dm running in a stub domain is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm.\nFinally, in a radically disaggregated system, where the service domain software (probably, the device model domain image in the HVM case) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability.\n", "published": "2015-04-20T17:10:00", "cvss": {"score": 2.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://xenbits.xen.org/xsa/advisory-132.html", "cvelist": ["CVE-2015-3340"], "lastseen": "2016-09-04T11:24:08"}, {"id": "XSA-111", "type": "xen", "title": "Excessive checking in compatibility mode hypercall argument translation", "description": "#### ISSUE DESCRIPTION\nThe hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed, since the code was originally intended for use only by PV guests.\nWhile this is not a problem for PV guests (as they can't enter 64-bit mode and hence can't alter the high halves of any of the registers), the subsequent reuse of the same functionality for HVM guests exposed those checks to values (specifically, unexpected values for the high halves of registers not holding hypercall arguments) controlled by guest software.\n#### IMPACT\nA buggy or malicious HVM guest can crash the host.\n#### VULNERABLE SYSTEMS\nXen 3.3 and onward are vulnerable.\nOnly x86 systems are vulnerable. 
ARM systems are not vulnerable.\n", "published": "2014-11-27T11:25:00", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-111.html", "cvelist": ["CVE-2014-8866"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-110", "type": "xen", "title": "Missing privilege level checks in x86 emulation of far branches", "description": "#### ISSUE DESCRIPTION\nThe emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks.\nHowever these instructions are not usually handled by the emulator. Exceptions to this are\n- when a memory operand lives in (emulated or passed through) memory mapped IO space,\n- in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update,\n- when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones,\n- when the guest is in real mode (in which case there are no privilege checks anyway).\n#### IMPACT\nMalicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest.\n#### VULNERABLE SYSTEMS\nXen 3.2.1 and onward are vulnerable on x86 systems.\nARM systems are not vulnerable.\nOnly user processes in x86 HVM guests can take advantage of this vulnerability.\n", "published": "2014-11-18T12:00:00", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://xenbits.xen.org/xsa/advisory-110.html", "cvelist": ["CVE-2014-8595"], "lastseen": "2016-09-04T11:24:07"}, {"id": "XSA-112", "type": "xen", "title": "Insufficient bounding of \"REP MOVS\" to MMIO emulated inside the hypervisor", "description": "#### ISSUE DESCRIPTION\nAcceleration support for the "REP MOVS" instruction, 
when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component.\n#### IMPACT\nA buggy or malicious HVM guest can crash the host.\n#### VULNERABLE SYSTEMS\nXen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable.\n", "published": "2014-11-27T11:25:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-112.html", "cvelist": ["CVE-2014-8867"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-116", "type": "xen", "title": "xen crash due to use after free on hvm guest teardown", "description": "#### ISSUE DESCRIPTION\nCertain data accessible (via hypercalls) by the domain controlling the execution of a HVM domain is being freed prematurely, leading to the respective memory regions to possibly be read from and written to in ways unexpected by their new owner(s).\n#### IMPACT\nMalicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system.\nOnly domains controlling HVM guests can exploit this vulnerability. (This includes domains providing hardware emulation services to HVM guests.)\n#### VULNERABLE SYSTEMS\nXen versions from 4.2 onwards are vulnerable on x86 systems. 
ARM systems are not vulnerable.\nThis vulnerability is only applicable to Xen systems using stub domains or other forms of disaggregation of control domains for HVM guests.\n", "published": "2015-01-06T12:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-116.html", "cvelist": ["CVE-2015-0361"], "lastseen": "2016-09-04T11:24:09"}, {"id": "XSA-109", "type": "xen", "title": "Insufficient restrictions on certain MMU update hypercalls", "description": "#### ISSUE DESCRIPTION\nMMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP).\n#### IMPACT\nMalicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service or privilege escalation attack which, if successful, can affect the whole system.\nOnly PV domains with privilege over other guests can exploit this vulnerability; and only when those other guests are HVM using HAP, or PVH. The vulnerability is therefore exposed to PV domains providing hardware emulation services to HVM guests.\n#### VULNERABLE SYSTEMS\nXen 4.0 and onward are vulnerable.\nOnly x86 systems are vulnerable. ARM systems are not vulnerable.\nThe vulnerability is only exposed to PV service domains for HVM or PVH guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm).\nIn the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable.\nThe situation is more subtle for an HVM guest with a stub qemu-dm. 
That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind of kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer).\nIn those latter situations this issue means that the extra isolation does not provide as good a defence as intended. That is the essence of this vulnerability.\nHowever, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm.\nFinally, in a radically disaggregated system: where the HVM or PVH service domain software (probably, the device model domain image in the HVM case) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability.\n", "published": "2014-11-18T12:00:00", "cvss": {"score": 5.4, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://xenbits.xen.org/xsa/advisory-109.html", "cvelist": ["CVE-2014-8594"], "lastseen": "2016-09-04T11:24:08"}], "freebsd": [{"id": "CBE1A0F9-27E9-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-tools -- Guest triggerable qemu MSI-X pass-through error messages", "description": "\nThe Xen Project reports:\n\nDevice model code dealing with guest PCI MSI-X interrupt management\n\t activities logs messages on certain (supposedly) invalid guest\n\t operations.\nA buggy or malicious guest repeatedly invoking such operations may\n\t cause the host disk to fill up, possibly leading to a Denial of\n\t Service.\n\n", "published": "2015-06-02T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/cbe1a0f9-27e9-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-4105"], 
"lastseen": "2016-09-26T17:24:17"}, {"id": "AF38CFEC-27E7-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-tools -- Potential unintended writes to host MSI message data field via qemu", "description": "\nThe Xen Project reports:\n\nLogic is in place to avoid writes to certain host config space\n\t fields when the guest must nevertheless be able to access their\n\t virtual counterparts. A bug in how this logic deals with accesses\n\t spanning multiple fields allows the guest to write to the host MSI\n\t message data field.\nWhile generally the writes write back the values previously read,\n\t their value in config space may have got changed by the host between\n\t the qemu read and write. In such a case host side interrupt handling\n\t could become confused, possibly losing interrupts or allowing\n\t spurious interrupt injection into other guests.\nCertain untrusted guest administrators may be able to confuse host\n\t side interrupt handling, leading to a Denial of Service.\n\n", "published": "2015-06-02T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/af38cfec-27e7-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-4103"], "lastseen": "2016-09-26T17:24:17"}, {"id": "5023F559-27E2-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel -- Information leak via internal x86 system device emulation", "description": "\nThe Xen Project reports:\n\nEmulation routines in the hypervisor dealing with certain system\n\t devices check whether the access size by the guest is a supported\n\t one. 
When the access size is unsupported these routines failed to\n\t set the data to be returned to the guest for read accesses, so that\n\t hypervisor stack contents are copied into the destination of the\n\t operation, thus becoming visible to the guest.\nA malicious HVM guest might be able to read sensitive data relating\n\t to other guests.\n\n", "published": "2015-03-05T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/5023f559-27e2-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-2044"], "lastseen": "2016-09-26T17:24:17"}, {"id": "CE658051-27EA-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo", "description": "\nThe Xen Project reports:\n\nThe handler for XEN_DOMCTL_gettscinfo failed to initialize a\n\t padding field subsequently copied to guest memory.\nA similar leak existed in XEN_SYSCTL_getdomaininfolist, which is\n\t being addressed here regardless of that operation being declared\n\t unsafe for disaggregation by XSA-77.\nMalicious or buggy stub domain kernels or tool stacks otherwise\n\t living outside of Domain0 may be able to read sensitive data\n\t relating to the hypervisor or other guests not under the control of\n\t that domain.\n\n", "published": "2015-04-20T00:00:00", "cvss": {"score": 2.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/ce658051-27ea-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-3340"], "lastseen": "2016-09-26T17:24:17"}, {"id": "F1DEED23-27EC-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-tools -- xl command line config handling stack overflow", "description": "\nThe Xen Project reports:\n\nThe xl command line utility mishandles long configuration values\n\t when passed as command line arguments, with a buffer overrun.\nA semi-trusted guest administrator or controller, who is 
intended\n\t to be able to partially control the configuration settings for a\n\t domain, can escalate their privileges to that of the whole host.\n\n", "published": "2015-07-07T00:00:00", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/f1deed23-27ec-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-3259"], "lastseen": "2016-09-26T17:24:17"}, {"id": "EF9D041E-27E2-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel -- Information leak through version information hypercall", "description": "\nThe Xen Project reports:\n\nThe code handling certain sub-operations of the\n\t HYPERVISOR_xen_version hypercall fails to fully initialize all\n\t fields of structures subsequently copied back to guest memory. Due\n\t to this hypervisor stack contents are copied into the destination of\n\t the operation, thus becoming visible to the guest.\nA malicious guest might be able to read sensitive data relating to\n\t other guests.\n\n", "published": "2015-03-05T00:00:00", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/ef9d041e-27e2-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-2045"], "lastseen": "2016-09-26T17:24:17"}, {"id": "D40C66CB-27E4-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible", "description": "\nThe Xen Project reports:\n\nThe XEN_DOMCTL_memory_mapping hypercall allows long running\n\t operations without implementing preemption.\nThis hypercall is used by the device model as part of the emulation\n\t associated with configuration of PCI devices passed through to HVM\n\t guests and is therefore indirectly exposed to those guests.\nThis can cause a physical CPU to become busy for a significant\n\t period, leading to a host denial of service in some cases.\nIf a host denial of service 
is not triggered then it may instead be\n\t possible to deny service to the domain running the device model,\n\t e.g. domain 0.\nThis hypercall is also exposed more generally to all toolstacks.\n\t However the uses of it in libxl based toolstacks are not believed\n\t to open up any avenue of attack from an untrusted guest. Other\n\t toolstacks may be vulnerable however.\nThe vulnerability is exposed via HVM guests which have a PCI device\n\t assigned to them. A malicious HVM guest in such a configuration can\n\t mount a denial of service attack affecting the whole system via its\n\t associated device model (qemu-dm).\nA guest is able to trigger this hypercall via operations which it\n\t is legitimately expected to perform, therefore running the device\n\t model as a stub domain does not offer protection against the host\n\t denial of service issue. However it does offer some protection\n\t against secondary issues such as denial of service against dom0.\n\n", "published": "2015-03-31T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/d40c66cb-27e4-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-2752"], "lastseen": "2016-09-26T17:24:17"}, {"id": "2780E442-FC59-11E4-B18B-6805CA1D3BB1", "type": "freebsd", "title": "qemu, xen and VirtualBox OSE -- possible VM escape and code execution (\"VENOM\")", "description": "\nJason Geffner, CrowdStrike Senior Security Researcher reports:\n\nVENOM, CVE-2015-3456, is a security vulnerability in\n\t the virtual floppy drive code used by many computer\n\t virtualization platforms. This vulnerability may allow\n\t an attacker to escape from the confines of an affected\n\t virtual machine (VM) guest and potentially obtain\n\t code-execution access to the host. 
Absent mitigation,\n\t this VM escape could open access to the host system and\n\t all other VMs running on that host, potentially giving\n\t adversaries significant elevated access to the host's\n\t local network and adjacent systems.\n\n", "published": "2015-04-29T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/2780e442-fc59-11e4-b18b-6805ca1d3bb1.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-26T17:24:19"}, {"id": "8C31B288-27EC-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel -- vulnerability in the iret hypercall handler", "description": "\nThe Xen Project reports:\n\nA buggy loop in Xen's compat_iret() function iterates the wrong way\n\t around a 32-bit index. Any 32-bit PV guest kernel can trigger this\n\t vulnerability by attempting a hypercall_iret with EFLAGS.VM set.\nGiven the use of __get/put_user(), and that the virtual addresses\n\t in question are contained within the lower canonical half, the guest\n\t cannot clobber any hypervisor data. Instead, Xen will take up to\n\t 2^33 pagefaults, in sequence, effectively hanging the host.\nMalicious guest administrators can cause a denial of service\n\t affecting the whole system.\n\n", "published": "2015-06-11T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/8c31b288-27ec-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-4164"], "lastseen": "2016-09-26T17:24:17"}, {"id": "80E846FF-27EB-11E5-A4A5-002590263BF5", "type": "freebsd", "title": "xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior", "description": "\nThe Xen Project reports:\n\nWith the introduction of version 2 grant table operations, a\n\t version check became necessary for most grant table related\n\t hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a\n\t check. 
As a result, the subsequent code behaved as if version 2 was\n\t in use, when a guest issued this hypercall without a prior\n\t GNTTABOP_setup_table or GNTTABOP_set_version.\nThe effect is a possible NULL pointer dereference. However, this\n\t cannot be exploited to elevate privileges of the attacking domain,\n\t as the maximum memory address that can be wrongly accessed this way\n\t is bounded to far below the start of hypervisor memory.\nMalicious or buggy guest domain kernels can mount a denial of\n\t service attack which, if successful, can affect the whole system.\n\n", "published": "2015-06-11T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/80e846ff-27eb-11e5-a4a5-002590263bf5.html", "cvelist": ["CVE-2015-4163"], "lastseen": "2016-09-26T17:24:17"}], "nessus": [{"id": "FREEBSD_PKG_CBE1A0F927E911E5A4A5002590263BF5.NASL", "type": "nessus", "title": "FreeBSD : xen-tools -- Guest triggerable qemu MSI-X pass-through error messages (cbe1a0f9-27e9-11e5-a4a5-002590263bf5)", "description": "The Xen Project reports :\n\nDevice model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain (supposedly) invalid guest operations.\n\nA buggy or malicious guest repeatedly invoking such operations may cause the host disk to fill up, possibly leading to a Denial of Service.", "published": "2015-07-14T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84713", "cvelist": ["CVE-2015-4105"], "lastseen": "2017-10-29T13:38:33"}, {"id": "ORACLEVM_OVMSA-2015-0063.NASL", "type": "nessus", "title": "OracleVM 3.2 : xen (OVMSA-2015-0063)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - xen/pt: unknown PCI config space fields should be read-only ... by default. 
Add a per-device 'permissive' mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). This is part of XSA-131.\n (CVE-2015-4106)\n\n - xen/pt: add a few PCI config space field descriptions Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. This is a preparatory patch for XSA-131.\n (CVE-2015-4106)\n\n - xen/pt: mark reserved bits in PCI config space fields The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). This is a preparatory patch for XSA-131. (CVE-2015-4106)\n\n - xen/pt: mark all PCIe capability bits read-only xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). This is a preparatory patch for XSA-131.\n (CVE-2015-4106)\n\n - xen/pt: split out calculation of throughable mask in PCI config space handling This is just to avoid having to adjust that calculation later in multiple places. Note that including ->ro_mask in get_throughable_mask's calculation is only an apparent (i.e. benign) behavioral change: For r/o fields it doesn't matter whether they get passed through - either the same flag is also set in emu_mask (then there's no change at all) or the field is r/o in hardware (and hence a write won't change it anyway). 
This is a preparatory patch for XSA-131.\n (CVE-2015-4106)\n\n - xen/pt: correctly handle PM status bit xen_pt_pmcsr_reg_write needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). This is a preparatory patch for XSA-131. (CVE-2015-4106)\n\n - xen/pt: consolidate PM capability emu_mask There's no point in xen_pt_pmcsr_reg_[read,write] each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write is being retained in order to allow later patches to be less intrusive. This is a preparatory patch for XSA-131.\n (CVE-2015-4106)\n\n - xen/MSI: don't open-code pass-through of enable bit modifications Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). Note that the fiddling with the enable bit shouldn't really be done by qemu, but making this work right (via libxc and the hypervisor) will require more extensive changes, which can be postponed until after the security issue got addressed. This is a preparatory patch for XSA-131.\n (CVE-2015-4106)\n\n - xen/MSI-X: disable logging by default ... to avoid allowing the guest to cause the control domain's disk to fill. This is XSA-130. (CVE-2015-4105)\n\n - xen: don't allow guest to control MSI mask register It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. 
This is XSA-129.\n (CVE-2015-4104)\n\n - xen: properly gate host writes of modified PCI CFG contents The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. This fixes a secondary issue at once: We obviously shouldn't make any host write attempt when already the host read failed. This is XSA-128.\n\n Conflicts: tools/ioemu-remote/hw/pass-through.c (CVE-2015-4103)", "published": "2015-06-03T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83966", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-4106"], "lastseen": "2017-10-29T13:38:50"}, {"id": "ORACLEVM_OVMSA-2015-0064.NASL", "type": "nessus", "title": "OracleVM 3.3 : xen (OVMSA-2015-0064)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0064 for details.", "published": "2015-06-03T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83967", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-4106"], "lastseen": "2017-10-29T13:32:56"}, {"id": "FEDORA_2015-9466.NASL", "type": "nessus", "title": "Fedora 21 : xen-4.4.2-5.fc21 (2015-9466)", "description": "Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register 
access in qemu [XSA-131, CVE-2015-4106]\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84178", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-4106"], "lastseen": "2017-10-29T13:42:06"}, {"id": "FEDORA_2015-9965.NASL", "type": "nessus", "title": "Fedora 20 : xen-4.3.4-6.fc20 (2015-9965)", "description": "Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537) GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163] vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164] Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106]\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-25T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84378", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:35:37"}, {"id": "FEDORA_2015-9456.NASL", "type": "nessus", "title": "Fedora 22 : xen-4.5.0-10.fc22 (2015-9456)", "description": "replace deprecated gnutls use in qemu-xen-traditional based on qemu-xen patches, work around a gcc 5 bug, Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106]\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84177", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-4106"], "lastseen": "2017-10-29T13:42:32"}, {"id": "DEBIAN_DSA-3284.NASL", "type": "nessus", "title": "Debian DSA-3284-1 : qemu - security update", "description": "Several vulnerabilities were discovered in qemu, a fast processor emulator.\n\n - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. 
A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service.\n\n - CVE-2015-4103 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4104 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4105 Jan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4106 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.", "published": "2015-06-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84167", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:44:18"}, {"id": "SUSE_SU-2015-1156-1.NASL", "type": "nessus", "title": "SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1156-1)", "description": "Xen was updated to fix six security issues :\n\nCVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. 
(XSA-128, bsc#931625)\n\nCVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.\n(XSA-129, bsc#931626)\n\nCVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627)\n\nCVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628)\n\nCVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770)\n\nCVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-30T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84468", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:33:29"}, {"id": "UBUNTU_USN-2630-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2630-1)", "description": "Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209)\n\nKurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. 
This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.\n(CVE-2015-4103)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104)\n\nJan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84118", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:35:30"}, {"id": "ORACLEVM_OVMSA-2016-0012.NASL", "type": "nessus", "title": "OracleVM 2.2 : xen (OVMSA-2016-0012)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - XSA-125: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) (Jan Beulich) [20732412] (CVE-2015-2752)\n\n - XSA-126: xen: limit guest control of PCI command register (Jan Beulich) [20739399] (CVE-2015-2756)\n\n - XSA-128: xen: properly gate host writes of modified PCI CFG contents (Jan Beulich) [21157440] (CVE-2015-4103)\n\n - XSA-129: xen: don't allow guest to control MSI mask register (Jan Beulich) [21158692] (CVE-2015-4104)\n\n - XSA-130: xen/MSI-X: disable logging by default (Jan Beulich) [21159408] (CVE-2015-4105)\n\n - XSA-131: [PATCH 1/8] xen/MSI: don't open-code pass-through of enable bit modifications (Jan Beulich) [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 2/8] xen/pt: consolidate PM capability emu_mask [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 3/8] xen/pt: correctly handle PM status bit [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 4/8] xen/pt: split out calculation of throughable mask in PCI config space handling [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 5/8] xen/pt: mark all PCIe capability bits read-only [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 6/8] xen/pt: mark reserved bits in PCI config space fields [21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 7/8] xen/pt: add a few PCI config space field descriptions 
[21164529] (CVE-2015-4106)\n\n - XSA-131: [PATCH 8/8] xen/pt: unknown PCI config space fields should be read-only [21164529] (CVE-2015-4106)", "published": "2016-02-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88737", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-2752", "CVE-2015-4104", "CVE-2015-2756", "CVE-2015-4106"], "lastseen": "2017-10-29T13:34:33"}], "openvas": [{"id": "OPENVAS:1361412562310869512", "type": "openvas", "title": "Fedora Update for xen FEDORA-2015-9456", "description": "Check the version of xen", "published": "2015-07-07T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869512", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-3456", "CVE-2015-4104", "CVE-2015-4106"], "lastseen": "2017-07-25T10:53:24"}, {"id": "OPENVAS:703284", "type": "openvas", "title": "Debian Security Advisory DSA 3284-1 (qemu - security update)", "description": "Several vulnerabilities were discovered\nin qemu, a fast processor emulator.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-07-24T12:53:20"}, {"id": "OPENVAS:1361412562310842235", "type": "openvas", "title": "Ubuntu Update for qemu USN-2630-1", "description": "Check the version of qemu", "published": "2015-06-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842235", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", 
"CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-12-04T11:24:28"}, {"id": "OPENVAS:1361412562310105841", "type": "openvas", "title": "Citrix NetScaler Service Delivery Appliance Multiple Security Updates (CTX206006)", "description": "A number of vulnerabilities have been identified in the Citrix NetScaler Service Delivery Appliance (SDX) that could allow a malicious administrative user to crash the host or other VMs and execute arbitrary code on the SDX host.", "published": "2016-08-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105841", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-2756", "CVE-2015-4106"], "lastseen": "2018-01-15T13:12:37"}, {"id": "OPENVAS:1361412562310851096", "type": "openvas", "title": "SuSE Update for Xen SUSE-SU-2015:1156-1 (Xen)", "description": "Check the version of Xen", "published": "2015-10-16T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851096", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-12-12T11:15:20"}, {"id": "OPENVAS:1361412562310703284", "type": "openvas", "title": "Debian Security Advisory DSA 3284-1 (qemu - security update)", "description": "Several vulnerabilities were discovered\nin qemu, a fast processor emulator.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2018-04-06T11:27:41"}, {"id": "OPENVAS:1361412562310851017", "type": "openvas", "title": 
"SuSE Update for xen SUSE-SU-2015:1042-1 (xen)", "description": "Check the version of xen", "published": "2015-10-16T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851017", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-12-12T11:15:18"}, {"id": "OPENVAS:1361412562310130069", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0310", "description": "Mageia Linux Local Security Checks mgasa-2015-0310", "published": "2015-10-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130069", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-3214", "CVE-2015-4037", "CVE-2015-5745", "CVE-2015-4104", "CVE-2015-5154", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-07-24T12:53:42"}, {"id": "OPENVAS:1361412562310105296", "type": "openvas", "title": "Citrix XenServer Multiple Security Updates (CTX201145)", "description": "A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator\nof a guest VM to crash the host. 
These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including\nCitrix XenServer 6.5 Service Pack 1.\n\nThe following vulnerabilities have been addressed:\n\n - CVE-2015-4106: Unmediated PCI register access in qemu.\n - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior.\n - CVE-2015-4164: vulnerability in the iret hypercall handler\n - CVE-2015-2756: Unmediated PCI command register access in qemu\n - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu.\n - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.\n - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages", "published": "2015-06-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105296", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-2756", "CVE-2015-4106"], "lastseen": "2017-07-02T21:11:53"}, {"id": "OPENVAS:1361412562310869775", "type": "openvas", "title": "Fedora Update for xen FEDORA-2015-11308", "description": "Check the version of xen", "published": "2015-07-19T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869775", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-3259", "CVE-2015-3456", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-07-25T10:53:02"}], "debian": [{"id": "DSA-3284", "type": "debian", "title": "qemu -- security update", "description": "Several vulnerabilities were discovered in qemu, a fast processor emulator.\n\n * [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>)\n\nMatt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD 
packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n * [CVE-2015-4037](<https://security-tracker.debian.org/tracker/CVE-2015-4037>)\n\nKurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service.\n\n * [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>)\n\nJan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6a+deb7u8. 
Only [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>) and [CVE-2015-4037](<https://security-tracker.debian.org/tracker/CVE-2015-4037>) affect oldstable.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1:2.1+dfsg-12+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:2.3+dfsg-6.\n\nWe recommend that you upgrade your qemu packages.", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-02T18:33:02"}, {"id": "DSA-3286", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been found in the Xen virtualisation solution:\n\n * [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>)\n\nMatt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. 
A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n * [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>)\n\nJan Beulich reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.\n\n * [CVE-2015-4163](<https://security-tracker.debian.org/tracker/CVE-2015-4163>)\n\nJan Beulich discovered that a missing version check in the GNTTABOP_swap_grant_ref hypercall handler may result in denial of service. This only applies to Debian stable/jessie.\n\n * [CVE-2015-4164](<https://security-tracker.debian.org/tracker/CVE-2015-4164>)\n\nAndrew Cooper discovered a vulnerability in the iret hypercall handler, which may result in denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u8. \n\nFor the stable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u1. 
[CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>), [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>), [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>), [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>) and [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>) don't affect the Xen package in stable jessie, it uses the standard qemu package and has already been fixed in DSA-3284-1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3286", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-02T18:28:53"}, {"id": "DSA-3181", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been found in the Xen virtualisation solution:\n\n * [CVE-2015-2044](<https://security-tracker.debian.org/tracker/CVE-2015-2044>)\n\nInformation leak via x86 system device emulation.\n\n * [CVE-2015-2045](<https://security-tracker.debian.org/tracker/CVE-2015-2045>)\n\nInformation leak in the HYPERVISOR_xen_version() hypercall.\n\n * [CVE-2015-2151](<https://security-tracker.debian.org/tracker/CVE-2015-2151>)\n\nMissing input sanitising in the x86 emulator could result in information disclosure, denial of service or potentially privilege escalation.\n\nIn addition the Xen developers reported an unfixable limitation in the handling of non-standard PCI devices. 
Please refer to <http://xenbits.xen.org/xsa/advisory-124.html> for further information.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u5.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-03-10T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3181", "cvelist": ["CVE-2015-2044", "CVE-2015-2045", "CVE-2015-2151"], "lastseen": "2016-09-02T18:20:01"}, {"id": "DSA-3414", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.\n\nFor the oldstable distribution (wheezy), an update will be provided later.\n\nFor the stable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u3.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-12-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3414", "cvelist": ["CVE-2015-6654", "CVE-2015-7969", "CVE-2015-7813", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-3340", "CVE-2015-3259", "CVE-2015-7311", "CVE-2015-7970", "CVE-2015-5307", "CVE-2015-7814", "CVE-2015-7812", "CVE-2015-8104"], "lastseen": "2016-09-02T18:28:12"}, {"id": "DSA-3140", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.\n\n * [CVE-2014-8594](<https://security-tracker.debian.org/tracker/CVE-2014-8594>)\n\nRoger Pau Monne and Jan Beulich discovered that incomplete 
restrictions on MMU update hypercalls may result in privilege escalation.\n\n * [CVE-2014-8595](<https://security-tracker.debian.org/tracker/CVE-2014-8595>)\n\nJan Beulich discovered that missing privilege level checks in the x86 emulation of far branches may result in privilege escalation.\n\n * [CVE-2014-8866](<https://security-tracker.debian.org/tracker/CVE-2014-8866>)\n\nJan Beulich discovered that an error in compatibility mode hypercall argument translation may result in denial of service.\n\n * [CVE-2014-8867](<https://security-tracker.debian.org/tracker/CVE-2014-8867>)\n\nJan Beulich discovered that an insufficient restriction in acceleration support for the REP MOVS instruction may result in denial of service.\n\n * [CVE-2014-9030](<https://security-tracker.debian.org/tracker/CVE-2014-9030>)\n\nAndrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE handling, resulting in denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u4.\n\nFor the upcoming stable distribution (jessie), these problems have been fixed in version 4.4.1-4.\n\nFor the unstable distribution (sid), these problems have been fixed in version 4.4.1-4.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-01-27T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3140", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2016-09-02T18:37:20"}, {"id": "DSA-2909", "type": "debian", "title": "qemu -- security update", "description": "Michael S. 
Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.\n\nA privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-3squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.1.2+dfsg-6a+deb7u1.\n\nFor the testing distribution (jessie), this problem has been fixed in version 1.7.0+dfsg-8.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.7.0+dfsg-8.\n\nWe recommend that you upgrade your qemu packages.", "published": "2014-04-18T00:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2909", "cvelist": ["CVE-2014-0150"], "lastseen": "2016-09-02T18:31:12"}, {"id": "DSA-2910", "type": "debian", "title": "qemu-kvm -- security update", "description": "Michael S. 
Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.\n\nA privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-5+squeeze11.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.1.2+dfsg-6+deb7u1.\n\nWe recommend that you upgrade your qemu-kvm packages.", "published": "2014-04-18T00:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2910", "cvelist": ["CVE-2014-0150"], "lastseen": "2016-09-02T18:36:01"}, {"id": "DLA-248", "type": "debian", "title": "qemu -- LTS security update", "description": "A vulnerability was discovered in the qemu virtualisation solution:\n\n * [CVE-2015-3456](<https://security-tracker.debian.org/tracker/CVE-2015-3456>)\n\nJason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code.\n\nDespite the end-of-life of qemu support in the old-oldstable distribution (squeeze-lts), this problem has been fixed in version 0.12.5+dfsg-3squeeze4 of the qemu source package due to its severity (the so-called VENOM vulnerability).\n\nFurther problems may still be present in the qemu package in the old-oldstable distribution (squeeze-lts) and users who need to rely on qemu are encouraged to upgrade to a newer version of Debian.\n\nWe recommend that you upgrade your qemu packages.", "published": "2015-06-19T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-248", "cvelist": ["CVE-2015-3456"], "lastseen": 
"2016-09-02T12:56:35"}, {"id": "DLA-249", "type": "debian", "title": "qemu-kvm -- LTS security update", "description": "A vulnerability was discovered in the qemu virtualisation solution:\n\n * [CVE-2015-3456](<https://security-tracker.debian.org/tracker/CVE-2015-3456>)\n\nJason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code.\n\nDespite the end-of-life of qemu-kvm support in the old-oldstable distribution (squeeze-lts), this problem has been fixed in version 0.12.5+dfsg-5+squeeze11 of the qemu-kvm source package due to its severity (the so-called VENOM vulnerability).\n\nFurther problems may still be present in the qemu-kvm package in the old-oldstable distribution (squeeze-lts) and users who need to rely on qemu-kvm are encouraged to upgrade to a newer version of Debian.\n\nWe recommend that you upgrade your qemu-kvm packages.", "published": "2015-06-19T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-249", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-02T12:57:21"}, {"id": "DSA-3274", "type": "debian", "title": "virtualbox -- security update", "description": "Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in potential privilege escalation.\n\nFor the oldstable distribution (wheezy), this problem has been fixed in version 4.1.18-dfsg-2+deb7u5.\n\nFor the stable distribution (jessie), this problem has been fixed in version 4.3.18-dfsg-3+deb8u2.\n\nFor the unstable distribution (sid), this problem has been fixed in version 4.3.28-dfsg-1.\n\nWe recommend that you upgrade your virtualbox packages.", "published": "2015-05-28T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3274", "cvelist": 
["CVE-2015-3456"], "lastseen": "2016-09-02T18:36:07"}], "suse": [{"id": "SUSE-SU-2015:1156-1", "type": "suse", "title": "Security update for Xen (important)", "description": "Xen was updated to fix six security issues:\n\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu. (XSA-128, bsc#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.\n (XSA-129, bsc#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error\n messages. (XSA-130, bsc#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131,\n bsc#931628)\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest\n to host escape. (XSA-135, bsc#932770)\n * CVE-2015-4164: DoS through iret hypercall handler. (XSA-136,\n bsc#932996)\n\n Security Issues:\n\n * CVE-2015-4103\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103</a>>\n * CVE-2015-4104\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104</a>>\n * CVE-2015-4105\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105</a>>\n * CVE-2015-4106\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106</a>>\n * CVE-2015-4164\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164</a>>\n * CVE-2015-3209\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209</a>>\n\n", "published": "2015-06-29T14:05:20", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-04T11:56:36"}, {"id": "SUSE-SU-2015:1042-1", "type": "suse", "title": "Security update for xen (important)", "description": "Xen was updated to fix seven security issues and one non-security bug.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu (XSA-128) (bnc#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests\n (XSA-129) (bnc#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages\n (XSA-130) (bnc#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131)\n (bnc#931628)\n * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134)\n (bnc#932790)\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (bnc#932770)\n * CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996)\n\n The following non-security bug was fixed:\n\n * bnc#906689: let systemd schedule xencommons after network-online.target\n and remote-fs.target so that xendomains has access to remote shares\n\n", "published": "2015-06-11T17:05:28", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-04T11:29:41"}, {"id": "OPENSUSE-SU-2015:1094-1", "type": "suse", "title": "Security update for xen (important)", "description": "Xen was updated to fix eight vulnerabilities.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-2751: 
Certain domctl operations may be abused to lock up the\n host (XSA-127 boo#922709)\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu (XSA-128) (boo#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests\n (XSA-129) (boo#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages\n (XSA-130) (boo#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131)\n (boo#931628)\n * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134)\n (boo#932790)\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (boo#932770)\n * CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)\n\n", "published": "2015-06-22T14:04:51", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00017.html", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-2751", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-04T11:29:41"}, {"id": "SUSE-SU-2015:1045-1", "type": "suse", "title": "Security update for Xen (important)", "description": "Xen was updated to fix seven security vulnerabilities:\n\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu. (XSA-128, bnc#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.\n (XSA-129, bnc#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error\n messages. (XSA-130, bnc#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131,\n bnc#931628)\n * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior.\n (XSA-134, bnc#932790)\n * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest\n to host escape. (XSA-135, bnc#932770)\n * CVE-2015-4164: DoS through iret hypercall handler. 
(XSA-136,\n bnc#932996)\n\n Security Issues:\n\n * CVE-2015-4103\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103</a>>\n * CVE-2015-4104\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104</a>>\n * CVE-2015-4105\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105</a>>\n * CVE-2015-4106\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106</a>>\n * CVE-2015-4163\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4163\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4163</a>>\n * CVE-2015-4164\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164</a>>\n * CVE-2015-3209\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209</a>>\n\n", "published": "2015-06-11T20:04:58", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-04T11:37:36"}, {"id": "SUSE-SU-2015:1157-1", "type": "suse", "title": "Security update for Xen (important)", "description": "Xen was updated to fix six security issues:\n\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu. 
(XSA-128, bsc#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.\n (XSA-129, bsc#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error\n messages. (XSA-130, bsc#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131,\n bsc#931628)\n * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest\n to host escape. (XSA-135, bsc#932770)\n * CVE-2015-4164: DoS through iret hypercall handler. (XSA-136,\n bsc#932996)\n\n Security Issues:\n\n * CVE-2015-4103\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103</a>>\n * CVE-2015-4104\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104</a>>\n * CVE-2015-4105\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105</a>>\n * CVE-2015-4106\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106</a>>\n * CVE-2015-4163\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4163\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4163</a>>\n * CVE-2015-4164\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4164</a>>\n * CVE-2015-3209\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209</a>>\n\n", "published": "2015-06-29T15:05:16", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html", "cvelist": ["CVE-2015-4105", 
"CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-04T11:57:34"}, {"id": "OPENSUSE-SU-2015:1092-1", "type": "suse", "title": "Security update for xen (important)", "description": "Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security\n bugs.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-4103: Potential unintended writes to host MSI message data\n field via qemu (XSA-128) (boo#931625)\n * CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests\n (XSA-129) (boo#931626)\n * CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages\n (XSA-130) (boo#931627)\n * CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131)\n (boo#931628)\n * CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)\n * CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134)\n (boo#932790)\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (boo#932770)\n * CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation,\n which could be used to denial of service attacks or potential code\n execution against the host. ()\n * CVE-2015-3340: Xen did not initialize certain fields, which allowed\n certain remote service domains to obtain sensitive information from\n memory via a (1) XEN_DOMCTL_gettscinfo or (2)\n XEN_SYSCTL_getdomaininfolist request. 
()\n * CVE-2015-2752: Long latency MMIO mapping operations are not preemptible\n (XSA-125 boo#922705)\n * CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126\n boo#922706)\n * CVE-2015-2751: Certain domctl operations may be abused to lock up the\n host (XSA-127 boo#922709)\n * CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw\n (boo#919464 XSA-123)\n * CVE-2015-2045: Information leak through version information hypercall\n (boo#918998 XSA-122)\n * CVE-2015-2044: Information leak via internal x86 system device emulation\n (boo#918995 (XSA-121)\n * CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics\n backends (boo#919663 XSA-119)\n * CVE-2014-3615: information leakage when guest sets high resolution\n (boo#895528)\n\n The following non-security bugs were fixed:\n\n * xentop: Fix memory leak on read failure\n * boo#923758: xen dmesg contains bogus output in early boot\n * boo#921842: Xentop doesn't display disk statistics for VMs using qdisks\n * boo#919098: L3: XEN blktap device intermittently fails to connect\n * boo#882089: Windows 2012 R2 fails to boot up with greater than 60 vcpus\n * boo#903680: Problems with detecting free loop devices on Xen guest\n startup\n * boo#861318: xentop reports "Found interface vif101.0 but domain 101 does\n not exist."\n * boo#901488: Intel ixgbe driver assigns rx/tx queues per core resulting\n in irq problems on servers with a large amount of CPU cores\n * boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work\n * boo#912011: high ping latency after upgrade to latest SLES11SP3 on xen\n Dom0\n * boo#906689: let systemd schedule xencommons after network-online.target\n and remote-fs.target so that xendomains has access to remote shares\n\n The following functionality was enabled or enhanced:\n\n * Enable spice support in qemu for x86_64\n * Add Qxl vga support\n * Enhancement to virsh/libvirtd "send-key" command (FATE#317240)\n * Add domain_migrate_constraints_set API to Xend's 
http interface\n (FATE#317239)\n\n", "published": "2015-06-22T12:04:52", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00016.html", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-2044", "CVE-2015-3340", "CVE-2015-2045", "CVE-2015-2752", "CVE-2015-3456", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-4104", "CVE-2015-2751", "CVE-2015-2756", "CVE-2014-3615", "CVE-2015-3209", "CVE-2015-4106", "CVE-2015-2152"], "lastseen": "2016-09-04T11:57:45"}, {"id": "SUSE-SU-2015:0613-1", "type": "suse", "title": "Security update for Xen (important)", "description": "The XEN hypervisor received updates to fix various security issues and\n bugs.\n\n The following security issues were fixed:\n - CVE-2015-2151: XSA-123: A hypervisor memory corruption due to x86\n emulator flaw.\n - CVE-2015-2045: XSA-122: Information leak through version information\n hypercall.\n - CVE-2015-2044: XSA-121: Information leak via internal x86 system device\n emulation.\n - CVE-2015-2152: XSA-119: HVM qemu was unexpectedly enabling emulated VGA\n graphics backends.\n - CVE-2014-3615: Information leakage when guest sets high graphics\n resolution.\n - CVE-2015-0361: XSA-116: A xen crash due to use after free on hvm guest\n teardown.\n - CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation.\n\n Also the following bugs were fixed:\n - bnc#919098 - XEN blktap device intermittently fails to connect\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n - bnc#903680 - Problems with detecting free loop devices on Xen guest\n startup\n - bnc#861318 - xentop reports "Found interface vif101.0 but domain 101\n does not exist."\n - Update seabios to rel-1.7.3.1 which is the correct version for Xen 4.4\n - Enhancement to virsh/libvirtd "send-key" command The xen side small fix.\n (FATE#317240)\n - bnc#901488 - Intel ixgbe driver assigns rx/tx 
queues per core resulting\n in irq problems on servers with a large amount of CPU cores\n - bnc#910254 - SLES11 SP3 Xen VT-d igb NIC doesn't work\n - Add domain_migrate_constraints_set API to Xend's http interface\n (FATE#317239)\n - Restore missing fixes from block-dmmd script\n - bnc#904255 - XEN boot hangs in early boot on UEFI system\n - bsc#912011 - high ping latency after upgrade to latest SLES11SP3 on xen\n Dom0\n - Fix missing banner by restoring the figlet program.\n\n", "published": "2015-03-27T10:04:56", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00031.html", "cvelist": ["CVE-2014-9065", "CVE-2015-2044", "CVE-2015-0361", "CVE-2015-2045", "CVE-2015-2151", "CVE-2014-9066", "CVE-2014-3615", "CVE-2015-2152"], "lastseen": "2016-09-04T12:43:37"}, {"id": "OPENSUSE-SU-2015:0226-1", "type": "suse", "title": "Security update for xen (important)", "description": "The virtualization software XEN was updated to version 4.3.3 and also to\n fix bugs and security issues.\n\n Security issues fixed: CVE-2015-0361: XSA-116: xen: xen crash due to use\n after free on hvm guest teardown\n\n CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation\n\n CVE-2014-9030: XSA-113: Guest effectable page reference leak in\n MMU_MACHPHYS_UPDATE handling\n\n CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO\n emulated inside the hypervisor\n\n CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode\n hypercall argument translation\n\n CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86\n emulation of far branches\n\n CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU\n update hypercalls\n\n CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be\n evaded by native NMI interrupts\n\n CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu\n operations are not 
preemptible\n\n Bugs fixed:\n - bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore\n\n - bnc#903359 - Temporary migration name is not cleaned up after migration\n\n - bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not\n handled by hypervisor\n\n - bnc#866902 - L3: Xen save/restore of HVM guests cuts off disk and\n networking\n\n - bnc#901317 - L3: increase limit domUloader to 32MB domUloader.py\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n - bsc#900292 - xl: change default dump directory\n\n - Update to Xen 4.3.3\n\n", "published": "2015-02-06T11:05:09", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2016-09-04T12:45:45"}, {"id": "OPENSUSE-SU-2015:0256-1", "type": "suse", "title": "Security update for xen (important)", "description": "The XEN virtualization was updated to fix bugs and security issues:\n\n Security issues fixed: CVE-2015-0361: XSA-116: xen: xen crash due to use\n after free on hvm guest teardown\n\n CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation\n\n CVE-2014-9030: XSA-113: Guest effectable page reference leak in\n MMU_MACHPHYS_UPDATE handling\n\n CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO\n emulated inside the hypervisor\n\n CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode\n hypercall argument translation\n\n CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86\n emulation of far branches\n\n CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU\n update hypercalls\n\n CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be\n 
evaded by native NMI interrupts\n\n CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu\n operations are not preemptible\n\n Bugs fixed:\n - Restore missing fixes from block-dmmd script\n\n - bnc#904255 - XEN boot hangs in early boot on UEFI system\n\n - Fix missing banner by restoring figlet program\n\n - bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore\n\n - bnc#903359 - Temporary migration name is not cleaned up after migration\n\n - bnc#903850 - Xen: guest user mode triggerable VM exits not handled by\n hypervisor\n\n - bnc#866902 - Xen save/restore of HVM guests cuts off disk and networking\n\n - bnc#901317 - increase limit domUloader to 32MB\n\n - bnc#898772 - SLES 12 RC3 - XEN Host crashes when assigning non-VF device\n (SR-IOV) to guest\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n - bsc#900292 - xl: change default dump directory\n\n - Update xen2libvirt.py to better detect and handle file formats\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n\n - bnc#897906 - libxc: check return values on mmap() and madvise()\n on xc_alloc_hypercall_buffer()\n\n - bnc#896023 - Adjust xentop column layout\n\n", "published": "2015-02-11T15:05:20", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2016-09-04T12:09:51"}, {"id": "OPENSUSE-SU-2015:0732-1", "type": "suse", "title": "Security update for xen (important)", "description": "Xen was updated to 4.3.4 to fix multiple vulnerabilities and non-security\n bugs.\n\n The following vulnerabilities were fixed:\n\n - Long latency MMIO mapping operations are not preemptible (XSA-125\n 
CVE-2015-2752 bnc#922705)\n - Unmediated PCI command register access in qemu (XSA-126 CVE-2015-2756\n bnc#922706)\n - Hypervisor memory corruption due to x86 emulator flaw (bnc#919464\n CVE-2015-2151 XSA-123)\n - Information leak through version information hypercall (bnc#918998\n CVE-2015-2045 XSA-122)\n - Information leak via internal x86 system device emulation (bnc#918995\n (CVE-2015-2044 XSA-121)\n - HVM qemu unexpectedly enabling emulated VGA graphics backends\n (bnc#919663 CVE-2015-2152 XSA-119)\n - information leakage when guest sets high resolution (bnc#895528\n CVE-2014-3615)\n\n The following non-security bugs were fixed:\n\n - L3: XEN blktap device intermittently fails to connect (bnc#919098)\n - Problems with detecting free loop devices on Xen guest startup\n (bnc#903680)\n - xentop reports "Found interface vif101.0 but domain 101 does not exist."\n (bnc#861318)\n - Intel ixgbe driver assigns rx/tx queues per core resulting in irq\n problems on servers with a large amount of CPU cores (bnc#901488)\n - SLES11 SP3 Xen VT-d igb NIC doesn't work (bnc#910254)\n\n", "published": "2015-04-20T16:04:56", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html", "cvelist": ["CVE-2015-2044", "CVE-2015-2045", "CVE-2015-2752", "CVE-2015-2151", "CVE-2015-2756", "CVE-2014-3615", "CVE-2015-2152"], "lastseen": "2016-09-04T11:40:57"}], "ubuntu": [{"id": "USN-2630-1", "type": "ubuntu", "title": "QEMU vulnerabilities", "description": "Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. 
(CVE-2015-3209)\n\nKurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4103)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104)\n\nJan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106)", "published": "2015-06-10T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2630-1/", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2018-03-29T18:20:27"}, {"id": "USN-2182-1", "type": "ubuntu", "title": "QEMU vulnerabilities", "description": "Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. This issue only applied to Ubuntu 13.10 and Ubuntu 14.04 LTS. 
(CVE-2013-4544)\n\nMichael S. Tsirkin discovered that QEMU incorrectly handled virtio-net MAC addresses. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-0150)\n\nBeno\u00eet Canet discovered that QEMU incorrectly handled SMART self-tests. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-2894)", "published": "2014-04-28T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2182-1/", "cvelist": ["CVE-2013-4544", "CVE-2014-2894", "CVE-2014-0150"], "lastseen": "2018-03-29T18:18:42"}, {"id": "USN-2608-1", "type": "ubuntu", "title": "QEMU vulnerabilities", "description": "Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. This issue is known as VENOM. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3456)\n\nDaniel P. Berrange discovered that QEMU incorrectly handled VNC websockets. A remote attacker could use this issue to cause QEMU to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)\n\nJan Beulich discovered that QEMU, when used with Xen, didn\u2019t properly restrict access to PCI command registers. A malicious guest could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. 
(CVE-2015-2756)", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2608-1/", "cvelist": ["CVE-2015-1779", "CVE-2015-3456", "CVE-2015-2756"], "lastseen": "2018-03-29T18:17:48"}], "gentoo": [{"id": "GLSA-201604-03", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.5.2-r5\"\n \n\nAll Xen 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.6.0-r9\"\n \n\nAll Xen tools 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.5.2-r5\"\n \n\nAll Xen tools 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.6.0-r9\"\n \n\nAll Xen pvgrub users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-pvgrub-4.6.0\"", "published": "2016-04-05T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201604-03", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-8551", "CVE-2012-6034", "CVE-2015-7969", "CVE-2015-7813", "CVE-2015-8340", "CVE-2012-3494", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-3340", "CVE-2015-8339", 
"CVE-2015-7835", "CVE-2016-2270", "CVE-2012-4535", "CVE-2012-4411", "CVE-2012-4539", "CVE-2015-3259", "CVE-2015-7311", "CVE-2012-3495", "CVE-2012-3498", "CVE-2015-7970", "CVE-2015-7504", "CVE-2015-3456", "CVE-2012-6030", "CVE-2012-3515", "CVE-2015-4164", "CVE-2015-8550", "CVE-2015-7814", "CVE-2015-8554", "CVE-2015-7812", "CVE-2012-3497", "CVE-2012-6035", "CVE-2012-6031", "CVE-2012-6033", "CVE-2012-4537", "CVE-2012-4538", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-8555", "CVE-2015-4104", "CVE-2012-3496", "CVE-2015-7871", "CVE-2012-6032", "CVE-2012-4536", "CVE-2012-6036", "CVE-2015-8341", "CVE-2016-2271", "CVE-2015-8552", "CVE-2015-5154", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-06T19:46:33"}, {"id": "GLSA-201504-04", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition or obtain sensitive information. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen 4.4 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.4.2-r1\"\n \n\nAll Xen 4.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.2.5-r8\"", "published": "2015-04-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201504-04", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2015-2044", "CVE-2014-8866", "CVE-2014-3967", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-2045", "CVE-2015-2752", "CVE-2014-3968", "CVE-2015-2751", "CVE-2014-9066", "CVE-2015-2756", "CVE-2014-5149", "CVE-2014-9030", "CVE-2015-2152", "CVE-2013-2212"], "lastseen": "2016-09-06T19:46:07"}, {"id": "GLSA-201408-17", "type": "gentoo", "title": "QEMU: Multiple vulnerabilities", "description": "### Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nMultiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.0.0-r1\"", "published": "2014-08-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201408-17", "cvelist": ["CVE-2014-0146", "CVE-2014-0223", "CVE-2013-4544", "CVE-2014-0144", "CVE-2014-2894", "CVE-2007-6227", "CVE-2014-0222", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-3461", "CVE-2013-4377", "CVE-2014-0147", "CVE-2014-0142"], "lastseen": "2016-09-06T19:46:25"}, {"id": "GLSA-201612-27", "type": "gentoo", "title": "VirtualBox: Multiple vulnerabilities", "description": "### Background\n\nVirtualBox is a powerful virtualization product from Oracle.\n\n### Description\n\nMultiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal attackers could cause a Denial of Service condition, execute arbitrary code, or escalate their privileges. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll VirtualBox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/virtualbox-4.3.28\"\n \n\nAll VirtualBox-bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/virtualbox-bin-4.3.28\"", "published": "2016-12-11T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201612-27", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2015-0427", "CVE-2014-6595", "CVE-2014-0983", "CVE-2015-0418", "CVE-2016-5610", "CVE-2015-3456", "CVE-2014-0981", "CVE-2014-6590", "CVE-2016-5613", "CVE-2015-0377", "CVE-2014-6589", "CVE-2014-6588"], "lastseen": "2016-12-12T05:58:32"}, {"id": "GLSA-201602-01", "type": "gentoo", "title": "QEMU: Multiple vulnerabilities", "description": "### Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nMultiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might cause a Denial of Service or gain escalated privileges from a guest VM. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.5.0-r1\"", "published": "2016-02-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201602-01", "cvelist": ["CVE-2015-8567", "CVE-2015-8556", "CVE-2015-8558", "CVE-2015-6855", "CVE-2015-8666", "CVE-2015-1779", "CVE-2015-7504", "CVE-2015-5225", "CVE-2015-3456", "CVE-2015-7512", "CVE-2015-5279", "CVE-2015-5745", "CVE-2015-8345", "CVE-2015-8568", "CVE-2015-8744", "CVE-2015-7549", "CVE-2015-8743", "CVE-2016-1568", "CVE-2015-8701", "CVE-2015-8745", "CVE-2015-8504", "CVE-2015-6815", "CVE-2015-7295", "CVE-2015-5278"], "lastseen": "2016-09-06T19:46:27"}, {"id": "GLSA-201510-02", "type": "gentoo", "title": "QEMU: Arbitrary code execution", "description": "### Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nHeap-based buffer overflow has been found in QEMU\u2019s PCNET controller.\n\n### Impact\n\nA remote attacker could execute arbitrary code via specially crafted packets. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.3.0-r4\"", "published": "2015-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201510-02", "cvelist": ["CVE-2015-3214", "CVE-2015-5158", "CVE-2015-5154", "CVE-2015-3209"], "lastseen": "2016-09-06T19:46:37"}], "huawei": [{"id": "HUAWEI-SA-20150327-01-XEN", "type": "huawei", "title": "Security Advisory - Xen Vulnerabilities on Huawei FusionSphere products", "description": "This security advisory (SA) describes the impact of Xen vulnerabilities discovered in website.\nThis vulnerability is referenced in this document as follows:\nXSA-120: Non-maskable interrupts triggerable by guests. In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service.( HWPSIRT-2015-03019)\nThis Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-2150.\nXSA-123: Hypervisor memory corruption due to x86 emulator flaw. A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded. (HWPSIRT-2015-03020)\nThis Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-2151.\nXSA-121: Information leak via internal x86 system device emulation. A malicious HVM guest might be able to read sensitive data relating to other guests. 
(HWPSIRT-2015-03021)\nThis Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-2044.\nXSA-122: Information leak through version information hypercall. A malicious guest might be able to read sensitive data relating to other guests. \n\u00a0This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-2045.", "published": "2015-04-10T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.huawei.com/en/psirt/security-advisories/2015/hw-423503", "cvelist": ["CVE-2015-2044", "CVE-2015-2045", "CVE-2015-2151", "CVE-2014-2045", "CVE-2015-2150", "CVE-2014-2151"], "lastseen": "2016-09-05T13:35:27"}, {"id": "HUAWEI-SA-20150609-01-VENOM", "type": "huawei", "title": "Security Advisory - VENOM Vulnerability in Huawei Products", "description": "Huawei has noticed the buffer overflow vulnerability in the floppy disk controller (FDC) of QEMU disclosed by open source organization Xen. This vulnerability allows an attacker to escape out of the virtual machine, execute code on the physical host with full privilege. 
(Vulnerability ID: HWPSIRT-2015-05025)This Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-3456.", "published": "2015-06-09T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.huawei.com/en/psirt/security-advisories/2015/hw-438937", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-05T13:35:33"}], "oraclelinux": [{"id": "ELSA-2015-0783", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "kernel\n[2.6.18-404]\n- [infiniband] core: Prevent integer overflow in ib_umem_get (Doug Ledford) [1179353] {CVE-2014-8159}\n[2.6.18-403]\n- [s390] zcrypt: Toleration of new crypto hardware (Hendrik Brueckner) [1182522]\n- [fs] cifs: Use pid from cifsFileInfo in wrt pages/set_file_size (Sachin Prabhu) [1169304]\n- [xen] x86: confine internally handled MMIO to solitary regions (Denys Vlasenko) [1164256] {CVE-2014-8867}", "published": "2015-04-08T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0783.html", "cvelist": ["CVE-2014-8867", "CVE-2014-8159"], "lastseen": "2016-09-04T11:17:14"}, {"id": "ELSA-2015-0783-1", "type": "oraclelinux", "title": "1 ", "description": "kernel\n[2.6.18-404.0.0.0.1]\n- [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078]\n- ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772]\n- i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649]\n- [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030]\n- [oprofile] export __get_user_pages_fast() function [orabug 14277030]\n- [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030]\n- [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030]\n- [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030]\n- [kernel] Initialize the local uninitialized variable 
stats. [orabug 14051367]\n- [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763]\n- [x86 ] fix fpu context corrupt when preempt in signal context [orabug 14038272]\n- [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075]\n- fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan)\n- [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan)\n- [x86] Fix lvt0 reset when hvm boot up with noapic param\n- [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason)\n [orabug 12342275]\n- [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346]\n- [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566]\n- [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042]\n- [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646]\n- fix filp_close() race (Joe Jin) [orabug 10335998]\n- make xenkbd.abs_pointer=1 by default [orabug 67188919]\n- [xen] check to see if hypervisor supports memory reservation change\n (Chuck Anderson) [orabug 7556514]\n- [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki)\n [orabug 10315433]\n- [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258]\n- [mm] Patch shrink_zone to yield during severe mempressure events, avoiding\n hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839]\n- [mm] Enhance shrink_zone patch allow full swap utilization, and also be\n NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919]\n- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]\n- [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson)\n [orabug 9107465]\n- [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson)\n [orabug 9764220]\n- Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615]\n- fix overcommit memory to use percpu_counter for (KOSAKI 
Motohiro,\n Guru Anbalagane) [orabug 6124033]\n- [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208]\n- [ib] fix memory corruption (Andy Grover) [orabug 9972346]\n- [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203]\n- [usb] usbcore: fix refcount bug in endpoint removal (Junxiao Bi) [orabug 14795203]", "published": "2015-04-08T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0783-1.html", "cvelist": ["CVE-2014-8867", "CVE-2014-8159"], "lastseen": "2017-08-22T10:02:49"}, {"id": "ELSA-2014-0420", "type": "oraclelinux", "title": "qemu-kvm security update", "description": "[0.12.1.2-2.415.el6_5.8]\n- kvm-virtio-net-fix-guest-triggerable-buffer-overrun.patch [bz#1078605 bz#1078849]\n- kvm-qcow2-Check-backing_file_offset-CVE-2014-0144.patch [bz#1079452 bz#1079453]\n- kvm-qcow2-Check-refcount-table-size-CVE-2014-0144.patch [bz#1079452 bz#1079453]\n- kvm-qcow2-Validate-refcount-table-offset.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Validate-snapshot-table-offset-size-CVE-2014-0.patch [bz#1079452 bz#1079453]\n- kvm-qcow2-Validate-active-L1-table-offset-and-size-CVE-2.patch [bz#1079452 bz#1079453]\n- kvm-qcow2-Fix-backing-file-name-length-check.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_refc.patch [bz#1079337 bz#1079338]\n- kvm-qcow2-Avoid-integer-overflow-in-get_refcount-CVE-201.patch [bz#1079318 bz#1079319]\n- kvm-qcow2-Check-new-refcount-table-size-on-growth.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Fix-types-in-qcow2_alloc_clusters-and-alloc_cl.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Protect-against-some-integer-overflows-in-bdrv.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Catch-some-L1-table-index-overflows.patch [bz#1079518 bz#1086678]\n- kvm-qcow2-Fix-new-L1-table-size-check-CVE-2014-0143.patch [bz#1079318 bz#1079319]\n- 
kvm-qcow2-Fix-NULL-dereference-in-qcow2_open-error-path-.patch [bz#1079330 bz#1079331]\n- kvm-qcow2-Limit-snapshot-table-size.patch [bz#1079518 bz#1086678]\n- kvm-block-cloop-validate-block_size-header-field-CVE-201.patch [bz#1079452 bz#1079453]\n- kvm-block-cloop-prevent-offsets_size-integer-overflow-CV.patch [bz#1079318 bz#1079319]\n- kvm-block-cloop-refuse-images-with-huge-offsets-arrays-C.patch [bz#1079452 bz#1079453]\n- kvm-block-cloop-Fix-coding-style.patch [bz#1079518 bz#1086678]\n- kvm-cloop-Fix-bdrv_open-error-handling.patch [bz#1079518 bz#1086678]\n- kvm-block-cloop-refuse-images-with-bogus-offsets-CVE-201.patch [bz#1079452 bz#1079453]\n- kvm-block-cloop-Use-g_free-instead-of-free.patch [bz#1079518 bz#1086678]\n- kvm-block-cloop-fix-offsets-size-off-by-one.patch [bz#1079518 bz#1086678]\n- kvm-bochs-Fix-bdrv_open-error-handling.patch [bz#1079518 bz#1086678]\n- kvm-bochs-Unify-header-structs-and-make-them-QEMU_PACKED.patch [bz#1079518 bz#1086678]\n- kvm-bochs-Use-unsigned-variables-for-offsets-and-sizes-C.patch [bz#1079337 bz#1079338]\n- kvm-bochs-Check-catalog_size-header-field-CVE-2014-0143.patch [bz#1079318 bz#1079319]\n- kvm-bochs-Check-extent_size-header-field-CVE-2014-0142.patch [bz#1079313 bz#1079314]\n- kvm-bochs-Fix-bitmap-offset-calculation.patch [bz#1079518 bz#1086678]\n- kvm-vpc-vhd-add-bounds-check-for-max_table_entries-and-b.patch [bz#1079452 bz#1079453]\n- kvm-vpc-Validate-block-size-CVE-2014-0142.patch [bz#1079313 bz#1079314]\n- kvm-vdi-add-bounds-checks-for-blocks_in_image-and-disk_s.patch [bz#1079452 bz#1079453]\n- kvm-vhdx-Bounds-checking-for-block_size-and-logical_sect.patch [bz#1079343 bz#1079344]\n- kvm-curl-check-data-size-before-memcpy-to-local-buffer.-.patch [bz#1079452 bz#1079453]\n- kvm-dmg-Fix-bdrv_open-error-handling.patch [bz#1079518 bz#1086678]\n- kvm-dmg-coding-style-and-indentation-cleanup.patch [bz#1079518 bz#1086678]\n- kvm-dmg-prevent-out-of-bounds-array-access-on-terminator.patch [bz#1079518 bz#1086678]\n- 
kvm-dmg-drop-broken-bdrv_pread-loop.patch [bz#1079518 bz#1086678]\n- kvm-dmg-use-appropriate-types-when-reading-chunks.patch [bz#1079518 bz#1086678]\n- kvm-dmg-sanitize-chunk-length-and-sectorcount-CVE-2014-0.patch [bz#1079323 bz#1079324]\n- kvm-dmg-use-uint64_t-consistently-for-sectors-and-length.patch [bz#1079518 bz#1086678]\n- kvm-dmg-prevent-chunk-buffer-overflow-CVE-2014-0145.patch [bz#1079323 bz#1079324]\n- kvm-block-Limit-request-size-CVE-2014-0143.patch [bz#1079318 bz#1079319]\n- kvm-parallels-Fix-catalog-size-integer-overflow-CVE-2014.patch [bz#1079318 bz#1079319]\n- kvm-parallels-Sanity-check-for-s-tracks-CVE-2014-0142.patch [bz#1079313 bz#1079314]\n- kvm-bochs-Fix-memory-leak-in-bochs_open-error-path.patch [bz#1079518 bz#1086678]\n- kvm-bochs-Fix-catalog-size-check.patch [bz#1079518 bz#1086678]\n- Resolves: bz#1078849\n (EMBARGOED CVE-2014-0150 qemu-kvm: qemu: virtio-net: buffer overflow in virtio_net_handle_mac() function [rhel-6.5.z])\n- Resolves: bz#1079313\n (CVE-2014-0142 qemu-kvm: qemu: crash by possible division by zero [rhel-6.5.z])\n- Resolves: bz#1079318\n (CVE-2014-0143 qemu-kvm: Qemu: block: multiple integer overflow flaws [rhel-6.5.z])\n- Resolves: bz#1079323\n (CVE-2014-0145 qemu-kvm: Qemu: prevent possible buffer overflows [rhel-6.5.z])\n- Resolves: bz#1079330\n (CVE-2014-0146 qemu-kvm: Qemu: qcow2: NULL dereference in qcow2_open() error path [rhel-6.5.z])\n- Resolves: bz#1079337\n (CVE-2014-0147 qemu-kvm: Qemu: block: possible crash due signed types or logic error [rhel-6.5.z])\n- Resolves: bz#1079343\n (CVE-2014-0148 qemu-kvm: Qemu: vhdx: bounds checking for block_size and logical_sector_size [rhel-6.5.z])\n- Resolves: bz#1079452\n (CVE-2014-0144 qemu-kvm: Qemu: block: missing input validation [rhel-6.5.z])\n- Resolves: bz#1086678\n (qemu-kvm: include leftover patches from block layer security audit)", "published": "2014-04-22T00:00:00", "cvss": {"score": 4.9, "vector": 
"AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2014-0420.html", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2016-09-04T11:16:47"}, {"id": "ELSA-2015-1002", "type": "oraclelinux", "title": "xen security update", "description": "[3.0.3-146.el5]\n- xen-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch\n- xen-FDC-Fix-buffer-overflow-Herv-Poussineau.patch\n- Resolves: bz#1219333\n (xen: qemu: floppy disk controller flaw [rhel-5.11.z])\n[3.0.3-144.el5]\n- xm: Fix vcpu-pin complain for CPU number out of range (rhbz 955656)\n- libxc: Support set affinity for more than 64 CPUS (rhbz 955656)\n- libxc: Fixes for 'support affinity for more than 64 CPUS' (rhbz 955656)\n- xend: Fix bug of a cpu affinity vcpu-pin under ia32pa (rhbz 955656)\n- libxc: Fix cpu number overflow for vcpu-pin (rhbz 955656)\n[3.0.3-143.el5]\n- libxc: move error checking next to the function which returned the error (rhbz 870413)\n- libxc: builder: limit maximum size of kernel/ramdisk (rhbz 870413)\n- e1000: discard packets that are too long if !SBP and !LPE (rhbz 910844)\n- e1000: discard oversized packets based on SBP|LPE (rhbz 910844)", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1002.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T11:16:41"}, {"id": "ELSA-2015-0998", "type": "oraclelinux", "title": "qemu-kvm security update", "description": "[0.12.1.2-2.448.el6_6.3]\n- kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219267]\n- Resolves: bz#1219267\n (EMBARGOED CVE-2015-3456 qemu-kvm: qemu: floppy disk controller flaw [rhel-6.6.z])", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.7, "vector": 
"AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0998.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T11:16:20"}, {"id": "ELSA-2015-1003", "type": "oraclelinux", "title": "kvm security update", "description": "[kvm-83-272.0.1.el5]\n- Added kvm-add-oracle-workaround-for-libvirt-bug.patch\n- Added kvm-Introduce-oel-machine-type.patch\n[kvm-83.272.el5]\n- kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219266]\n- Resolves: bz#1219266\n (kvm: qemu: floppy disk controller flaw [rhel-5.11.z])", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1003.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T11:16:00"}, {"id": "ELSA-2015-0999", "type": "oraclelinux", "title": "qemu-kvm security update", "description": "[1.5.3-86.el7_1.2]\n- kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219269]\n- Resolves: bz#1219269\n (EMBARGOED CVE-2015-3456 qemu-kvm: qemu: floppy disk controller flaw [rhel-7.1.z])", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0999.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T11:16:11"}, {"id": "ELSA-2016-0450-1", "type": "oraclelinux", "title": "1 ", "description": "kernel\n[2.6.18-409.0.0.0.1]\n- [netfront] fix ring buffer index go back led vif stop [orabug 18272251]\n- [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078]\n- ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772]\n- i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649]\n- [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030]\n- [oprofile] export __get_user_pages_fast() function [orabug 
14277030]\n- [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030]\n- [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030]\n- [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030]\n- [kernel] Initialize the local uninitialized variable stats. [orabug 14051367]\n- [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763]\n- [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075]\n- fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan)\n- [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan)\n- [x86] Fix lvt0 reset when hvm boot up with noapic param\n- [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason)\n [orabug 12342275]\n- [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346]\n- [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566]\n- [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042]\n- [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646]\n- fix filp_close() race (Joe Jin) [orabug 10335998]\n- make xenkbd.abs_pointer=1 by default [orabug 67188919]\n- [xen] check to see if hypervisor supports memory reservation change\n (Chuck Anderson) [orabug 7556514]\n- [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki)\n [orabug 10315433]\n- [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258]\n- [mm] Patch shrink_zone to yield during severe mempressure events, avoiding\n hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839]\n- [mm] Enhance shrink_zone patch allow full swap utilization, and also be\n NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919]\n- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]\n- [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson)\n [orabug 9107465]\n- 
[xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson)\n [orabug 9764220]\n- Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615]\n- fix overcommit memory to use percpu_counter for (KOSAKI Motohiro,\n Guru Anbalagane) [orabug 6124033]\n- [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208]\n- [ib] fix memory corruption (Andy Grover) [orabug 9972346]\n- [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203]", "published": "2016-03-16T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0450-1.html", "cvelist": ["CVE-2013-2596", "CVE-2015-2151"], "lastseen": "2017-08-22T10:02:11"}, {"id": "ELSA-2016-0450", "type": "oraclelinux", "title": "kernel security update", "description": "kernel\n[2.6.18-409]\n- [fs] ext4: limit group search loop for non-extent files (Lukas Czerner) [1301100]\n- [fb] vm: convert fb_mmap to vm_iomap_memory() helper (Jacob Tanenbaum) [1035240] {CVE-2013-2596}\n- [s390] add dummy io_remap_pfn_range() to asm-s390/pgtable.h (Jacob Tanenbaum) [1035240] {CVE-2013-2596}\n- [mm] vm: add vm_iomap_memory() helper function (Jacob Tanenbaum) [1035240] {CVE-2013-2596}\n- [sched] prevent division by zero x->cpu_power (Denys Vlasenko) [1209728]\n- [xen] x86: fully ignore segment override for register-only ops (Mateusz Guzik) [1200373] {CVE-2015-2151}", "published": "2016-03-15T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0450.html", "cvelist": ["CVE-2013-2596", "CVE-2015-2151"], "lastseen": "2016-09-04T11:17:04"}, {"id": "ELSA-2015-1189", "type": "oraclelinux", "title": "kvm security update", "description": "[kvm-83-273.0.1.el5]\n- Added kvm-add-oracle-workaround-for-libvirt-bug.patch\n- Added kvm-Introduce-oel-machine-type.patch\n[kvm-83.273.el5]\n- 
kvm-pcnet-Properly-handle-TX-requests-during-Link-Fail.patch [bz#1225896]\n- kvm-pcnet-fix-Negative-array-index-read.patch [bz#1225896]\n- kvm-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch [bz#1225896]\n- Resolves: bz#1225896\n (EMBARGOED CVE-2015-3209 kvm: qemu: pcnet: multi-tmd buffer overflow in the tx path [rhel-5.11.z)", "published": "2015-06-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1189.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2016-09-04T11:16:08"}], "centos": [{"id": "CESA-2015:0783", "type": "centos", "title": "kernel security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0783\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's Infiniband subsystem did not\nproperly sanitize input parameters while registering memory regions from\nuser space via the (u)verbs API. A local user with access to a\n/dev/infiniband/uverbsX device could use this flaw to crash the system or,\npotentially, escalate their privileges on the system. (CVE-2014-8159,\nImportant)\n\n* An insufficient bound checking flaw was found in the Xen hypervisor's\nimplementation of acceleration support for the \"REP MOVS\" instructions.\nA privileged HVM guest user could potentially use this flaw to crash the\nhost. (CVE-2014-8867, Important)\n\nRed Hat would like to thank Mellanox for reporting CVE-2014-8159, and the\nXen project for reporting CVE-2014-8867.\n\nThis update also fixes the following bugs:\n\n* Under memory pressure, cached data was previously flushed to the backing\nserver using the PID of the thread responsible for flushing the data in the\nServer Message Block (SMB) headers instead of the PID of the thread which\nactually wrote the data. 
As a consequence, when a file was locked by the\nwriting thread prior to writing, the server considered writes by the thread\nflushing the pagecache as being a separate process from writing to a locked\nfile, and thus rejected the writes. In addition, the data to be written was\ndiscarded. This update ensures that the correct PID is sent to the server,\nand data corruption is avoided when data is being written from a client\nunder memory pressure. (BZ#1169304)\n\n* This update adds support for new cryptographic hardware in toleration\nmode for IBM System z. (BZ#1182522)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021056.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0783.html", "published": "2015-04-07T22:09:26", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021056.html", "cvelist": ["CVE-2014-8867", "CVE-2014-8159"], "lastseen": "2017-10-03T18:24:49"}, {"id": "CESA-2014:0420", "type": "centos", "title": "qemu security update", "description": "**CentOS Errata and Security Advisory** CESA-2014:0420\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. 
An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. (CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. 
Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of\nRed Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-April/020262.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0420.html", "published": "2014-04-22T19:33:34", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2014-April/020262.html", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-10-03T18:26:38"}, {"id": "CESA-2015:1002", "type": "centos", "title": "xen security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1002\n\n\nThe xen packages contain administration tools and the xend service for\nmanaging the kernel-xen kernel for virtualization on Red Hat Enterprise\nLinux.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. 
A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll xen users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdated packages, all running fully-virtualized guests must be restarted\nfor this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-May/021135.html\n\n**Affected packages:**\nxen\nxen-devel\nxen-libs\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1002.html", "published": "2015-05-13T15:16:55", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021135.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-10-03T18:24:25"}, {"id": "CESA-2015:1003", "type": "centos", "title": "kmod, kvm security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1003\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
Note: The procedure in\nthe Solution section must be performed before this update will take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-May/021139.html\n\n**Affected packages:**\nkmod-kvm\nkmod-kvm-debug\nkvm\nkvm-qemu-img\nkvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1003.html", "published": "2015-05-13T18:37:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021139.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-10-03T18:25:31"}, {"id": "CESA-2015:0999", "type": "centos", "title": "libcacard, qemu security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0999\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. 
Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-May/021137.html\n\n**Affected packages:**\nlibcacard\nlibcacard-devel\nlibcacard-tools\nqemu-img\nqemu-kvm\nqemu-kvm-common\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0999.html", "published": "2015-05-13T16:57:36", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021137.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-10-03T18:24:43"}, {"id": "CESA-2015:0998", "type": "centos", "title": "qemu security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0998\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. 
Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-May/021136.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0998.html", "published": "2015-05-13T15:37:07", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-May/021136.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-10-03T18:26:00"}, {"id": "CESA-2016:0450", "type": "centos", "title": "kernel security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:0450\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* An integer overflow flaw was found in the way the Linux kernel's Frame\nBuffer device implementation mapped kernel memory to user space via the\nmmap syscall. A local user able to access a frame buffer device file\n(/dev/fb*) could possibly use this flaw to escalate their privileges on the\nsystem. (CVE-2013-2596, Important)\n\n* It was found that the Xen hypervisor x86 CPU emulator implementation did\nnot correctly handle certain instructions with segment overrides,\npotentially resulting in a memory corruption. A malicious guest user could\nuse this flaw to read arbitrary data relating to other guests, cause a\ndenial of service on the host, or potentially escalate their privileges on\nthe host. (CVE-2015-2151, Important)\n\nThis update also fixes the following bugs:\n\n* Previously, the CPU power of a CPU group could be zero. 
As a consequence,\na kernel panic occurred at \"find_busiest_group+570\" with do_divide_error.\nThe provided patch ensures that the division is only performed if the CPU\npower is not zero, and the aforementioned panic no longer occurs.\n(BZ#1209728)\n\n* Prior to this update, a bug occurred when performing an online resize of\nan ext4 file system which had been previously converted from ext3. As a\nconsequence, the kernel crashed. The provided patch fixes online resizing\nfor such file systems by limiting the blockgroup search loop for non-extent\nfiles, and the mentioned kernel crash no longer occurs. (BZ#1301100)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-March/021734.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0450.html", "published": "2016-03-16T14:17:08", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-March/021734.html", "cvelist": ["CVE-2013-2596", "CVE-2015-2151"], "lastseen": "2017-10-03T18:24:24"}, {"id": "CESA-2015:1087", "type": "centos", "title": "qemu security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1087\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. 
A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021168.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1087.html", "published": "2015-06-10T15:32:54", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021168.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-10-03T18:24:43"}, {"id": "CESA-2015:1189", "type": "centos", "title": "kmod, kvm security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1189\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. 
(CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. Note: The procedure in\nthe Solution section must be performed before this update will take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021224.html\n\n**Affected packages:**\nkmod-kvm\nkmod-kvm-debug\nkvm\nkvm-qemu-img\nkvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1189.html", "published": "2015-06-26T12:05:54", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021224.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-10-03T18:25:02"}], "redhat": [{"id": "RHSA-2015:0783", "type": "redhat", "title": "(RHSA-2015:0783) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's Infiniband subsystem did not\nproperly sanitize input parameters while registering memory regions from\nuser space via the (u)verbs API. A local user with access to a\n/dev/infiniband/uverbsX device could use this flaw to crash the system or,\npotentially, escalate their privileges on the system. (CVE-2014-8159,\nImportant)\n\n* An insufficient bound checking flaw was found in the Xen hypervisor's\nimplementation of acceleration support for the \"REP MOVS\" instructions.\nA privileged HVM guest user could potentially use this flaw to crash the\nhost. 
(CVE-2014-8867, Important)\n\nRed Hat would like to thank Mellanox for reporting CVE-2014-8159, and the\nXen project for reporting CVE-2014-8867.\n\nThis update also fixes the following bugs:\n\n* Under memory pressure, cached data was previously flushed to the backing\nserver using the PID of the thread responsible for flushing the data in the\nServer Message Block (SMB) headers instead of the PID of the thread which\nactually wrote the data. As a consequence, when a file was locked by the\nwriting thread prior to writing, the server considered writes by the thread\nflushing the pagecache as being a separate process from writing to a locked\nfile, and thus rejected the writes. In addition, the data to be written was\ndiscarded. This update ensures that the correct PID is sent to the server,\nand data corruption is avoided when data is being written from a client\nunder memory pressure. (BZ#1169304)\n\n* This update adds support for new cryptographic hardware in toleration\nmode for IBM System z. (BZ#1182522)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "published": "2015-04-07T04:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0783", "cvelist": ["CVE-2014-8159", "CVE-2014-8867"], "lastseen": "2017-09-09T07:20:34"}, {"id": "RHSA-2014:0421", "type": "redhat", "title": "(RHSA-2014:0421) Moderate: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. 
The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM in environments\nmanaged by Red Hat Enterprise Virtualization Manager.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. 
(CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of\nRed Hat.\n\nAll users of qemu-kvm-rhev are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. Once all\nvirtual machines have shut down, start them again for this update to take\neffect.\n", "published": "2014-04-22T04:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0421", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-03-03T19:18:41"}, {"id": "RHSA-2014:0435", "type": "redhat", "title": "(RHSA-2014:0435) Moderate: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM in environments\nmanaged by Red Hat Enterprise Linux OpenStack Platform.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. 
An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. (CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. 
Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of\nRed Hat.\n\nAll users of qemu-kvm-rhev are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. Once all\nvirtual machines have shut down, start them again for this update to take\neffect.\n", "published": "2014-04-24T04:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0435", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-03-06T09:19:20"}, {"id": "RHSA-2014:0420", "type": "redhat", "title": "(RHSA-2014:0420) Moderate: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. 
A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. (CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of\nRed Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. 
Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2014-04-22T04:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0420", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-03-06T17:18:29"}, {"id": "RHSA-2014:0434", "type": "redhat", "title": "(RHSA-2014:0434) Moderate: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM in environments\nmanaged by Red Hat Enterprise Linux OpenStack Platform.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. 
An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. (CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of\nRed Hat.\n\nAll users of qemu-kvm-rhev are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. 
Once all\nvirtual machines have shut down, start them again for this update to take\neffect.\n", "published": "2014-04-24T04:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0434", "cvelist": ["CVE-2014-0146", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0150", "CVE-2014-0143", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-03-03T19:18:40"}, {"id": "RHSA-2014:0674", "type": "redhat", "title": "(RHSA-2014:0674) Moderate: rhev-hypervisor6 3.4.0 security, bug fix, and enhancement update", "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor.\n\nMultiple integer overflow, input validation, logic error, and buffer\noverflow flaws were discovered in various QEMU block drivers. An attacker\nable to modify a disk image file loaded by a guest could use these flaws to\ncrash the guest, or corrupt QEMU process memory on the host, potentially\nresulting in arbitrary code execution on the host with the privileges of\nthe QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,\nCVE-2014-0147)\n\nMultiple buffer overflow, input validation, and out-of-bounds write flaws\nwere found in the way the virtio, virtio-net, virtio-scsi, and usb drivers\nof QEMU handled state loading after migration. 
A user able to alter the\nsavevm data (either on the disk or over the wire during migration) could\nuse either of these flaws to corrupt QEMU process memory on the\n(destination) host, which could potentially result in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541,\nCVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461)\n\nAn out-of-bounds memory access flaw was found in the way QEMU's IDE device\ndriver handled the execution of SMART EXECUTE OFFLINE commands.\nA privileged guest user could use this flaw to corrupt QEMU process memory\non the host, which could potentially result in arbitrary code execution on\nthe host with the privileges of the QEMU process. (CVE-2014-2894)\n\nA buffer overflow flaw was found in the way the virtio_net_handle_mac()\nfunction of QEMU processed guest requests to update the table of MAC\naddresses. A privileged guest user could use this flaw to corrupt QEMU\nprocess memory on the host, potentially resulting in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2014-0150)\n\nA divide-by-zero flaw was found in the seek_to_sector() function of the\nparallels block driver in QEMU. An attacker able to modify a disk image\nfile loaded by a guest could use this flaw to crash the guest.\n(CVE-2014-0142)\n\nA NULL pointer dereference flaw was found in the QCOW2 block driver in\nQEMU. An attacker able to modify a disk image file loaded by a guest could\nuse this flaw to crash the guest. (CVE-2014-0146)\n\nIt was found that the block driver for Hyper-V VHDX images did not\ncorrectly calculate BAT (Block Allocation Table) entries due to a missing\nbounds check. An attacker able to modify a disk image file loaded by a\nguest could use this flaw to crash the guest. 
(CVE-2014-0148)\n\nThe CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi\nof Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff\nCody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues\nwere discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was\ndiscovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142,\nCVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of\nRed Hat, the CVE-2014-0148 issue was discovered by Jeff Cody of Red Hat,\nand the CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536,\nCVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and\nCVE-2014-3461 issues were discovered by Michael S. Tsirkin of Red Hat,\nAnthony Liguori, and Michael Roth.\n\nOther changes to the rhev-hypervisor6 component:\n\n* The most recent builds of rhn-virtualization-common and\nrhn-virtualization-host are included in version 3.4.0. (BZ#1095812)\n\nAll users of qemu-kvm-rhev are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements. After installing this update, shut down all running\nvirtual machines. 
Once all virtual machines have shut down, start them\nagain for this update to take effect.\n", "published": "2014-06-09T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:0674", "cvelist": ["CVE-2013-4536", "CVE-2014-0146", "CVE-2013-4542", "CVE-2014-0144", "CVE-2014-2894", "CVE-2013-4535", "CVE-2013-6399", "CVE-2013-4541", "CVE-2014-0145", "CVE-2014-0182", "CVE-2014-0150", "CVE-2013-4148", "CVE-2014-0143", "CVE-2014-3461", "CVE-2014-0147", "CVE-2013-4151", "CVE-2014-0148", "CVE-2014-0142"], "lastseen": "2017-03-10T07:18:32"}, {"id": "RHSA-2015:1031", "type": "redhat", "title": "(RHSA-2015:1031) Important: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. 
Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2015-05-27T04:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1031", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T11:17:36"}, {"id": "RHSA-2015:1003", "type": "redhat", "title": "(RHSA-2015:1003) Important: kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. Note: The procedure in\nthe Solution section must be performed before this update will take effect.\n", "published": "2015-05-13T04:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1003", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-09-09T07:19:41"}, {"id": "RHSA-2015:1000", "type": "redhat", "title": "(RHSA-2015:1000) Important: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. 
The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After installing\nthis update, shut down all running virtual machines. Once all virtual\nmachines have shut down, start them again for this update to take effect.\n", "published": "2015-05-13T04:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1000", "cvelist": ["CVE-2015-3456"], "lastseen": "2018-03-19T19:35:17"}, {"id": "RHSA-2015:1011", "type": "redhat", "title": "(RHSA-2015:1011) Important: rhev-hypervisor security update", "description": "The rhev-hypervisor packages provide a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nAn out-of-bounds memory access flaw was found in the way QEMU's virtual\nFloppy Disk Controller (FDC) handled FIFO buffer access while processing\ncertain FDC commands. 
A privileged guest user could use this flaw to crash\nthe guest or, potentially, execute arbitrary code on the host with the\nprivileges of the host's QEMU process corresponding to the guest.\n(CVE-2015-3456)\n\nRed Hat would like to thank Jason Geffner of CrowdStrike for reporting\nthis issue.\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package.\n", "published": "2015-05-15T04:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1011", "cvelist": ["CVE-2015-3456"], "lastseen": "2018-03-20T02:26:40"}], "seebug": [{"id": "SSV:62220", "type": "seebug", "title": "Qemu virtio-net "virtio_net_handle_mac()"\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e", "description": "CVE ID:CVE-2014-0150\r\n\r\nQEMU\u662f\u4e00\u6b3e\u9762\u5411\u5b8c\u6574PC\u7cfb\u7edf\u7684\u5f00\u6e90\u4eff\u771f\u5668\u3002\r\n\r\nQEMU "virtio_net_handle_mac()"\u51fd\u6570(hw/net/virtio-net.c)\u5b58\u5728\u6574\u6570\u6ea2\u51fa\u9519\u8bef\uff0c\u5141\u8bb8\u672c\u5730\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u4f7f\u7cfb\u7edf\u5d29\u6e83\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\n0\nQemu 1.x\r\nQemu 0.x\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8bf7\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://thread.gmane.org/gmane.comp.emulators.qemu/266713", "published": "2014-04-18T00:00:00", "cvss": {"score": 4.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-62220", "cvelist": ["CVE-2014-0150"], "lastseen": "2017-11-19T17:26:55"}], "kaspersky": [{"id": "KLA10527", "type": "kaspersky", "title": "\r KLA10527Multiple vulnerabilities in different versions of Xen\t\t\t ", "description": "### *CVSS*:\n7.1\n\n### *Detect date*:\n04/01/2015\n\n### 
*Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Xen. Malicious users can exploit these vulnerabilities to cause denial of service or bypass security restrictions.\n\n### *Affected products*:\nXen 4.5 all versions and earlier\n\n### *Solution*:\nUpdate to the latest version \n[Get Xen](<http://xenserver.org/>)\n\n### *Impacts*:\nSB \n\n### *CVE-IDS*:\n[CVE-2015-2751](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2751>) \n[CVE-2015-2752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2752>) \n[CVE-2015-2756](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2756>) \n[CVE-2015-2152](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2152>) \n[CVE-2015-1563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1563>)", "published": "2015-04-01T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10527", "cvelist": ["CVE-2015-2752", "CVE-2015-2751", "CVE-2015-2756", "CVE-2015-1563", "CVE-2015-2152"], "lastseen": "2018-02-19T21:28:58"}], "f5": [{"id": "F5:K16620", "type": "f5", "title": "QEMU vulnerability CVE-2015-3456", "description": "", "published": "2015-05-13T21:14:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K16620", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-12-20T20:16:42"}, {"id": "SOL16620", "type": "f5", "title": "SOL16620 - QEMU vulnerability CVE-2015-3456", "description": "1 vCMP is not available on BIG-IP versions prior to 11.0.0. \n\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable column**, you can eliminate this vulnerability by upgrading to the listed version. 
If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL14088: vCMP host and supported guest version matrix\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n", "published": "2015-05-13T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-03-19T09:01:59"}, {"id": "F5:K63519101", "type": "f5", "title": "Multiple QEMU vulnerabilities", "description": "\nF5 Product Development has assigned IDs 572590, 572592, 572596, 572597, and 572599 (BIG-IP) to this vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H63519101 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP DNS | 12.0.0 | 12.1.0 | Low | vCMP \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP GTM | 11.0.0 - 11.6.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP PSM | 11.0.0 - 11.4.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WOM | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | 
Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2016-02-16T19:39:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K63519101", "cvelist": ["CVE-2014-8106", "CVE-2015-7504", "CVE-2015-7512", "CVE-2015-5279", "CVE-2007-1320", "CVE-2015-3209", "CVE-2015-5165"], "lastseen": "2017-11-16T02:57:58"}, {"id": "SOL63519101", "type": "f5", "title": "SOL63519101 - Multiple QEMU vulnerabilities", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable **column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2016-02-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/63/sol63519101.html", "cvelist": ["CVE-2014-8106", "CVE-2015-7504", "CVE-2015-7512", "CVE-2015-5279", "CVE-2007-1320", "CVE-2015-3209", "CVE-2015-5165"], "lastseen": "2016-11-09T00:09:49"}], "exploitdb": [{"id": "EDB-ID:37053", "type": "exploitdb", "title": "QEMU - Floppy Disk Controller FDC PoC", "description": "VENOM, Xen 4.5.x, QEMU. CVE-2015-3456. 
DoS exploits for multiple platforms", "published": "2015-05-18T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/37053/", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-02-04T04:58:35"}], "thn": [{"id": "THN:7BD85D2AA21CA4E7244B437A1836EBFC", "type": "thn", "title": "Venom Vulnerability Exposes Most Data Centers to Cyber Attacks", "description": "[](<https://4.bp.blogspot.com/-v6lXMdGjJrM/VVS9GudB5vI/AAAAAAAAi7Y/6L81WEvdn0k/s1600/venom-virtualisation-vulnerability.jpg>)\n\nJust after a new security vulnerability surfaced Wednesday, many tech outlets started comparing it with HeartBleed, the serious security glitch uncovered last year that rendered communications with many well-known web services insecure, potentially exposing Millions of plain-text passwords.\n\n \n\n\nBut don\u2019t panic. Though the recent vulnerability has a more frightening name than **[HeartBleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>)**, it is not going to cause as much danger as HeartBleed did.\n\n \n\n\nDubbed **_[VENOM](<http://venom.crowdstrike.com/>)_**, which stands for **_Virtualized Environment Neglected Operations Manipulation_**, it is a virtual machine security flaw uncovered by security firm CrowdStrike that could, in theory, expose most data centers to malware attacks.\n\n \n\n\nYes, the risk from the Venom vulnerability is theoretical, as no real-world exploitation has been seen yet, while, on the other hand, last year\u2019s HeartBleed bug was practically exploited by hackers an unknown number of times, leading to the theft of critical personal information.\n\n \n\n\n### Now let\u2019s know more about Venom:\n\n \n\n\nVenom (**_CVE-2015-3456_**) resides in the virtual floppy drive code used by a number of computer virtualization platforms that if exploited\u2026\n\n \n\n\n...could allow an attacker to escape from a guest 
'virtual machine' (VM) and gain full control of the operating system hosting them, as well as any other guest VMs running on the same host machine.\n\n \n\n\nAccording to CrowdStrike, this roughly decade-old bug was discovered in the open-source virtualization package QEMU, affecting its Virtual Floppy Disk Controller (FDC) that is being used in many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.\n\n \n\n\nJason Geffner, a senior security researcher at CrowdStrike who discovered the flaw, warned that the vulnerability affects all versions of QEMU dating back to 2004, when the virtual floppy controller was first introduced.\n\n \n\n\nHowever, Geffner also added that so far there is no known working exploit for the vulnerability. Even so, Venom is critical and disturbing enough to be considered a high-priority bug.\n\n \n\n\n### **Requirements for successful exploitation of Venom:**\n\nFor successful exploitation, an attacker sitting on the guest virtual machine would need sufficient permissions to get access to the floppy disk controller I/O ports.\n\n \n\n\nOn a Linux guest machine, an attacker would need either root access or elevated privileges. On a Windows guest, however, practically any user would have sufficient permissions to access the FDC.\n\n \n\n\nHowever, Venom and Heartbleed are hardly comparable. 
Where HeartBleed allowed hackers to probe Millions of systems, Venom bug simply would not be exploitable at the same scale.\n\n \n\n\nFlaws like Venom are typically used in a highly targeted attack such as corporate espionage, cyber warfare or other targeted attacks of these kinds.\n\n \n\n\n### Did venom poison Clouds Services?\n\n \n\n\nPotentially more concerning are most of the large cloud providers, including Amazon, Oracle, Citrix, and Rackspace, which rely heavily on QEMU-based virtualization are vulnerable to Venom.\n\n \n\n\nHowever, the good news is that most of them have resolved the issue, assuring that their customers needn't worry.\n\n> \"_There is no risk to AWS customer data or instances_,\" Amazon Web Services said in a [statement](<https://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_CVE_2015_3456/>).\n\nRackspace also said the flaw does affect a portion of its Cloud Servers, but assured its customers that it has \"_applied the appropriate patch to our infrastructure and are working with customers to remediate fully this vulnerability._\"\n\n \n\n\nAzure cloud service by Microsoft, on the other hand, uses its homemade virtualization hypervisor technology, and, therefore, its customers are not affected by Venom bug.\n\n \n\n\nMeanwhile, Google also assured that its Cloud Service Platform does not use the vulnerable software, thus was never vulnerable to Venom.\n\n \n\n\n### **Patch Now! Prevent yourself**\n\n \n\n\nBoth Xen and QEMU have rolled out [patches for Venom](<http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c>). If you're running an earlier version of Xen or QEMU, [upgrade and apply the patch](<https://xenbits.xen.org/xsa/advisory-133.html>).\n\n \n\n\nNote: All versions of [Red Hat Enterprise Linux](<https://access.redhat.com/articles/1444903>), which includes QEMU, are vulnerable to Venom. 
Red Hat recommends that its users update their systems using the commands \"_yum update_\" or \"_yum update qemu-kvm._\"\n\n \n\n\nOnce done, you must \"power off\" all your guest virtual machines for the update to take effect, and then restart them to be on the safer side. But remember, merely restarting the guest operating system without powering it off is not enough, because the guest would still be running under the old QEMU binary.\n", "published": "2015-05-14T05:32:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2015/05/venom-vulnerability.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2018-01-27T09:17:29"}, {"id": "THN:D1A72EAB7DE85773871BD0D4D9026D61", "type": "thn", "title": "Venom Vulnerability Exposes Most Data Centers to Cyber Attacks", "description": "[](<http://4.bp.blogspot.com/-v6lXMdGjJrM/VVS9GudB5vI/AAAAAAAAi7Y/6L81WEvdn0k/s1600/venom-virtualisation-vulnerability.jpg>)\n\nJust after a new security vulnerability surfaced Wednesday, many tech outlets started comparing it with HeartBleed, the serious security glitch uncovered last year that rendered communications with many well-known web services insecure, potentially exposing Millions of plain-text passwords.\n\n \n\n\nBut don\u2019t panic. 
Though the recent vulnerability has a more terrific name than **[HeartBleed](<http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>)**, it is not going to cause as much danger as HeartBleed did.\n\n \n\n\nDubbed **_[VENOM](<http://venom.crowdstrike.com/>)_**, stands for **_Virtualized Environment Neglected Operations Manipulation_**, is a virtual machine security flaw uncovered by security firm CrowdStrike that could expose most of the data centers to malware attacks, but in theory.\n\n \n\n\nYes, the risk of Venom vulnerability is theoretical as there is no real-time exploitation seen yet, while, on the other hand, last year\u2019s HeartBleed bug was practically exploited by hackers unknown number of times, leading to the theft of critical personal information.\n\n \n\n\n### Now let\u2019s know more about Venom:\n\n \n\n\nVenom (**_CVE-2015-3456_**) resides in the virtual floppy drive code used by a several number of computer virtualization platforms that if exploited\u2026\n\n \n\n\n...could allow an attacker to escape from a guest 'virtual machine' (VM) and gain full control of the operating system hosting them, as well as any other guest VMs running on the same host machine.\n\n \n\n\nAccording to CrowdStrike, this roughly decade-old bug was discovered in the open-source virtualization package QEMU, affecting its Virtual Floppy Disk Controller (FDC) that is being used in many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.\n\n \n\n\nJason Geffner, a senior security researcher at CrowdStrike who discovered the flaw, warned that the vulnerability affects all the versions of QEMU dated back to 2004, when the virtual floppy controller was introduced at the very first.\n\n \n\n\nHowever, Geffner also added that so far, there is no known exploit that could successfully exploit the vulnerability. 
Venom is critical and disturbing enough to be considered a high-priority bug.\n\n \n\n\n### **Successful exploitation of Venom required:**\n\nFor successful exploitation, an attacker sitting on the guest virtual machine would need sufficient permissions to get access to the floppy disk controller I/O ports.\n\n \n\n\nWhen considering on Linux guest machine, an attacker would need to have either root access or elevated privilege. However on Windows guest, practically anyone would have sufficient permissions to access the FDC.\n\n \n\n\nHowever, comparing Venom with Heartbleed is something of no comparison. Where HeartBleed allowed hackers to probe Millions of systems, Venom bug simply would not be exploitable at the same scale.\n\n \n\n\nFlaws like Venom are typically used in a highly targeted attack such as corporate espionage, cyber warfare or other targeted attacks of these kinds.\n\n \n\n\n### Did venom poison Clouds Services?\n\n \n\n\nPotentially more concerning are most of the large cloud providers, including Amazon, Oracle, Citrix, and Rackspace, which rely heavily on QEMU-based virtualization are vulnerable to Venom.\n\n \n\n\nHowever, the good news is that most of them have resolved the issue, assuring that their customers needn't worry.\n\n> \"_There is no risk to AWS customer data or instances_,\" Amazon Web Services said in a [statement](<https://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_CVE_2015_3456/>).\n\nRackspace also said the flaw does affect a portion of its Cloud Servers, but assured its customers that it has \"_applied the appropriate patch to our infrastructure and are working with customers to remediate fully this vulnerability._\"\n\n \n\n\nAzure cloud service by Microsoft, on the other hand, uses its homemade virtualization hypervisor technology, and, therefore, its customers are not affected by Venom bug.\n\n \n\n\nMeanwhile, Google also assured that its Cloud Service Platform does not use the vulnerable software, 
thus was never vulnerable to Venom.\n\n \n\n\n### **Patch Now! Prevent yourself**\n\n \n\n\nBoth Xen and QEMU have rolled out [patches for Venom](<http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c>). If you're running an earlier version of Xen or QEMU, [upgrade and apply the patch](<http://xenbits.xen.org/xsa/advisory-133.html>).\n\n \n\n\nNote: All versions of [Red Hat Enterprise Linux](<https://access.redhat.com/articles/1444903>), which includes QEMU, are vulnerable to Venom. Red Hat recommend its users to update their system using the commands, \"_yum update_\" or \"_yum update qemu-kvm._\"\n\n \n\n\nOnce done, you must \"power off\" all your guests Virtual Machines for the update to take place, and then restart it to be on the safer side. But remember, only restarting without power off the guest operating system is not enough for the administrators because it would still use the old QEMU binary.\n", "published": "2015-05-14T05:32:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://thehackernews.com/2015/05/venom-vulnerability.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2017-01-08T18:00:46"}], "archlinux": [{"id": "ASA-201505-9", "type": "archlinux", "title": "qemu: arbitrary code execution", "description": "The guest operating system communicates with the FDC by sending commands\nsuch as seek, read, write, format, etc. to the FDC’s input/output port.\nQEMU’s virtual FDC uses a fixed-size buffer for storing these commands\nand their associated data parameters. 
The FDC keeps track of how much\ndata to expect for each command and, after all expected data for a given\ncommand is received from the guest system, the FDC executes the command\nand clears the buffer for the next command.\n\nThis buffer reset is performed immediately at the completion of\nprocessing for all FDC commands, except for two of the defined commands.\nAn attacker can send these commands and specially crafted parameter data\nfrom the guest system to the FDC to overflow the data buffer and execute\narbitrary code in the context of the host’s hypervisor process.", "published": "2015-05-14T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-May/000328.html", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-02T18:44:41"}], "myhack58": [{"id": "MYHACK58:62201562439", "type": "myhack58", "title": "Vulnerability warning:\u201cvenom\uff08VENOM\u201dthe vulnerability affects millions worldwide virtual machine security-vulnerability warning-the black bar safety net", "description": "! [](/Article/UploadPic/2015-5/201551503620824.jpg) \nCrowdStrike, the company security researchers said that a named\u201cvenom\uff08VENOM\u201dQEMU could allow millions of virtual machines in a cyber-attack risk, the vulnerability can cause the virtual machine to escape, the threat to the world's largest cloud service provider's data security. QEMU is an instruction-level simulator of free software, is widely used in various GNU/Linux distributions. \nThe vulnerability principle \nThis is called the venom\uff08VENOM, numbered CVE-2 0 1 5-3 4 5 6 security vulnerability threatens entire security industry, can cause the virtual machine to escape. QEMU is an instruction-level simulator of free software, is widely used in various GNU/Linux distributions, including Debian, Gentoo, SUSE, RedHat, CentOS, etc. 
\nVENOM vulnerability by CrowdStrike senior security researcher Jason Geffner found, he explained that an attacker can use the vulnerability to hazards of the data center network of any one machine, and millions of virtual machines are vulnerable to exploitation of this vulnerability. Geffner in a blog post said: \n\u201cVENOM\uff08CVE-2 0 1 5-3 4 5 6 a present in the virtual floppy drives the FDC code for the security vulnerability, the code exists in many computer virtualization platform. The vulnerability may allow an attacker from the infected virtual machine to get a guest limit, and it is possible to get the host code execution permissions. In addition, an attacker also can use it to access the host system and running on the host all virtual machines, and be able to enhance the important access, so that the attacker can access the host in the local network and the neighbor system.\u201d \nClient[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)by the wanted to FDC input and output port to send to search, read, write, format and other instructions with the FDC to communicate. QEMU virtual FDC using a fixed-size buffer to store the instruction and its associated data parameters. FDC track and is expected of each instruction how much data, in the instruction of all the expected data reception is completed, the FDC will execute the next instruction and clear the buffer for the next instruction. \nAfter processing all of the FDC instruction in addition to the two defined command, it will immediately reset the buffer. The attacker can be from the client system sends these instructions and elaborate the parameters of the data to the FDC, so that overflow of the data buffer, and the host of the monitoring program the process environment in the execution of arbitrary code. \n! [](/Article/UploadPic/2015-5/2 0 1 5 5 1 5 0 3 6 2 3 1 3 7. 
png) \nVulnerability \nVENOM is a\u201cvirtual environment is the neglect of the business operations\u201dof the abbreviation, which is capable of affecting QEMU floppy disk controller driver vulnerabilities, QEMU is used to manage the virtual machine open-source PC simulator. The attacker can be from the client system to send commands and crafting of the parameter data to the floppy disk controller, in order to cause the data to a buffer overflow, and in the host management program the process environment in the execution of arbitrary code. \nVENOM is very dangerous, because if to be able to exploit the vulnerability, it will affect the world within the scope of a large number of virtualization platform, and its running condition is very simple, need only in the default configuration of the virtual machine can be, the most important is, it can execute arbitrary code. The expert explained that the VENOM will be able to impact thousands of institutions and millions of end users. The attacker can make the monitoring program to crash, and be able to get the target machine and on which all the virtual machines running control. \nGeffner explains: \n\u201cThe use of VENOM vulnerabilities can expose corporate intellectual property access, in addition to sensitive data and personal identity information, may also affect thousands of relevant agencies and millions of end-users, these organizations and users rely on the affected virtual machine to allocate shared computing resources, connectivity, storage, security and privacy services.\u201d \nThe vulnerability exists in the QEMU virtual floppy Controller FDC, and FDC codes used in many virtualization platforms and devices, especially Xen, KVM as well as the local QEMU client. However, VMware, Microsoft hyper-V and Bochs management program is not affected by the vulnerability. \n! [](/Article/UploadPic/2015-5/201551503623457.jpg) \nVulnerability POC \n#include /io. 
h> \n#define FIFO 0x3f5 \nint main() { \nint i; \niopl(3); \noutb(0x0a,0x3f5); /* READ ID */ \nfor (i=0;i \nSafety recommendations \nIf you manage a run Xen, KVM or a local QEMU client system, we recommend that you review and apply the latest vulnerability patches. \nIf you're using a provider's service or equipment affected by this vulnerability, it is recommended that you as soon as possible contact the supplier of the support group and consult the product whether it has fixed this vulnerability or whether the release of vulnerability patches. \nReference: published patch the provider \nQEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c \nXen Project: http://xenbits.xen.org/xsa/advisory-133.html \nRed Hat: https://access.redhat.com/articles/1444903 \nCitrix: http://support.citrix.com/Article/CTX201078 \nFireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf \nLinode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/ \nRackspace: https://community.rackspace.com/general/f/53/t/5187 \nUbuntu: http://www.ubuntu.com/usn/usn-2608-1/ \nDebian: https://security-tracker.debian.org/tracker/CVE-2015-3456 \nSuse: https://www.suse.com/support/kb/doc.php?id=7016497 \nDigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/ \nf5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html \n\n", "published": "2015-05-15T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.myhack58.com/Article/html/3/62/2015/62439.htm", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-10-28T18:37:31"}], "threatpost": [{"id": "VENOM-FLAW-IN-VIRTUALIZATION-SOFTWARE-COULD-LEAD-TO-VM-ESCAPES-DATA-THEFT/112772", "type": "threatpost", "title": "Flaw in Virtualization Software Could Lead to VM Escapes, Data Theft", "description": "Researchers have 
uncovered a vulnerability in an obscure component of many virtualization platforms that they say can allow an attacker to escape from a guest virtual machine and gain code execution on the host, as well as any other VMs operating on that machine. Experts say the bug affects a wide variety of virtualization software running on all major operating systems.\n\nThe simple route to exploiting this vulnerability is for an attacker to buy space on a cloud hosting provider. From there, he can use the vulnerability to escape the VM he\u2019s running and move laterally among the other VMs on that host. The attacker may then be able to access the local network running the host and get to sensitive data stored there. The bug was discovered by Jason Geffner, a senior security researcher at CrowdStrike.\n\n### Related Posts\n\n#### [Android Patch Fixes Nexus 5X Critical Vulnerability](<https://threatpost.com/android-patch-fixes-nexus-5x-critical-vulnerability/120346/> \"Permalink to Android Patch Fixes Nexus 5X Critical Vulnerability\" )\n\nSeptember 2, 2016 , 12:49 pm\n\n#### [Apple Patches Trident Vulnerabilities in OS X, Safari](<https://threatpost.com/apple-patches-trident-vulnerabilities-in-os-x-safari/120336/> \"Permalink to Apple Patches Trident Vulnerabilities in OS X, Safari\" )\n\nSeptember 2, 2016 , 10:00 am\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\nThe vulnerability itself lies in the virtual floppy disk controller component of QEMU, an open-source virtualization package. The component is included in a number of virtualization platforms, including Xen and KVM, and the largest target base for attackers would be hosting providers who run these platforms, experts say. 
With so many enterprises moving their resources to cloud providers, the danger from the decade-old vulnerability is high.\n\n\u201cThere is a cost to this move, which is that attackers who once needed to find an exploit may get some degree of local privilege using money. There\u2019s a lot riding on the code that isolates VM\u2019s, but like all code there\u2019s a risk of bugs. Many cloud providers offer enhanced isolation of hardware, such that at minimum you\u2019re only exposed to other VM\u2019s from your own organization. When feasible it\u2019s worth outbidding attackers to acquire this isolation,\u201d said researcher Dan Kaminsky, co-founder of White Ops. \n\nAlthough floppy drives are hopelessly obsolete, the FDC code that\u2019s at the heart of this vulnerability is present in many places.\n\n\u201cFor many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers,\u201d the FAQ on the vulnerability says.\n\nThe bug is being called [VENOM](<http://venom.crowdstrike.com>), for virtualized environment neglected operations manipulation, and CrowdStrike\u2019s Geffner discovered it during an audit of virtual machine hypervisors. The bug has existed since 2004, when the virtual FDC code was added to QEMU. Both Xen and QEMU have produced patches for the vulnerability and most of the large cloud providers have addressed the bug. But Kaminsky, who worked with CrowdStrike to produce a fix for the VENOM flaw, said the threat from attackers is still real.\n\n\u201cWe are increasingly using sandboxes on the network to analyze traffic. 
Nothing is without cost; these sorts of VM escapes (this one being particularly special, it being so inherited across the ecosystem) do create the threat of attackers with global visibility across your network. If nothing else, sandboxing architecture can\u2019t be patched like normal network equipment. If you\u2019ve got it, fire drill it, because even unlike a domain controller attackers can make it run stuff by design,\u201d Kaminsky said.\n\nThe Xen Project has released an [advisory](<http://xenbits.xen.org/xsa/advisory-133.html>) on the vulnerability.\n\n\u201cAll Xen systems running x86 HVM guests without stubdomains are vulnerable to this depending on the specific guest configuration. The default configuration is vulnerable. Guests using either the traditional \u2018qemu-xen\u2019 or upstream qemu device models are vulnerable. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain,\u201d the advisory says.\n\nAmazon, one of the larger cloud services providers, said that its systems are not vulnerable to the VENOM bug.\n\n\u201cWe are aware of the QEMU security issue assigned CVE-2015-3456, also known as \u2018VENOM,\u2019 which impacts various virtualized platforms. 
There is no risk to AWS customer data or instances,\u201d Amazon [said](<https://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_CVE_2015_3456/>).\n\nThough the vulnerable code has been in QEMU for 11 years, it wasn\u2019t known until now, and [knowing is half the battle](<https://www.youtube.com/watch?v=pele5vptVgc>).", "published": "2015-05-13T09:34:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft/112772/", "cvelist": ["CVE-2015-3456"], "lastseen": "2016-09-04T20:53:40"}], "lenovo": [{"id": "LENOVO:PS500033-NOSID", "type": "lenovo", "title": "Venom", "description": "**Lenovo Security Advisory:** LEN-2015-046 \n**Potential Impact:** Escalation of Privileges \n****Severity****: High \n \n**Summary:** \nA buffer overflow vulnerability affecting the Floppy Disk Controller (FDC) emulation implemented in the QEMU component has been identified in the KVM/QEMU and Xen hypervisors. This vulnerability has been assigned CVE-2015-3456 and is being referred to as VENOM. \n \n**Description:** \nQEMU is a generic and open source machine emulator and virtualizer and is used as a foundation and hardware emulation layer for running virtual machines under the Xen and KVM/QEMU hypervisors. \n \nA privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled. 
\n \nAt the time of this advisory (July 2015) no public exploit for this vulnerability was known; customers should nevertheless update to the fixed versions listed below without delay, because the flaw is reachable by a privileged user in any x86/x86_64 guest regardless of whether a floppy device is configured.\n\n**Mitigation Strategy for Customers (what you should do to protect yourself):** \nUpdate your product to the latest levels using the steps below:\n\n \n**Product Impact:** \nPlease apply the latest versions of the following software updates:\n\n**Product Affected** | **Fix Version** | **Update Instructions** | **Software fix location: ** \n---|---|---|--- \nLenovoEMC px12-400r IVX application | Version 1.0.10.33264 and later | See <http://download.lenovo.com/nasupdate/help/lifeline/4.1a/px12-400r/en_US/Content/software_update.html> for instructions on updating to the latest software version | \n\n[http://lifelineapps.com/?user_lang=en&device=px12450r&version=&category=&sort=1&redirect_url=](<http://lifelineapps.com/?user_lang=en&device=px12450r&version=&category=&sort=1&redirect_url=>) \n \nLenovoEMC px12-450r IVX application | Version 1.0.10.33264 and later | See <http://download.lenovo.com/nasupdate/help/lifeline/4.1a/px12-450r/en_US/Content/software_update.html> for instructions on updating to the latest software version | [http://lifelineapps.com/?user_lang=en&device=px12450r&version=&category=&sort=1&redirect_url=](<http://lifelineapps.com/?user_lang=en&device=px12450r&version=&category=&sort=1&redirect_url=>) \n \n \n**Other information and references:**\n\n * <https://access.redhat.com/articles/1444903>\n \n**Revision History:**\n\n****Revision****\n\n| \n\n****Date****\n\n| \n\n****Description**** \n \n---|---|--- \n** 1.0** | ** 20 Jul 2015** | ** Initial release**\n", "published": "2017-01-23T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.lenovo.com/us/en/product_security/venom", "cvelist": ["CVE-2015-3456"], "lastseen": "2018-02-21T17:02:21"}], "oracle": [{"id": "ORACLE:CPUJUL2015-2367936", 
"type": "oracle", "title": "Oracle Critical Patch Update - July 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on May 15, 2015, Oracle released [Security Alert for CVE-2015-3456 (QEMU \"Venom\")](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-07-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-1926", "CVE-2015-1802", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2014-8098", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-1804", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2014-8092", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-3572", "CVE-2014-3613", "CVE-2015-0206", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-3244", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2014-8100", "CVE-2015-4789", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-0288", "CVE-2015-4790", "CVE-2013-6422", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2010-4020", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-0285", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2011-3389", "CVE-2015-2654", "CVE-2015-0207", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2014-8275", "CVE-2015-3456", "CVE-2015-0467", "CVE-2015-2584", "CVE-2015-0208", "CVE-2015-2808", "CVE-2013-0249", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", "CVE-2015-4761", 
"CVE-2015-4745", "CVE-2015-4750", "CVE-2014-0139", "CVE-2015-2635", "CVE-2015-4756", "CVE-2015-2647", "CVE-2014-3707", "CVE-2015-0293", "CVE-2015-2600", "CVE-2015-2580", "CVE-2014-8097", "CVE-2014-8101", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2014-8091", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-0468", "CVE-2015-4779", "CVE-2015-0209", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2014-0015", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-0204", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2014-8095", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-0291", "CVE-2015-4746", "CVE-2015-2629", "CVE-2014-8096", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-0287", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2013-2174", "CVE-2015-2663", "CVE-2015-4742", "CVE-2014-8093", "CVE-2015-0289", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-0292", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2014-0138", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-0290", "CVE-2015-2616", "CVE-2015-0205", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2010-1323", "CVE-2015-1787", "CVE-2015-4754", "CVE-2014-3569", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2013-4545", "CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "lastseen": "2018-04-18T20:24:06"}]}}