rpm package
opensuse/xen&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/xen&distro=openSUSE%20Tumbleweed
Vulnerabilities (279)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-42336 | — | < 4.17.1_04-1.1 | 4.17.1_04-1.1 | May 17, 2023 | Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of ho | ||
| CVE-2022-42335 | — | < 4.17.1_02-1.1 | 4.17.1_02-1.1 | Apr 25, 2023 | x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for | ||
| CVE-2022-42333 | — | < 4.17.0_06-1.1 | 4.17.0_06-1.1 | Mar 21, 2023 | x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly | ||
| CVE-2022-42332 | — | < 4.17.0_06-1.1 | 4.17.0_06-1.1 | Mar 21, 2023 | x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tab | ||
| CVE-2022-42331 | — | < 4.17.0_06-1.1 | 4.17.0_06-1.1 | Mar 21, 2023 | x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be att | ||
| CVE-2022-27672 | Med | 4.7 | < 4.17.0_04-3.1 | 4.17.0_04-3.1 | Mar 1, 2023 | When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. | |
| CVE-2022-42330 | — | < 4.17.0_04-1.1 | 4.17.0_04-1.1 | Jan 26, 2023 | Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of | ||
| CVE-2022-33748 | — | < 4.17.0_02-1.1 | 4.17.0_02-1.1 | Oct 11, 2022 | lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can c | ||
| CVE-2022-33746 | — | < 4.17.0_02-1.1 | 4.17.0_02-1.1 | Oct 11, 2022 | P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so | ||
| CVE-2022-33745 | — | < 4.16.1_02-3.1 | 4.16.1_02-3.1 | Jul 26, 2022 | insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable cha | ||
| CVE-2022-21123 | — | < 4.16.1_02-3.1 | 4.16.1_02-3.1 | Jun 15, 2022 | Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | ||
| CVE-2022-26362 | — | < 4.16.1_02-3.1 | 4.16.1_02-3.1 | Jun 9, 2022 | x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates | ||
| CVE-2022-26363 | — | < 4.16.1_02-3.1 | 4.16.1_02-3.1 | Jun 9, 2022 | x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This sch | ||
| CVE-2022-26360 | — | < 4.16.0_08-1.1 | 4.16.0_08-1.1 | Apr 5, 2022 | IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Rese | ||
| CVE-2022-26358 | — | < 4.16.0_08-1.1 | 4.16.0_08-1.1 | Apr 5, 2022 | IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Rese | ||
| CVE-2022-26357 | — | < 4.16.0_08-1.1 | 4.16.0_08-1.1 | Apr 5, 2022 | race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The clea | ||
| CVE-2022-26356 | — | < 4.16.0_08-1.1 | 4.16.0_08-1.1 | Apr 5, 2022 | Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_ | ||
| CVE-2022-0001 | — | < 4.16.0_06-3.1 | 4.16.0_06-3.1 | Mar 11, 2022 | Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | ||
| CVE-2022-23035 | — | < 4.16.0_04-3.1 | 4.16.0_04-3.1 | Jan 25, 2022 | Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent | ||
| CVE-2022-23034 | — | < 4.16.0_04-3.1 | 4.16.0_04-3.1 | Jan 25, 2022 | A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unma |
- CVE-2022-42336May 17, 2023affected < 4.17.1_04-1.1fixed 4.17.1_04-1.1
Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of ho
- CVE-2022-42335Apr 25, 2023affected < 4.17.1_02-1.1fixed 4.17.1_02-1.1
x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for
- CVE-2022-42333Mar 21, 2023affected < 4.17.0_06-1.1fixed 4.17.0_06-1.1
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly
- CVE-2022-42332Mar 21, 2023affected < 4.17.0_06-1.1fixed 4.17.0_06-1.1
x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tab
- CVE-2022-42331Mar 21, 2023affected < 4.17.0_06-1.1fixed 4.17.0_06-1.1
x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be att
- affected < 4.17.0_04-3.1fixed 4.17.0_04-3.1
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
- CVE-2022-42330Jan 26, 2023affected < 4.17.0_04-1.1fixed 4.17.0_04-1.1
Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of
- CVE-2022-33748Oct 11, 2022affected < 4.17.0_02-1.1fixed 4.17.0_02-1.1
lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can c
- CVE-2022-33746Oct 11, 2022affected < 4.17.0_02-1.1fixed 4.17.0_02-1.1
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so
- CVE-2022-33745Jul 26, 2022affected < 4.16.1_02-3.1fixed 4.16.1_02-3.1
insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable cha
- CVE-2022-21123Jun 15, 2022affected < 4.16.1_02-3.1fixed 4.16.1_02-3.1
Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2022-26362Jun 9, 2022affected < 4.16.1_02-3.1fixed 4.16.1_02-3.1
x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates
- CVE-2022-26363Jun 9, 2022affected < 4.16.1_02-3.1fixed 4.16.1_02-3.1
x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This sch
- CVE-2022-26360Apr 5, 2022affected < 4.16.0_08-1.1fixed 4.16.0_08-1.1
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Rese
- CVE-2022-26358Apr 5, 2022affected < 4.16.0_08-1.1fixed 4.16.0_08-1.1
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Rese
- CVE-2022-26357Apr 5, 2022affected < 4.16.0_08-1.1fixed 4.16.0_08-1.1
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The clea
- CVE-2022-26356Apr 5, 2022affected < 4.16.0_08-1.1fixed 4.16.0_08-1.1
Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_
- CVE-2022-0001Mar 11, 2022affected < 4.16.0_06-3.1fixed 4.16.0_06-3.1
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
- CVE-2022-23035Jan 25, 2022affected < 4.16.0_04-3.1fixed 4.16.0_04-3.1
Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent
- CVE-2022-23034Jan 25, 2022affected < 4.16.0_04-3.1fixed 4.16.0_04-3.1
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unma
Page 3 of 14