CVE-2015-8555 — Sensitive Information Exposure in Citrix Xenserver

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

8.6HIGHNVD

EPSS

0.6%

top 31.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

XEN Citrix Xenserver

Timeline

PublishedApr 13

Latest updateMay 17

Description

Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

▶Debianxen/xen< 4.8.0~rc3-1+3

▶NVDxen/xen16 versions+15

▶NVDcitrix/xenserver6.0

Patches

Patch: xenbits.xen.org ↗Patch: xenbits.xen.org ↗

🔴Vulnerability Details

GHSA

GHSA-ffhp-28g8-p5m9: Xen 4↗2022-05-17

▶

CVEList

CVE-2015-8555: Xen 4↗2016-04-13

▶

OSV

CVE-2015-8555: Xen 4↗2016-04-13

▶

📋Vendor Advisories

Red Hat

xen: information leak in legacy x86 FPU/XMM initialization (XSA-165)↗2015-12-17

▶

Debian

CVE-2015-8555: xen - Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and ...↗2015

▶

💬Community

Bugzilla

CVE-2015-8554 CVE-2015-8555 CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-2150 CVE-2015-8553 xen: various flaws [fedora-all]↗2015-12-17

▶

Bugzilla

CVE-2015-8555 xsa165 xen: information leak in legacy x86 FPU/XMM initialization (XSA-165)↗2015-12-07

▶