CVE-2017-8903XEN vulnerability

7 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 46.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
XENDebian XEN
Timeline
PublishedMay 11
Latest updateMay 13

Description

Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-213.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages3 packages

debiandebian/xen< xen 4.8.1-1+deb9u1 (bookworm)
Debianxen/xen< 4.8.1-1+deb9u1+3
NVDxen/xen4.8.0, 4.8.1+1

Patches

Patch: xenbits.xen.orgPatch: xenbits.xen.org

🔴Vulnerability Details

2
GHSA
GHSA-qx4f-g697-2347: Xen through 42022-05-13
OSV
CVE-2017-8903: Xen through 42017-05-11

📋Vendor Advisories

2
Red Hat
xen: x86: 64bit PV guest breakout via pagetable use-after-mode-change (XSA-213)2017-05-02
Debian
CVE-2017-8903: xen - Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hyper...2017

💬Community

2
Bugzilla
CVE-2017-8903 CVE-2017-8904 CVE-2017-8905 xen: various flaws [fedora-all]2017-05-02
Bugzilla
CVE-2017-8903 xsa213 xen: x86: 64bit PV guest breakout via pagetable use-after-mode-change (XSA-213)2017-04-18