Debian Xen vulnerabilities

CVE-2021-28703 [HIGH] CVE-2021-28703: xen - grant table v2 status pages may remain accessible after de-allocation (take two)... grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requir

CVE-2021-28705 [HIGH] CVE-2021-28705: xen - issues with partially successful P2M updates on x86 T[his CNA information record... issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspect

CVE-2021-28709 [HIGH] CVE-2021-28709: xen - issues with partially successful P2M updates on x86 T[his CNA information record... issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspect

CVE-2021-28697 [HIGH] CVE-2021-28697: xen - grant table v2 status pages may remain accessible after de-allocation Guest get ... grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the

CVE-2021-28706 [HIGH] CVE-2021-28706: xen - guests may exceed their designated memory limit When a guest is permitted to hav... guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which g

CVE-2021-28692 [HIGH] CVE-2021-28692: xen - inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands iss... inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some

CVE-2021-28701 [HIGH] CVE-2021-28701: xen - Another race in XENMAPSPACE_grant_table handling Guests are permitted access to ... Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no

CVE-2021-27379 [HIGH] CVE-2021-27379: xen - An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS u... An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565.

CVE-2021-28690 [MEDIUM] CVE-2021-28690: xen - x86: TSX Async Abort protections not restored after S3 This issue relates to the... x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspe

CVE-2021-26933 [MEDIUM] CVE-2021-26933: xen - An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to... An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if

CVE-2021-26313 [MEDIUM] CVE-2021-26313: xen - Potential speculative code store bypass in all supported CPU products, in conjun... Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage. Scope: local bookworm: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1) bullseye: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1) f

CVE-2021-28693 [MEDIUM] CVE-2021-28693: xen - xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.... xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed

CVE-2021-0089 [MEDIUM] CVE-2021-0089: xen - Observable response discrepancy in some Intel(R) Processors may allow an authori... Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. Scope: local bookworm: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1) bullseye: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1) forky: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1) sid: resolved (fixed in 4.14.2+25-gb6a8c4f72d-1)

CVE-2021-28694 [MEDIUM] CVE-2021-28694: xen - IOMMU page mapping issues on x86 T[his CNA information record relates to multipl... IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typicall

CVE-2021-28698 [MEDIUM] CVE-2021-28698: xen - long running loops in grant table handling In order to properly monitor resource... long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but nev

CVE-2021-28696 [MEDIUM] CVE-2021-28696: xen - IOMMU page mapping issues on x86 T[his CNA information record relates to multipl... IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typicall

CVE-2021-3308 [MEDIUM] CVE-2021-3308: xen - An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. ... An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence wi

CVE-2021-28699 [MEDIUM] CVE-2021-28699: xen - inadequate grant-v2 status frames array bounds check The v2 grant table interfac... inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has

CVE-2021-28687 [MEDIUM] CVE-2021-28687: xen - HVM soft-reset crashes toolstack libxl requires all data structures passed acros... HVM soft-reset crashes toolstack libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the "soft reset" feature was implemented, the libxl__domain_susp

CVE-2021-28695 [MEDIUM] CVE-2021-28695: xen - IOMMU page mapping issues on x86 T[his CNA information record relates to multipl... IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typicall