===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2534
                          Security update for xen
                              28 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12893 CVE-2018-12891 CVE-2018-12617
                   CVE-2018-11806 CVE-2018-10982 CVE-2018-10981
                   CVE-2018-3665 CVE-2018-3646 CVE-2018-3639
                   CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0204
                   ASB-2018.0192
                   ASB-2018.0116
                   ASB-2018.0033
                   ESB-2018.2429
                   ASB-2018.0002.4

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20182528-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2528-1
Rating:             important
References:         #1027519 #1074562 #1079730 #1090822 #1090823
                    #1091107 #1092631 #1095242 #1096224 #1097206
                    #1097521 #1097522 #1098744
Cross-References:   CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
                    CVE-2018-10981 CVE-2018-10982 CVE-2018-11806
                    CVE-2018-12617 CVE-2018-12891 CVE-2018-12893
                    CVE-2018-3639 CVE-2018-3646 CVE-2018-3665
Affected Products:
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has one errata
   is now available.

Description:

   This update for xen fixes the following issues:

   These security issues were fixed:

   - CVE-2018-3646: Systems with microprocessors utilizing speculative
     execution and address translations may have allowed unauthorized
     disclosure of information residing in the L1 data cache to an
     attacker with local user access with guest OS privilege via a
     terminal page fault and a side-channel analysis (bsc#1091107,
     bsc#1027519).
   - CVE-2018-12617: An integer overflow that could cause a segmentation
     fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent
     was fixed (bsc#1098744)
   - CVE-2018-3665: System software utilizing Lazy FP state restore
     technique on systems using Intel Core-based microprocessors may
     potentially allow a local process to infer data from another process
     through a speculative execution side channel. (bsc#1095242)
   - CVE-2018-3639: Systems with microprocessors utilizing speculative
     execution and speculative execution of memory reads before the
     addresses of all prior memory writes are known may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
     (bsc#1092631)
   - CVE-2017-5715: Systems with microprocessors utilizing speculative
     execution and indirect branch prediction may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis. (bsc#1074562)
   - CVE-2017-5753: Systems with microprocessors utilizing speculative
     execution and branch prediction may allow unauthorized disclosure of
     information to an attacker with local user access via a side-channel
     analysis. (bsc#1074562)
   - CVE-2017-5754: Systems with microprocessors utilizing speculative
     execution and indirect branch prediction may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis of the data cache.
     (bsc#1074562)
   - CVE-2018-12891: Certain PV MMU operations may take a long time to
     process. For that reason Xen explicitly checks for the need to
     preempt the current vCPU at certain points. A few rarely taken code
     paths did bypass such checks. By suitably enforcing the conditions
     through its own page table contents, a malicious guest may cause such
     bypasses to be used for an unbounded number of iterations. A
     malicious or buggy PV guest may cause a Denial of Service (DoS)
     affecting the entire host. Specifically, it may prevent use of a
     physical CPU for an indeterminate period of time. (bsc#1097521)
   - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks
     to help prevent Xen livelocking with debug exceptions. Unfortunately,
     due to an oversight, at least one of these safety checks can be
     triggered by a guest. A malicious PV guest can crash Xen, leading to
     a Denial of Service. Only x86 PV guests can exploit the
     vulnerability. x86 HVM and PVH guests cannot exploit the
     vulnerability. An attacker needs to be able to control hardware
     debugging facilities to exploit the vulnerability, but such
     permissions are typically available to unprivileged users.
     (bsc#1097522)
   - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer
     overflow via incoming fragmented datagrams. (bsc#1096224)
   - CVE-2018-10982: An issue was discovered in Xen that allowed x86 HVM
     guest OS users to cause a denial of service (unexpectedly high
     interrupt number, array overrun, and hypervisor crash) or possibly
     gain hypervisor privileges by setting up an HPET timer to deliver
     interrupts in IO-APIC mode, aka vHPET interrupt injection.
     (bsc#1090822)
   - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM
     guest OS users to cause a denial of service (host OS infinite loop)
     in situations where a QEMU device model attempts to make invalid
     transitions between states of a request.
     (bsc#1090823)

   Following bugs were fixed:

   - After updating to kernel 3.0.101-0.47.106.32-xen system crashes in
     check_bugs() (bsc#1097206)
   - bsc#1079730 - in xen-kmp, unplug emulated devices after migration
     This is required since xen-4.10 and/or qemu-2.10 because the state of
     unplug is not propagated from one dom0 to another. Without this
     unplug qemu's block-backend will be unable to open qcow2 disks on the
     receiving dom0

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-xen-13752=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-xen-13752=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-xen-13752=1

Package List:

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-libs-4.2.5_21-45.25.1
      xen-tools-domU-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

      xen-4.2.5_21-45.25.1
      xen-doc-html-4.2.5_21-45.25.1
      xen-doc-pdf-4.2.5_21-45.25.1
      xen-libs-32bit-4.2.5_21-45.25.1
      xen-tools-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-libs-4.2.5_21-45.25.1
      xen-tools-domU-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      xen-debuginfo-4.2.5_21-45.25.1
      xen-debugsource-4.2.5_21-45.25.1

References:

   https://www.suse.com/security/cve/CVE-2017-5715.html
   https://www.suse.com/security/cve/CVE-2017-5753.html
   https://www.suse.com/security/cve/CVE-2017-5754.html
   https://www.suse.com/security/cve/CVE-2018-10981.html
   https://www.suse.com/security/cve/CVE-2018-10982.html
   https://www.suse.com/security/cve/CVE-2018-11806.html
   https://www.suse.com/security/cve/CVE-2018-12617.html
   https://www.suse.com/security/cve/CVE-2018-12891.html
   https://www.suse.com/security/cve/CVE-2018-12893.html
   https://www.suse.com/security/cve/CVE-2018-3639.html
   https://www.suse.com/security/cve/CVE-2018-3646.html
   https://www.suse.com/security/cve/CVE-2018-3665.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1074562
   https://bugzilla.suse.com/1079730
   https://bugzilla.suse.com/1090822
   https://bugzilla.suse.com/1090823
   https://bugzilla.suse.com/1091107
   https://bugzilla.suse.com/1092631
   https://bugzilla.suse.com/1095242
   https://bugzilla.suse.com/1096224
   https://bugzilla.suse.com/1097206
   https://bugzilla.suse.com/1097521
   https://bugzilla.suse.com/1097522
   https://bugzilla.suse.com/1098744

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
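
To confirm that a host carries the fixed builds named in the Package List above, the following added example (not part of the SUSE or AusCERT bulletin) compares `rpm` query output against those versions. The comparison is a simplified form of RPM's version ordering; the function names and the sample lines are constructed for illustration, and packages are assumed to have no epoch.

```python
import re

# Fixed builds copied from the bulletin's Package List.
FIXED = {n: "4.2.5_21-45.25.1" for n in (
    "xen", "xen-libs", "xen-libs-32bit", "xen-tools", "xen-tools-domU",
    "xen-doc-html", "xen-doc-pdf", "xen-debuginfo", "xen-debugsource")}
FIXED.update({n: "4.2.5_21_3.0.101_0.47.106.43-45.25.1"
              for n in ("xen-kmp-default", "xen-kmp-pae")})

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare digit/letter runs left to right.
    Assumption: no '~' or '^' markers (none occur in these versions)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():        # numeric run beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():                       # numbers compare by value
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings (epoch assumed absent)."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def audit(rpm_lines):
    """Return {package: installed} for xen packages older than the fix."""
    stale = {}
    for line in rpm_lines:
        name, _, evr = line.strip().partition(" ")
        if name in FIXED and "-" in evr and evr_cmp(evr, FIXED[name]) < 0:
            stale[name] = evr
    return stale

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = [
    "xen 4.2.5_21-45.22.1",            # older release, same version
    "xen-libs 4.2.5_21-45.25.1",       # already at the fixed build
    "xen-tools 4.2.5_20-45.30.1",      # older version, higher release
    "xen-kmp-default 4.2.5_21_3.0.101_0.47.106.43-45.25.1",
    "bash 3.2-147.35.1",               # unrelated package, ignored
]

if __name__ == "__main__":
    for pkg, have in sorted(audit(SAMPLE).items()):
        print(f"{pkg}: installed {have}, fixed in {FIXED[pkg]}")
```

The xen-kmp version strings embed the kernel version they were built for, so a mismatch reported for those packages may reflect a different kernel build and should be checked by hand.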