ESB-2018.0639 - [SUSE] xen: Multiple vulnerabilities 2018-03-06

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0639
               SUSE Security Update: Security update for xen
                               6 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5683 CVE-2017-18030 CVE-2017-17566
                   CVE-2017-17565 CVE-2017-17564 CVE-2017-17563
                   CVE-2017-15595 CVE-2017-5754 CVE-2017-5753
                   CVE-2017-5715  

Reference:         ASB-2018.0033
                   ASB-2018.0030
                   ESB-2018.0044
                   ESB-2018.0042.2

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20180609-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20180601-1/

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0601-1
Rating:             important
References:         #1027519 #1035442 #1061081 #1068032 #1070158 
                    #1070159 #1070160 #1070163 #1074562 #1076116 
                    #1076180 #1080635 #1080662 
Cross-References:   CVE-2017-15595 CVE-2017-17563 CVE-2017-17564
                    CVE-2017-17565 CVE-2017-17566 CVE-2017-18030
                    CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
                    CVE-2018-5683
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has three
   fixes is now available.

Description:

   This update for xen fixes several issues.

   These security issues were fixed:

   - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks
     via side effects of speculative execution, aka "Spectre" and "Meltdown"
     attacks (bsc#1074562, bsc#1068032)
   - CVE-2018-5683: The vga_draw_text function allowed local OS guest
     privileged users to cause a denial of service (out-of-bounds read and
     QEMU process crash) by leveraging improper memory address validation
     (bsc#1076116).
   - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS
     guest privileged users to cause a denial of service (out-of-bounds array
     access and QEMU process crash) via vectors related to negative pitch
     (bsc#1076180).
   - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS
     (unbounded recursion, stack consumption, and hypervisor crash) or
     possibly gain privileges via crafted page-table stacking (bsc#1061081)
   - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges in shadow mode by mapping a
     certain auxiliary page (bsc#1070158).
   - CVE-2017-17563: Prevent guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges by leveraging an incorrect
     mask for reference-count overflow checking in shadow mode (bsc#1070159).
   - CVE-2017-17564: Prevent guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges by leveraging incorrect error
     handling for reference counting in shadow mode (bsc#1070160).
   - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service
     (host OS crash) if shadow mode and log-dirty mode are in place, because
     of an incorrect assertion related to M2P (bsc#1070163).
   - Added missing intermediate preemption checks for guest requesting
     removal of memory. This allowed malicious guest administrator to cause
     denial of service due to the high cost of this operation (bsc#1080635).
   - Because of XEN not returning the proper error messages when
     transitioning grant tables from v2 to v1 a malicious guest was able to
     cause DoS or potentially allowed for privilege escalation as well as
     information leaks (bsc#1080662).

   This non-security issue was fixed:

   - bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100
     seconds. If many domUs shutdown in parallel the backends couldn't keep up

   - Upstream patches from Jan (bsc#1027519)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-408=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      xen-4.4.4_28-22.62.1
      xen-debugsource-4.4.4_28-22.62.1
      xen-doc-html-4.4.4_28-22.62.1
      xen-kmp-default-4.4.4_28_k3.12.61_52.119-22.62.1
      xen-kmp-default-debuginfo-4.4.4_28_k3.12.61_52.119-22.62.1
      xen-libs-32bit-4.4.4_28-22.62.1
      xen-libs-4.4.4_28-22.62.1
      xen-libs-debuginfo-32bit-4.4.4_28-22.62.1
      xen-libs-debuginfo-4.4.4_28-22.62.1
      xen-tools-4.4.4_28-22.62.1
      xen-tools-debuginfo-4.4.4_28-22.62.1
      xen-tools-domU-4.4.4_28-22.62.1
      xen-tools-domU-debuginfo-4.4.4_28-22.62.1


References:

   https://www.suse.com/security/cve/CVE-2017-15595.html
   https://www.suse.com/security/cve/CVE-2017-17563.html
   https://www.suse.com/security/cve/CVE-2017-17564.html
   https://www.suse.com/security/cve/CVE-2017-17565.html
   https://www.suse.com/security/cve/CVE-2017-17566.html
   https://www.suse.com/security/cve/CVE-2017-18030.html
   https://www.suse.com/security/cve/CVE-2017-5715.html
   https://www.suse.com/security/cve/CVE-2017-5753.html
   https://www.suse.com/security/cve/CVE-2017-5754.html
   https://www.suse.com/security/cve/CVE-2018-5683.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1035442
   https://bugzilla.suse.com/1061081
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1070158
   https://bugzilla.suse.com/1070159
   https://bugzilla.suse.com/1070160
   https://bugzilla.suse.com/1070163
   https://bugzilla.suse.com/1074562
   https://bugzilla.suse.com/1076116
   https://bugzilla.suse.com/1076180
   https://bugzilla.suse.com/1080635
   https://bugzilla.suse.com/1080662

- ------------------------------------------------------------------------------

SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0601-1
Rating:             important
References:         #1027519 #1035442 #1061081 #1068032 #1070158 
                    #1070159 #1070160 #1070163 #1074562 #1076116 
                    #1076180 #1080635 #1080662 
Cross-References:   CVE-2017-15595 CVE-2017-17563 CVE-2017-17564
                    CVE-2017-17565 CVE-2017-17566 CVE-2017-18030
                    CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
                    CVE-2018-5683
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has three
   fixes is now available.

Description:

   This update for xen fixes several issues.

   These security issues were fixed:

   - CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks
     via side effects of speculative execution, aka "Spectre" and "Meltdown"
     attacks (bsc#1074562, bsc#1068032)
   - CVE-2018-5683: The vga_draw_text function allowed local OS guest
     privileged users to cause a denial of service (out-of-bounds read and
     QEMU process crash) by leveraging improper memory address validation
     (bsc#1076116).
   - CVE-2017-18030: The cirrus_invalidate_region function allowed local OS
     guest privileged users to cause a denial of service (out-of-bounds array
     access and QEMU process crash) via vectors related to negative pitch
     (bsc#1076180).
   - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS
     (unbounded recursion, stack consumption, and hypervisor crash) or
     possibly gain privileges via crafted page-table stacking (bsc#1061081)
   - CVE-2017-17566: Prevent PV guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges in shadow mode by mapping a
     certain auxiliary page (bsc#1070158).
   - CVE-2017-17563: Prevent guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges by leveraging an incorrect
     mask for reference-count overflow checking in shadow mode (bsc#1070159).
   - CVE-2017-17564: Prevent guest OS users to cause a denial of service
     (host OS crash) or gain host OS privileges by leveraging incorrect error
     handling for reference counting in shadow mode (bsc#1070160).
   - CVE-2017-17565: Prevent PV guest OS users to cause a denial of service
     (host OS crash) if shadow mode and log-dirty mode are in place, because
     of an incorrect assertion related to M2P (bsc#1070163).
   - Added missing intermediate preemption checks for guest requesting
     removal of memory. This allowed malicious guest administrator to cause
     denial of service due to the high cost of this operation (bsc#1080635).
   - Because of XEN not returning the proper error messages when
     transitioning grant tables from v2 to v1 a malicious guest was able to
     cause DoS or potentially allowed for privilege escalation as well as
     information leaks (bsc#1080662).

   This non-security issue was fixed:

   - bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100
     seconds. If many domUs shutdown in parallel the backends couldn't keep up

   - Upstream patches from Jan (bsc#1027519)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-408=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      xen-4.4.4_28-22.62.1
      xen-debugsource-4.4.4_28-22.62.1
      xen-doc-html-4.4.4_28-22.62.1
      xen-kmp-default-4.4.4_28_k3.12.61_52.119-22.62.1
      xen-kmp-default-debuginfo-4.4.4_28_k3.12.61_52.119-22.62.1
      xen-libs-32bit-4.4.4_28-22.62.1
      xen-libs-4.4.4_28-22.62.1
      xen-libs-debuginfo-32bit-4.4.4_28-22.62.1
      xen-libs-debuginfo-4.4.4_28-22.62.1
      xen-tools-4.4.4_28-22.62.1
      xen-tools-debuginfo-4.4.4_28-22.62.1
      xen-tools-domU-4.4.4_28-22.62.1
      xen-tools-domU-debuginfo-4.4.4_28-22.62.1


References:

   https://www.suse.com/security/cve/CVE-2017-15595.html
   https://www.suse.com/security/cve/CVE-2017-17563.html
   https://www.suse.com/security/cve/CVE-2017-17564.html
   https://www.suse.com/security/cve/CVE-2017-17565.html
   https://www.suse.com/security/cve/CVE-2017-17566.html
   https://www.suse.com/security/cve/CVE-2017-18030.html
   https://www.suse.com/security/cve/CVE-2017-5715.html
   https://www.suse.com/security/cve/CVE-2017-5753.html
   https://www.suse.com/security/cve/CVE-2017-5754.html
   https://www.suse.com/security/cve/CVE-2018-5683.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1035442
   https://bugzilla.suse.com/1061081
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1070158
   https://bugzilla.suse.com/1070159
   https://bugzilla.suse.com/1070160
   https://bugzilla.suse.com/1070163
   https://bugzilla.suse.com/1074562
   https://bugzilla.suse.com/1076116
   https://bugzilla.suse.com/1076180
   https://bugzilla.suse.com/1080635
   https://bugzilla.suse.com/1080662

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWp31p4x+lLeg9Ub1AQjwYRAAnr+tksPPnJeREUZmW8qqwTrwZx3YbQG+
n4UTYrsmKQ86CrhjnO9GFHILIugB6q18TI83h5g/b3sqwBLhT0AQgHoB0L12yMjO
4py7pccRRCN49WQl1qIJcmOsjFY11gfkVcrJ08IdwfUmddccpCPJ0QwOqiJvWCMm
h6ecOU0hCVEjwi4Piz8iy8+zVZZDBoK+9jhXh/jqaJrSMqXQgVp9dMkTp0OQWYyH
/VJr1MitxWNU+12p1Jnx8RUSv3ajvEtEz8Xdaj4afIAqq/Al979dAToFnWvjeC0G
8QWVPQD9qv7KM/JTgRbrAziGmeaS2Kz2St+ecDEX9Ib5DU9u/VVJAlK1ih8Uns7o
sfm52fZ4rv47p91KOwg/sEJrMQ0UXWHKxT2/rRZl8K0oC4XZO3yToWiRZ9FS3AfU
qc286LWe14nhkGikTQqVQnzcNFoAAdx7YIAenmNU4FCwBAGi+kvsv0CHOeqUc2Ax
4+Qp9zm0tQX2rE0GVETN1QdAGGFChREyLZVCXlnr20OSOZ3rfcXZNHM10IT2hd0t
1BmF9rNfdnoWxgGiYT0mk1qUNqVkKUUmuEm8g3bcNeK7Oreyp4dJ99fGMdxaWRaj
9VAHe6tcQbfFo3rdkYBaRBCzK9EivBCZ2kBzs9s4sIdIk0Taj6bR3ZroIhzeEhy5
1RI/5EUVIZc=
=031t
-----END PGP SIGNATURE-----

« Back to bulletins