Allocation of Resources Without Limits or Throttling Affecting xen package, versions <4.15.4-r0


0.0
medium

Snyk CVSS

    Attack Complexity Low
    Scope Changed
    Availability High

    Threat Intelligence

    EPSS 0.05% (13th percentile)
Expand this section
NVD
6.5 medium
Expand this section
SUSE
6 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-ALPINE314-XEN-3136188
  • published 20 Nov 2022
  • disclosed 1 Nov 2022

How to fix?

Upgrade Alpine:3.14 xen to version 4.15.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xen package and not the xen package as distributed by Alpine. See How to fix? for Alpine:3.14 relevant fixed versions and status.

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction