Information Exposure Affecting xen package, versions <4.9.0-r1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE320-XEN-7012812
- published 23 May 2024
- disclosed 15 Aug 2017
Introduced: 15 Aug 2017
CVE-2017-12855 Open this link in a new tabHow to fix?
Upgrade Alpine:3.20 xen to version 4.9.0-r1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream xen package and not the xen package as distributed by Alpine.
See How to fix? for Alpine:3.20 relevant fixed versions and status.
Xen maintains the GTF{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected.