Incomplete Cleanup Affecting xen-libs package, versions <4.10.4_40-150000.3.84.1


Severity

Recommended
0.0
high
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES150-XENLIBS-3112051
  • published10 Nov 2022
  • disclosed9 Nov 2022

Introduced: 9 Nov 2022

CVE-2022-42320  (opens in a new tab)
CWE-459  (opens in a new tab)

How to fix?

Upgrade SLES:15.0 xen-libs to version 4.10.4_40-150000.3.84.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream xen-libs package and not the xen-libs package as distributed by SLES. See How to fix? for SLES:15.0 relevant fixed versions and status.

Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.

CVSS Scores

version 3.1