| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-12893 |
264 |
|
DoS |
2018-07-02 |
2018-11-13 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. |
|
2 |
CVE-2017-17046 |
200 |
|
+Info |
2017-11-28 |
2018-10-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled. |
|
3 |
CVE-2017-15589 |
200 |
|
+Info |
2017-10-18 |
2018-10-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory. |
|
4 |
CVE-2017-12855 |
200 |
|
+Info |
2017-08-15 |
2017-11-14 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected. |
|
5 |
CVE-2016-10025 |
476 |
|
DoS |
2017-01-26 |
2017-01-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check. |
|
6 |
CVE-2016-9932 |
200 |
|
+Info |
2017-01-26 |
2017-11-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix. |
|
7 |
CVE-2016-9384 |
200 |
|
+Info |
2017-02-22 |
2017-07-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table. |
|
8 |
CVE-2016-9378 |
284 |
|
DoS |
2017-02-22 |
2017-07-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery. |
|
9 |
CVE-2016-9377 |
682 |
|
DoS |
2017-02-22 |
2017-07-27 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation. |
|
10 |
CVE-2016-3961 |
20 |
|
DoS |
2016-04-15 |
2016-11-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. |
|
11 |
CVE-2016-2271 |
|
|
DoS |
2016-02-19 |
2017-06-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP. |
|
12 |
CVE-2015-8615 |
254 |
|
DoS |
2016-01-08 |
2016-11-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ). |
|
13 |
CVE-2015-8553 |
200 |
|
+Info |
2016-04-13 |
2017-02-19 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777. |
|
14 |
CVE-2015-7972 |
399 |
|
DoS |
2015-10-30 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure." |
|
15 |
CVE-2015-7971 |
19 |
|
DoS |
2015-10-30 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. |
|
16 |
CVE-2015-7813 |
399 |
|
DoS |
2015-10-30 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properly handled in the do_hvm_op function in arch/arm/hvm.c. |
|
17 |
CVE-2015-6654 |
264 |
|
DoS |
2015-09-03 |
2016-12-07 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest. |
|
18 |
CVE-2015-3340 |
200 |
|
+Info |
2015-04-28 |
2018-10-30 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. |
|
19 |
CVE-2015-2045 |
200 |
|
+Info |
2015-03-12 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. |
|
20 |
CVE-2015-2044 |
200 |
|
+Info |
2015-03-12 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. |
|
21 |
CVE-2015-1563 |
399 |
|
DoS |
2015-02-09 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged. |
|
22 |
CVE-2015-0777 |
200 |
|
+Info |
2015-04-05 |
2016-12-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors. |
|
23 |
CVE-2014-4022 |
200 |
|
+Info |
2014-07-09 |
2018-10-30 |
2.7 |
None |
Local Network |
Low |
Single system |
Partial |
None |
None |
|
The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall. |
|
24 |
CVE-2014-4021 |
119 |
|
Overflow +Info |
2014-06-18 |
2018-10-30 |
2.7 |
None |
Local Network |
Low |
Single system |
Partial |
None |
None |
|
Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors. |
|
25 |
CVE-2014-3672 |
400 |
|
DoS |
2016-05-25 |
2017-09-07 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. |
|
26 |
CVE-2013-4375 |
399 |
|
DoS |
2014-01-19 |
2017-01-06 |
2.7 |
None |
Local Network |
Low |
Single system |
None |
None |
Partial |
|
The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. |
|
27 |
CVE-2013-4361 |
200 |
|
+Info |
2013-10-01 |
2017-01-06 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. |
|
28 |
CVE-2012-4544 |
20 |
|
DoS |
2012-10-31 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk. |
|
29 |
CVE-2012-4539 |
399 |
|
DoS |
2012-11-21 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability." |
|
30 |
CVE-2012-4537 |
16 |
|
DoS |
2012-11-21 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability." |
|
31 |
CVE-2012-4536 |
|
|
DoS |
2012-11-21 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read. |
|
32 |
CVE-2012-3494 |
264 |
|
DoS |
2012-11-23 |
2017-08-28 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register. |
|
33 |
CVE-2012-2625 |
20 |
|
DoS |
2012-10-31 |
2018-04-13 |
2.7 |
None |
Local Network |
Low |
Single system |
None |
None |
Partial |
|
The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image. |
