Bug 918998 - (CVE-2015-2045) VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
maint:released:sle10-sp3:61379 maint:...
Reported: 2015-02-23 09:23 UTC by Johannes Segitz
Modified: 2015-12-08 14:13 UTC
Comment 1 Johannes Segitz 2015-02-23 11:02:50 UTC
CVE-2015-2045 got assigned
Comment 2 Swamp Workflow Management 2015-02-23 15:54:37 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60766
Comment 3 Swamp Workflow Management 2015-02-23 23:00:25 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2015-03-05 12:22:02 UTC
public now.

            Xen Security Advisory CVE-2015-2045 / XSA-122
                              version 3

         Information leak through version information hypercall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures
subsequently copied back to guest memory. Due to this hypervisor stack
contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa122.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47  xsa122.patch
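The bug class described in the advisory's ISSUE DESCRIPTION, as an added example that is not part of this bug report, the advisory or xsa122.patch: a handler writes only part of a reply structure and then copies the whole structure out. The structure, the handler names and the 0xAA residue pattern are hypothetical and constructed for illustration; the handler's stack local is modelled as a caller-supplied buffer so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure for this example; not a real Xen type. */
struct ver_reply {
    char compiler[16];
    char compile_by[16];
};

/* 'slot' models the handler's stack local, including bytes left by earlier
 * calls; 'guest' models the guest-visible destination buffer. */
void handle_leaky(struct ver_reply *slot, unsigned char *guest)
{
    strcpy(slot->compiler, "gcc");       /* writes 4 bytes of 16 */
    strcpy(slot->compile_by, "build");   /* writes 6 bytes of 16 */
    memcpy(guest, slot, sizeof(*slot));  /* copies all 32, tails included */
}

void handle_fixed(struct ver_reply *slot, unsigned char *guest)
{
    memset(slot, 0, sizeof(*slot));      /* zero every byte before filling */
    strcpy(slot->compiler, "gcc");
    strcpy(slot->compile_by, "build");
    memcpy(guest, slot, sizeof(*slot));
}

/* Run one handler over a slot pre-filled with constructed residue (0xAA)
 * and count how many residue bytes reach the guest buffer. */
size_t leaked_bytes(void (*handler)(struct ver_reply *, unsigned char *))
{
    struct ver_reply slot;
    unsigned char guest[sizeof(slot)];
    size_t n = 0;

    memset(&slot, 0xAA, sizeof(slot));   /* constructed "old stack contents" */
    handler(&slot, guest);
    for (size_t i = 0; i < sizeof(guest); i++)
        if (guest[i] == 0xAA)
            n++;
    return n;
}

int main(void)
{
    printf("leaky: %zu, fixed: %zu\n",
           leaked_bytes(handle_leaky), leaked_bytes(handle_fixed));
    return 0;
}
```

Zeroing the structure before filling it is one common remedy for this class of leak; this page does not show what xsa122.patch itself changes.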
Comment 5 Charles Arnold 2015-03-06 23:13:55 UTC
Xen has been submitted with the following MR/SR numbers for
Maintenance Tracker 60766:

SLE12: MR#52782
SLE11-SP3: SR#52784
SLE11-SP2: SR#52786
SLE11-SP1: SR#52788
SLE11-SP1-Teradata: SR#52790
SLE10-SP4: SR#52792
SLE10-SP3: SR#52794

Bug fixes included in each distro are as follows:

Security and Maintenance SLE12
==============================
- bnc#919098 - L3: XEN blktap device intermittently fails to connect
  Note to QA: This fix is not relevant to sle12 but it is for sle11sp4.
       The patch fixes blktapctrl which is removed by spec file for sle12
       but not for sle11sp4.
- bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation
- bnc#919663 - VUL-0: CVE-2015-2152: xen: XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends
- bnc#895528 - VUL-1: CVE-2014-3615: xen,kvm,qemu: information leakage when guest sets high resolution
- bnc#903680 - Problems with detecting free loop devices on Xen guest startup
- bnc#861318 - xentop reports "Found interface vif101.0 but domain 101 does not exist."
- bnc#901488 - Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores
- bnc#910254 - SLES11 SP3 Xen VT-d igb NIC doesn't work
- bnc#906996 - VUL-0: CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation
- bnc#904255 - XEN boot hangs in early boot on UEFI system
- bsc#912011 - high ping latency after upgrade to latest SLES11SP3 on xen Dom0
- bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore

Security and Maintenance SLE11-SP3
==================================
- bnc#919098 - L3: XEN blktap device intermittently fails to connect
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation
- bnc#919663 - VUL-0: CVE-2015-2152: xen: XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends
- bnc#903680 - Problems with detecting free loop devices on Xen guest startup
- bnc#904255 - Partner-L3: XEN boot hangs in early boot on UEFI system
- bnc#910681 - VUL-0: CVE-2015-0361: XSA-116: xen: xen crash due to use after free on hvm guest teardown
- bnc#906996 - VUL-0: CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation
- bnc#901488 - Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores
- bnc#910254 - SLES11 SP3 Xen VT-d igb NIC doesn't work
- bsc#912011 - high ping latency after upgrade to latest SLES11SP3 on xen Dom0
- bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus
- bnc#889526 - VUL-0: CVE-2014-5146,CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu operations are not preemptible

Security SLE11-SP2
==================
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation
- bnc#919663 - VUL-0: CVE-2015-2152: xen: XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends

Security SLE11-SP1
Security SUSE:SLE-11-SP1:Update:Teradata:Test
==================
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation

Security SLE10-SP4
==================
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation

Security SLE10-SP3
==================
- bnc#919464 - VUL-0: CVE-2015-2151: xen: XSA-123: Hypervisor memory corruption due to x86 emulator flaw
- bnc#918998 - VUL-0: CVE-2015-2045: xen: XSA-122: Information leak through version information hypercall
- bnc#918995 - VUL-0: CVE-2015-2044: xen: XSA-121: Information leak via internal x86 system device emulation


Bugs listed in Maintenance Tracker but incomplete 
=================================================
bnc#910258: Fix under review, not ready for release.
bnc#889526: Partial fix released. More upstream work pending.
bnc#826717: Partial fix released. More upstream work pending.


openSUSE Factory/13.2/13.1 will be updated after embargoes are lifted
for 919663 and 919464.
Comment 6 Swamp Workflow Management 2015-03-27 09:07:32 UTC
SUSE-SU-2015:0613-1: An update that solves 8 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,904255,906996,910254,910681,912011,918995,918998,919098,919464,919663
CVE References: CVE-2014-3615,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_10-9.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_10-9.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_10-9.1
Comment 7 Charles Arnold 2015-03-27 15:45:36 UTC
Additional bug fixes and resubmission (see comment #5 for original list).

SLE12 Submission:
=================
MR#53894

SLE11 Submissions:
=================
SP3: SR#53976
SP2: SR#53978
SP1: SR#53980
SP1-Teradata: SR#53982

SLE10 Submissions:
==================
SP4: SR#53984
SP3: SR#53986

Security and Maintenance SLE12
==============================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
- bsc#922706 - VUL-0: xen: XSA-126: Unmediated PCI command register access in qemu
- bsc#922709 - VUL-0: xen: XSA-127: Certain domctl operations may be abused to lock up the host
- bnc#923758 - xen dmesg contains bogus output in early boot

Security and Maintenance SLE11SP3
=================================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
- bsc#922706 - VUL-0: xen: XSA-126: Unmediated PCI command register access in qemu
- bnc#919341 - SLES 11 SP4 Beta 1- Fully virtualized guest install from network source fails with 'cannot find guest domain' in XEN

Security SLE11-SP2
==================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
- bsc#922706 - VUL-0: xen: XSA-126: Unmediated PCI command register access in qemu
- bsc#907755 - Regular crashes of dom-0 on different servers

Security SLE11-SP1
Security SUSE:SLE-11-SP1:Update:Teradata:Test
==================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
- bsc#922706 - VUL-0: xen: XSA-126: Unmediated PCI command register access in qemu

Security SLE10-SP4
==================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible

Security SLE10-SP3
==================
- bsc#922705 - VUL-0: xen: XSA-125: Long latency MMIO mapping operations are not preemptible
Comment 8 Charles Arnold 2015-03-27 21:04:19 UTC
Due to upstream fixes to XSA-126 (bsc#922706), additional resubmissions are:

SLE12: MR#53990
SLE11SP3: SR#53992
SLE11SP2: SR#53994
SLE11SP1: SR#53996
SLE11SP1-Teradata: SR#53998
Comment 9 Swamp Workflow Management 2015-04-20 14:06:14 UTC
openSUSE-SU-2015:0732-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 861318,895528,901488,903680,910254,918995,918998,919098,919464,919663,922705,922706
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2752,CVE-2015-2756
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_02-41.1
Comment 10 Swamp Workflow Management 2015-04-21 18:05:18 UTC
SUSE-SU-2015:0744-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 918995,918998,919464,922705
CVE References: CVE-2013-3495,CVE-2014-3615,CVE-2014-5146,CVE-2014-5149,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361,CVE-2015-2044,CVE-2015-2045
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.13.1
Comment 11 Swamp Workflow Management 2015-04-21 18:06:10 UTC
SUSE-SU-2015:0745-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.15.1
Comment 12 Swamp Workflow Management 2015-04-21 18:07:30 UTC
SUSE-SU-2015:0746-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 907755,918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.9.1
Comment 13 Swamp Workflow Management 2015-04-21 18:08:36 UTC
SUSE-SU-2015:0747-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918995,918998,919341,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_04-0.9.1
Comment 14 Swamp Workflow Management 2015-06-22 10:07:26 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 15 Marcus Meissner 2015-12-08 14:13:08 UTC
released