Bug 1192554 - (CVE-2021-28706) VUL-0: CVE-2021-28706: xen: guests may exceed their designated memory limit (XSA-385)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/314700/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28706:5.5:(AV:...
Reported: 2021-11-10 14:20 UTC by Gianluca Gabrielli
Modified: 2022-02-21 15:32 UTC

Attachments
upstream patches (2.24 KB, patch) - 2021-11-10 14:23 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-11-10 14:20:29 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2021-28706 / XSA-385

             guests may exceed their designated memory limit

              *** EMBARGOED UNTIL 2021-11-23 12:00 UTC ***

ISSUE DESCRIPTION
=================

When a guest is permitted to have close to 16TiB of memory, it may be
able to issue hypercalls to increase its memory allocation beyond the
administrator established limit.  This is a result of a calculation
done with 32-bit precision, which may overflow.  It would then only
be the overflowed (and hence small) number which gets compared against
the established upper bound.

IMPACT
======

A guest may be able to allocate unbounded amounts of memory to itself.
This may result in a Denial of Service (DoS) affecting the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are affected.

On x86, only Xen builds with the BIGMEM configuration option enabled are
affected.  (This option is off by default.)

Only hosts with more than 16 TiB of memory are affected.

MITIGATION
==========

Setting the maximum amount of memory a guest may allocate to strictly
less than 1023 GiB will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate first attached patch resolves this specific
issue.  The second patch in addition documents altered support status of
Xen on huge memory systems.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa385-?.patch           xen-unstable
xsa385-4.15.patch        Xen 4.15.x - 4.14.x
xsa385-4.13.patch        Xen 4.13.x
xsa385-4.12.patch        Xen 4.12.x

$ sha256sum xsa385*
05c158b2dbb3f3bc17240cf4762c56f236225d0c0b3337f74fe0d3d4be9acf89  xsa385-1.patch
46a5ccfbb763b857f6cd0df46a9b7eed155b9de399ca4c68c9925faf4d1d9adb  xsa385-2.patch
38ae28e4019c5e3427c22fb3e842bf82a1c098b6222186e8ed44d09cec1b347f  xsa385-4.12.patch
000dd10638abf84ba8caf1aed5b53b24282fe914ce62f3ac2209cb490a0946de  xsa385-4.13.patch
d6d47a51a25457c181e30f3ecec3a62d7ad055782ab232143bdffa8338fb5422  xsa385-4.15.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation described above is NOT permitted
during the embargo on public-facing systems with untrusted guest users
and administrators.  This is because such a configuration change is
recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmGKtlMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZlNwH+wfpSlrmpV5EempYXZ46SqSX44aD2eQCxfEn/MFK
KdX0moiyubdDLZYYiVqVYWnMnkO1uiFjytiumW6CNlE7AE4NMThUOLyMAuLdmFcR
eoo1Oj7vCp55tyhnT41RMzg41k7Y+RR+7Tyui4UNcHbXbZbY+Gaekd03w3FreBn2
fsKHl0osnPUptyjpL9hZp35Oy+4lnmh3eeB/ShMMwIEyWi3DEk1yERkkiPjkorUh
+2v5PPqFMrCC7jAAGReMfu+0d4VQfC1KdhQLmQmZFsYBDQ1x7VVj6ATdMFgtbtQX
iB6IH1VFjWfFicIjL34707tQe6Yo53LcBINrsReda9M9wOk=
=clFL
-----END PGP SIGNATURE-----
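The advisory's ISSUE DESCRIPTION and MITIGATION sections describe the defect abstractly: a page-count sum formed at 32-bit precision wraps once a guest is near 16 TiB (2^32 pages of 4 KiB), and the wrapped, small value is what gets compared against the administrator's limit. The following C program is an added illustration of that failure mode and of a wrap-proof replacement; it is not part of the advisory and not Xen's code, and `struct guest`, `may_allocate_32bit`, `may_allocate_safe` and the scenario values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of per-guest page accounting (illustration only, not
 * Xen's code).  All quantities are 4 KiB pages, so 2^32 pages is 16 TiB,
 * the point at which a 32-bit page count wraps. */
#define PAGE_SHIFT 12
#define TIB_PAGES  (1ULL << (40 - PAGE_SHIFT))   /* pages per TiB: 2^28 */

struct guest {
    uint64_t tot_pages;   /* pages the guest currently owns */
    uint64_t max_pages;   /* administrator-set ceiling */
};

/* Flawed check, modelling what the advisory describes: the candidate new
 * total is formed at 32-bit precision, so once the guest is near 16 TiB the
 * sum wraps, and the wrapped (small) value is what gets compared against
 * max_pages.  An over-limit request is therefore accepted. */
bool may_allocate_32bit(const struct guest *g, uint64_t nr_pages)
{
    uint32_t new_total = (uint32_t)g->tot_pages + (uint32_t)nr_pages;
    return new_total <= g->max_pages;
}

/* Hardened check: decide against the remaining headroom instead of forming
 * a sum, so no intermediate value can wrap whatever the operand width. */
bool may_allocate_safe(const struct guest *g, uint64_t nr_pages)
{
    if (g->tot_pages > g->max_pages)
        return false;                       /* already over the cap */
    return nr_pages <= g->max_pages - g->tot_pages;
}

/* Constructed scenario matching the advisory: a guest permitted just under
 * 16 TiB that has nearly filled its allowance and asks for one more 2 MiB
 * superpage (512 pages).  The honest total exceeds max_pages by 256 pages. */
static const struct guest near_limit_guest = {
    .tot_pages = 16 * TIB_PAGES - 256,
    .max_pages = 16 * TIB_PAGES - 1,
};
#define SUPERPAGE_PAGES 512ULL

/* true means the 32-bit check lets the over-limit request through (the bug) */
bool flawed_check_accepts_overflow(void)
{
    return may_allocate_32bit(&near_limit_guest, SUPERPAGE_PAGES);
}

/* true means the headroom check refuses the same request */
bool hardened_check_rejects_overflow(void)
{
    return !may_allocate_safe(&near_limit_guest, SUPERPAGE_PAGES);
}

int main(void)
{
    printf("32-bit check accepts over-limit request: %s\n",
           flawed_check_accepts_overflow() ? "yes (bug)" : "no");
    printf("headroom check rejects it:               %s\n",
           hardened_check_rejects_overflow() ? "yes" : "no");
    return 0;
}
```

The advisory's mitigation (capping every guest strictly below 1023 GiB) works by keeping the guest's page count far from the wrap point; the headroom form of the check removes the dependence on operand width altogether, which is why a limit check should be written as "request <= max - current" rather than "current + request <= max" whenever the operands can approach the type's range.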
Comment 2 Gianluca Gabrielli 2021-11-10 14:23:01 UTC
Created attachment 853663: upstream patches
Comment 4 Gianluca Gabrielli 2021-11-11 15:25:40 UTC
According to the Xen SA, all the following packages are affected:
 - SUSE:SLE-11-SP1:Update:Teradata/xen     4.0.3_21548_20
 - SUSE:SLE-11-SP3:Update/xen              4.2.5_22
 - SUSE:SLE-11-SP3:Update:Teradata/xen     4.2.5_26
 - SUSE:SLE-11-SP4:Update/xen              4.4.4_48
 - SUSE:SLE-12-SP2:Update/xen              4.7.6_16
 - SUSE:SLE-12-SP3:Update/xen              4.9.4_22
 - SUSE:SLE-12-SP4:Update/xen              4.11.4_20
 - SUSE:SLE-12-SP5:Update/xen              4.12.4_14
 - SUSE:SLE-15-SP1:Update/xen              4.12.4_12
 - SUSE:SLE-15-SP2:Update/xen              4.13.3_04
 - SUSE:SLE-15-SP3:Update/xen              4.14.2_06
 - SUSE:SLE-15:Update/xen                  4.10.4_26
 - openSUSE:Factory/xen                    4.15.1_01
Comment 6 Marcus Meissner 2021-11-23 14:05:43 UTC
is public
Comment 7 Swamp Workflow Management 2021-11-29 14:17:58 UTC
SUSE-SU-2021:3813-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1192554,1192557,1192559
CVE References: CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_18-43.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-01 20:21:44 UTC
SUSE-SU-2021:3851-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1192554,1192557,1192559
CVE References: CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_24-3.97.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_24-3.97.1
HPE Helion Openstack 8 (src):    xen-4.9.4_24-3.97.1
Comment 9 Swamp Workflow Management 2021-12-01 20:41:20 UTC
SUSE-SU-2021:3849-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189373,1189378,1189632,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_24-2.65.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_24-2.65.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_24-2.65.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_24-2.65.1
Comment 10 Swamp Workflow Management 2021-12-01 20:57:50 UTC
SUSE-SU-2021:3842-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189373,1189378,1189632,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_30-3.68.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_30-3.68.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_30-3.68.1
Comment 11 Swamp Workflow Management 2021-12-01 21:01:44 UTC
SUSE-SU-2021:3852-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1191510,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_16-3.55.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_16-3.55.1
Comment 12 Swamp Workflow Management 2021-12-01 21:07:53 UTC
SUSE-SU-2021:14848-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186013,1186429,1186433,1186434,1187369,1187376,1187378,1189150,1189376,1189378,1189632,1192526,1192554,1192555,1192559
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-28703,CVE-2021-28705,CVE-2021-28706,CVE-2021-28709,CVE-2021-3527,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595,CVE-2021-3682,CVE-2021-3930
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_50-61.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_50-61.67.1
Comment 13 Swamp Workflow Management 2021-12-03 14:50:47 UTC
SUSE-SU-2021:3888-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    xen-4.13.4_02-3.40.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.4_02-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.4_02-3.40.1
Comment 14 Swamp Workflow Management 2021-12-06 18:36:45 UTC
openSUSE-SU-2021:1543-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.4_02-lp152.2.33.1
Comment 15 Swamp Workflow Management 2021-12-07 20:17:49 UTC
SUSE-SU-2021:3968-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    xen-4.14.3_04-3.15.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.3_04-3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.3_04-3.15.1
Comment 16 Swamp Workflow Management 2021-12-07 20:29:33 UTC
openSUSE-SU-2021:3968-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.3_04-3.15.1
Comment 17 Swamp Workflow Management 2021-12-09 14:22:35 UTC
SUSE-SU-2021:3977-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1189632,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_16-3.57.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_16-3.57.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_16-3.57.1