Bug 1192559 - (CVE-2021-28705) VUL-0: CVE-2021-28705,CVE-2021-28709: xen: issues with partially successful P2M updates on x86 (XSA-389)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/314709/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28705:5.5:(AV:...
Depends on:
Blocks:
Reported: 2021-11-10 14:34 UTC by Gianluca Gabrielli
Modified: 2022-08-11 23:15 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream patch (6.81 KB, patch)
2021-11-10 14:35 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-11-10 14:34:01 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2021-28705 / XSA-389

          issues with partially successful P2M updates on x86

              *** EMBARGOED UNTIL 2021-11-23 12:00 UTC ***

ISSUE DESCRIPTION
=================

x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
to provide a way for them to later easily have more memory assigned.

Guests are permitted to control certain P2M aspects of individual
pages via hypercalls.  These hypercalls may act on ranges of pages
specified via page orders (resulting in a power-of-2 number of pages).
In some cases the hypervisor carries out the requests by splitting
them into smaller chunks.  Error handling in certain PoD cases has
been insufficient in that in particular partial success of some
operations was not properly accounted for.

IMPACT
======

Malicious or buggy guest kernels may be able to mount a Denial of
Service (DoS) attack affecting the entire system.  Privilege escalation
and information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.4 onwards are affected.  Xen versions 3.3 and
older are believed to not be affected.

Only x86 HVM and PVH guests started in populate-on-demand mode are
believed to be able to leverage the vulnerability.  Populate-on-demand
mode is activated when the guest's xl configuration file specifies a
"maxmem" value which is larger than the "memory" value.

MITIGATION
==========

Not starting x86 HVM or PVH guests in populate-on-demand mode is
believed to allow avoiding the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.  Note that
for the time being the sole patch made available here will not work as
is; see the patch itself.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa389.patch           xen-unstable
<tbd>                  Xen 4.15.x
<tbd>                  Xen 4.14.x
<tbd>                  Xen 4.13.x
<tbd>                  Xen 4.12.x

$ sha256sum xsa389*
e5a0eede9d34701da138fe35c96754798816730dc5e0b0df615173067a665bfd  xsa389.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on public-
facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation described above is NOT permitted
during the embargo on public-facing systems with untrusted guest users
and administrators.  This is because such a configuration change is
recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmGKtlUMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ/l8H/0Sc5EAWUr00zusnV2hEspHEJICGtDCzs6/Mu87t
DGaah03sTw26yb4PQah+d5IWL/2nGyQQlt79MmfPCfCJkOvauyRtvenG/QFaEecy
gsnnNmW3kktwyAV5d1Jj8cXtmRaDuQYQbHoD7vz9eQotcaoLi+yZbMLzAg/UrhlH
GKuP8+I5CEuAbPLWS7OdOUDuaxDbegMM3OJiiE1JKlyiGsu6qSshy6z9QuUBvJe4
8jMAg8zzDc6QNZNLjgVmOU8FjBPuvYTGKUvn6A2ICV7BRPFoOWQ60FFhiaUvzdwx
Nck0CHJRGBYqvyzr0hJ5DXPBtq34jo2B6y77jDP4DhYo+i8=
=JVfr
-----END PGP SIGNATURE-----
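The advisory above states the condition a host administrator can check for: only x86 HVM and PVH guests started in populate-on-demand mode are believed able to leverage the issue, and PoD mode is activated when the guest's xl configuration specifies a "maxmem" value larger than its "memory" value. The following script is an added example, not code from SUSE, the Xen Project or the bug reporter; it parses the simple `key = value` lines of xl config files and reports which guests match that condition. It assumes the usual xl.cfg keys `name`, `type` (or the older `builder`), `memory` and `maxmem`, and the sample configurations embedded in it are constructed for illustration.

```python
"""Flag xl guest configurations that run in populate-on-demand (PoD) mode.

Added example (not SUSE's or the Xen Project's code).  XSA-389 says PoD mode
is activated when an x86 HVM or PVH guest's xl configuration specifies a
"maxmem" value larger than its "memory" value; this script scans xl config
text for exactly that condition.  The sample configurations are constructed.
"""
import re
from typing import Dict, List, Optional

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)$")


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, ignoring '#' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_xl_config(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of an xl.cfg file into a dict.

    Quoted string values lose their quotes; other values are kept verbatim.
    List values and other Python-style syntax are not needed for this check.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        cfg[key] = value
    return cfg


def guest_type(cfg: Dict[str, str]) -> str:
    """Return 'hvm', 'pvh' or 'pv'; newer configs use type=, older ones builder=."""
    if "type" in cfg:
        return cfg["type"].lower()
    if cfg.get("builder", "").lower() == "hvm":
        return "hvm"
    return "pv"  # xl's default when neither key is present


def _megabytes(cfg: Dict[str, str], key: str) -> Optional[int]:
    """memory/maxmem are integers in MB; None if absent or malformed."""
    try:
        return int(cfg[key])
    except (KeyError, ValueError):
        return None


def pod_mode_enabled(cfg: Dict[str, str]) -> bool:
    """PoD mode per the advisory: maxmem present and strictly larger than memory."""
    memory, maxmem = _megabytes(cfg, "memory"), _megabytes(cfg, "maxmem")
    return memory is not None and maxmem is not None and maxmem > memory


def assess_guest(text: str) -> Dict[str, object]:
    """Summarise one config; 'exposed' means an HVM/PVH guest in PoD mode."""
    cfg = parse_xl_config(text)
    gtype = guest_type(cfg)
    pod = pod_mode_enabled(cfg)
    return {
        "name": cfg.get("name", "<unnamed>"),
        "type": gtype,
        "memory": _megabytes(cfg, "memory"),
        "maxmem": _megabytes(cfg, "maxmem"),
        "pod": pod,
        "exposed": pod and gtype in ("hvm", "pvh"),
    }


# Constructed sample configurations (not taken from any real host).
SAMPLE_CONFIGS = {
    "web01.cfg": 'name = "web01"\ntype = "hvm"\nmemory = 2048\nmaxmem = 8192  # grow later\n',
    "db01.cfg": "name = 'db01'\nbuilder = 'hvm'\nmemory = 4096\nmaxmem = 4096\n",
    "pv01.cfg": 'name = "pv01"\nmemory = 512\nmaxmem = 1024\n',
    "pvh01.cfg": 'name = "pvh01"\ntype = "pvh"\nmemory = 1024\nmaxmem = 2048  # "#" here is a comment\n',
}


def exposed_guests(configs: Dict[str, str]) -> List[str]:
    """Names of guests whose configuration matches the advisory's condition."""
    return [r["name"] for r in (assess_guest(t) for t in configs.values()) if r["exposed"]]


if __name__ == "__main__":
    for path, text in SAMPLE_CONFIGS.items():
        r = assess_guest(text)
        flag = "POD-EXPOSED" if r["exposed"] else "ok"
        print(f"{path:10} {r['name']:6} type={r['type']:4} memory={r['memory']} "
              f"maxmem={r['maxmem']} -> {flag}")
```

A PV guest with maxmem > memory is reported as PoD-configured but not exposed, matching the advisory's scope; a guest without `maxmem` is never flagged, since xl then defaults it to `memory`. On a real host, feed the script the contents of each file under the xl configuration directory and update the hypervisor package for any guest it flags rather than only editing its configuration.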
Comment 3 Gianluca Gabrielli 2021-11-10 14:35:01 UTC
Created attachment 853667 [details]
upstream patch
Comment 4 Gianluca Gabrielli 2021-11-10 14:35:36 UTC
     Xen Security Advisory CVE-2021-28705,CVE-2021-28709 / XSA-389
                               version 2

          issues with partially successful P2M updates on x86

              *** EMBARGOED UNTIL 2021-11-23 12:00 UTC ***

UPDATES IN VERSION 2
====================

Properly applicable master patch plus backports.

CVE split: there are, in principle, three independently fixable issues
here, which according to the CVE rules requires two CVEs.  We do not
intend anyone to apply only one of the fixes.

Additional CVE assigned.
Comment 5 Gianluca Gabrielli 2021-11-11 15:20:44 UTC
According to the Xen SA, all the following packages are affected:
 - SUSE:SLE-11-SP1:Update:Teradata/xen     4.0.3_21548_20
 - SUSE:SLE-11-SP3:Update/xen              4.2.5_22
 - SUSE:SLE-11-SP3:Update:Teradata/xen     4.2.5_26
 - SUSE:SLE-11-SP4:Update/xen              4.4.4_48
 - SUSE:SLE-12-SP2:Update/xen              4.7.6_16
 - SUSE:SLE-12-SP3:Update/xen              4.9.4_22
 - SUSE:SLE-12-SP4:Update/xen              4.11.4_20
 - SUSE:SLE-12-SP5:Update/xen              4.12.4_14
 - SUSE:SLE-15-SP1:Update/xen              4.12.4_12
 - SUSE:SLE-15-SP2:Update/xen              4.13.3_04
 - SUSE:SLE-15-SP3:Update/xen              4.14.2_06
 - SUSE:SLE-15:Update/xen                  4.10.4_26
 - openSUSE:Factory/xen                    4.15.1_01
Comment 7 Marcus Meissner 2021-11-23 14:04:53 UTC
Is public.
Comment 8 Swamp Workflow Management 2021-11-29 14:18:14 UTC
SUSE-SU-2021:3813-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1192554,1192557,1192559
CVE References: CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_18-43.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-12-01 20:21:59 UTC
SUSE-SU-2021:3851-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1192554,1192557,1192559
CVE References: CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_24-3.97.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_24-3.97.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_24-3.97.1
HPE Helion Openstack 8 (src):    xen-4.9.4_24-3.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-12-01 20:41:35 UTC
SUSE-SU-2021:3849-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189373,1189378,1189632,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_24-2.65.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_24-2.65.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_24-2.65.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_24-2.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-12-01 20:58:04 UTC
SUSE-SU-2021:3842-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189373,1189378,1189632,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_30-3.68.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_30-3.68.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_30-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-12-01 21:02:00 UTC
SUSE-SU-2021:3852-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1191510,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_16-3.55.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_16-3.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-12-01 21:08:08 UTC
SUSE-SU-2021:14848-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186013,1186429,1186433,1186434,1187369,1187376,1187378,1189150,1189376,1189378,1189632,1192526,1192554,1192555,1192559
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-28703,CVE-2021-28705,CVE-2021-28706,CVE-2021-28709,CVE-2021-3527,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595,CVE-2021-3682,CVE-2021-3930
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_50-61.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_50-61.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-12-03 14:51:02 UTC
SUSE-SU-2021:3888-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    xen-4.13.4_02-3.40.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.4_02-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.4_02-3.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-12-06 18:37:20 UTC
openSUSE-SU-2021:1543-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.4_02-lp152.2.33.1
Comment 16 Swamp Workflow Management 2021-12-07 20:18:05 UTC
SUSE-SU-2021:3968-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    xen-4.14.3_04-3.15.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.3_04-3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.3_04-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-12-07 20:29:47 UTC
openSUSE-SU-2021:3968-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.3_04-3.15.1
Comment 18 Swamp Workflow Management 2021-12-09 14:22:56 UTC
SUSE-SU-2021:3977-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027519,1189632,1191363,1192554,1192557,1192559
CVE References: CVE-2021-28701,CVE-2021-28702,CVE-2021-28704,CVE-2021-28705,CVE-2021-28706,CVE-2021-28707,CVE-2021-28708,CVE-2021-28709
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_16-3.57.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_16-3.57.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_16-3.57.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_16-3.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.