Bug 1201394 – VUL-0: CVE-2022-33745: xen: insufficient TLB flush for x86 PV guests in shadow mode (XSA-408)

Bug 1201394 - (CVE-2022-33745) VUL-0: CVE-2022-33745: xen: insufficient TLB flush for x86 PV guests in shadow mode (XSA-408)

(CVE-2022-33745)
Summary:	VUL-0: CVE-2022-33745: xen: insufficient TLB flush for x86 PV guests in shado...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/336775/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-33745:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-07-12 06:52 UTC by Carlos López
Modified:	2022-10-19 22:22 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-07-12 06:52:31 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-33745 / XSA-408

        insufficient TLB flush for x86 PV guests in shadow mode

              *** EMBARGOED UNTIL 2022-07-26 12:00 UTC ***

ISSUE DESCRIPTION
=================

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode.  To address
XSA-401, code was moved inside a function in Xen.  This code movement
missed a variable changing meaning / value between old and new code
positions.  The now wrong use of the variable did lead to a wrong TLB
flush condition, omitting flushes where such are necessary.

IMPACT
======

The known (observed) impact would be a Denial of Service (DoS) affecting
the entire host, due to running out of memory.  Privilege escalation and
information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All versions of Xen with the XSA-401 fixes applied are vulnerable.

Only x86 PV guests can trigger this vulnerability, and only when running
in shadow mode.  Shadow mode would be in use when migrating guests or as
a workaround for XSA-273 (L1TF).

MITIGATION
==========

Not running x86 PV guests will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa408.patch           xen-unstable - Xen 4.14.x
xsa408-4.13.patch      Xen 4.13.x

$ sha256sum xsa408*
55f81ac154da27df1b3f5d50b6416e7bdcce433d995a29de5d3f8544706a9d32  xsa408.patch
9c8c25e47760d01e1984f243f7605ef101f81eccf67ba4368962641a603f196d  xsa408-4.13.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLMZVQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZp44H/24JnMH5ecpD/2knT7NUv9hRpCWMESOv9V8mB3EG
MPER0GHq3eYRO4jeuxH8QS5G5frQBNlxD4P74gDqoc5JwcJFQGETMvsE5Tsy8i1e
299CdqhSMCux+O3uJHhXs12zW7wgRs+Ndmf1RYB8R+eur4XG+aag7mP6Ea0xtUu4
R+emKKC8dd51WqdzCZ2S0RggyvUpxMfA02WtPfH1JJjLyW8oOYUf42RwbV05Ftoa
3Bh+e/IjNgMhHuLYFnr8aVGIb2wuOlUvkN7VxSRL+zN2dXdx3Vdyus1oN/ttjxOt
YDPWP0B63L0DT/Z6qFYhDzURHIuP2FU7oaCU74fdZqB//no=
=IBgy
-----END PGP SIGNATURE-----

Comment 5 Carlos López 2022-07-12 08:02:29 UTC

The following have received so far the patch for XSA-401 (bnc#1199965) that moved the logic down:
 - SUSE:SLE-12-SP5:Update
 - SUSE:SLE-15-SP1:Update
 - SUSE:SLE-15-SP2:Update
 - SUSE:SLE-15-SP3:Update
 - SUSE:SLE-15-SP4:Update

Not sure if there are plans to submit to the rest of codestreams for that bug by the way, but they are tracked as affected at the moment.

Comment 7 Carlos López 2022-07-26 12:49:49 UTC

Public:
https://xenbits.xen.org/xsa/advisory-408.html

Comment 8 Swamp Workflow Management 2022-07-27 13:19:03 UTC

SUSE-SU-2022:2557-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_26-3.74.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_26-3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-07-27 16:21:59 UTC

SUSE-SU-2022:2560-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_30-2.76.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_30-2.76.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_30-2.76.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_30-2.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2022-07-27 19:19:56 UTC

SUSE-SU-2022:2569-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_24-43.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2022-07-28 13:17:57 UTC

SUSE-SU-2022:2574-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_30-3.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2022-07-29 16:16:47 UTC

SUSE-SU-2022:2591-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xen-4.13.4_12-150200.3.58.1
SUSE Manager Retail Branch Server 4.1 (src):    xen-4.13.4_12-150200.3.58.1
SUSE Manager Proxy 4.1 (src):    xen-4.13.4_12-150200.3.58.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xen-4.13.4_12-150200.3.58.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xen-4.13.4_12-150200.3.58.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xen-4.13.4_12-150200.3.58.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xen-4.13.4_12-150200.3.58.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xen-4.13.4_12-150200.3.58.1
SUSE Enterprise Storage 7 (src):    xen-4.13.4_12-150200.3.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2022-07-29 19:17:40 UTC

SUSE-SU-2022:2597-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xen-4.16.1_06-150400.4.8.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    xen-4.16.1_06-150400.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    xen-4.16.1_06-150400.4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2022-07-29 19:19:52 UTC

SUSE-SU-2022:2601-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_36-150000.3.77.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_36-150000.3.77.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_36-150000.3.77.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2022-07-29 19:21:14 UTC

SUSE-SU-2022:2599-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.5_04-150300.3.32.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.5_04-150300.3.32.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.5_04-150300.3.32.1
SUSE Linux Enterprise Micro 5.2 (src):    xen-4.14.5_04-150300.3.32.1
SUSE Linux Enterprise Micro 5.1 (src):    xen-4.14.5_04-150300.3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2022-07-29 19:23:09 UTC

SUSE-SU-2022:2600-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_26-150100.3.75.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_26-150100.3.75.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_26-150100.3.75.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_26-150100.3.75.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_26-150100.3.75.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_26-150100.3.75.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_26-150100.3.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Charles Arnold 2022-08-17 17:18:48 UTC

Submissions complete.

Comment 19 Swamp Workflow Management 2022-09-01 15:39:22 UTC

SUSE-SU-2022:2599-2: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1199965,1199966,1200549,1201394,1201469
CVE References: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166,CVE-2022-23816,CVE-2022-23825,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364,CVE-2022-29900,CVE-2022-33745
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    xen-4.14.5_04-150300.3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2022-10-19 22:22:26 UTC

SUSE-SU-2022:3665-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1167608,1185104,1197081,1200762,1201394,1201631,1203806,1203807
CVE References: CVE-2021-28689,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33745,CVE-2022-33746,CVE-2022-33748
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    xen-4.14.5_06-150300.3.35.1
openSUSE Leap 15.3 (src):    xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Micro 5.2 (src):    xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Micro 5.1 (src):    xen-4.14.5_06-150300.3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.