Bugzilla – Bug 1215145
VUL-0: CVE-2023-34322: xen: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438)
Last modified: 2024-05-30 14:38:01 UTC
Public now: https://xenbits.xen.org/xsa/advisory-438.html

Xen Security Advisory CVE-2023-34322 / XSA-438
version 2

top-level shadow reference dropped too early for 64-bit PV guests

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode. Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables. For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down. This
tearing down may include the shadow root page table that the CPU in
question is presently running on. While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable. Earlier
versions have not been inspected.

Only x86 systems are vulnerable. Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode. Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa438.patch           xen-unstable
xsa438-4.17.patch      Xen 4.17.x
xsa438-4.16.patch      Xen 4.16.x
xsa438-4.15.patch      Xen 4.15.x

$ sha256sum xsa438*
f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1  xsa438.patch
a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297  xsa438-4.15.patch
eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24  xsa438-4.16.patch
f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a  xsa438-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
SUSE-SU-2023:3832-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-34322
Sources used:
  openSUSE Leap 15.4 (src): xen-4.16.5_04-150400.4.34.1
  SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_04-150400.4.34.1
  SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_04-150400.4.34.1
  SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_04-150400.4.34.1
  SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_04-150400.4.34.1
  Basesystem Module 15-SP4 (src): xen-4.16.5_04-150400.4.34.1
  Server Applications Module 15-SP4 (src): xen-4.16.5_04-150400.4.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3831-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-34322
Sources used:
  openSUSE Leap 15.5 (src): xen-4.17.2_04-150500.3.9.1
  Basesystem Module 15-SP5 (src): xen-4.17.2_04-150500.3.9.1
  Server Applications Module 15-SP5 (src): xen-4.17.2_04-150500.3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3895-1: An update that solves four vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_04-150200.3.77.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_04-150200.3.77.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3894-1: An update that solves four vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
  SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_38-3.94.1
  SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_38-3.94.1
  SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_38-3.94.1
  SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_38-3.94.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3903-1: An update that solves three vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213616, 1215145, 1215474
CVE References: CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
  SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Manager Proxy 4.2 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Manager Server 4.2 (src): xen-4.14.6_04-150300.3.54.1
  SUSE Enterprise Storage 7.1 (src): xen-4.14.6_04-150300.3.54.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3902-1: An update that solves four vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213616, 1214083, 1215145, 1215474
CVE References: CVE-2022-40982, CVE-2023-20588, CVE-2023-20593, CVE-2023-34322
Sources used:
  SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
  SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_38-150100.3.92.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_38-150100.3.92.1
  SUSE CaaS Platform 4.0 (src): xen-4.12.4_38-150100.3.92.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submission done.
SUSE-SU-2023:4476-1: An update that solves eight vulnerabilities can now be installed.
Category: security (important)
Bug References: 1027519, 1215145, 1215474, 1215746, 1215747, 1215748, 1216654, 1216807
CVE References: CVE-2023-20588, CVE-2023-34322, CVE-2023-34325, CVE-2023-34326, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836
Sources used:
  openSUSE Leap 15.4 (src): xen-4.16.5_08-150400.4.40.1
  SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_08-150400.4.40.1
  SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_08-150400.4.40.1
  SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_08-150400.4.40.1
  SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_08-150400.4.40.1
  Basesystem Module 15-SP4 (src): xen-4.16.5_08-150400.4.40.1
  Server Applications Module 15-SP4 (src): xen-4.16.5_08-150400.4.40.1
  openSUSE Leap Micro 5.3 (src): xen-4.16.5_08-150400.4.40.1
  openSUSE Leap Micro 5.4 (src): xen-4.16.5_08-150400.4.40.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4475-1: An update that solves eight vulnerabilities can now be installed.
Category: security (important)
Bug References: 1027519, 1215145, 1215474, 1215746, 1215747, 1215748, 1216654, 1216807
CVE References: CVE-2023-20588, CVE-2023-34322, CVE-2023-34325, CVE-2023-34326, CVE-2023-34327, CVE-2023-34328, CVE-2023-46835, CVE-2023-46836
Sources used:
  openSUSE Leap 15.5 (src): xen-4.17.2_08-150500.3.15.1
  SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.2_08-150500.3.15.1
  Basesystem Module 15-SP5 (src): xen-4.17.2_08-150500.3.15.1
  Server Applications Module 15-SP5 (src): xen-4.17.2_08-150500.3.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
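
Added example, not part of the bug thread or of any SUSE tooling: a Python check of whether an installed xen build is at or above the first build this thread lists as fixing CVE-2023-34322. The codestream labels and the simplified rpmvercmp-style comparison (no epoch, `~` or `^` handling) are assumptions of this example.

```python
import re

# First xen builds the update notices in this thread list for CVE-2023-34322.
# The dictionary keys are labels chosen for this example, not SUSE identifiers.
FIRST_FIXED = {
    "SLE-12-SP5": "4.12.4_38-3.94.1",
    "SLE-15-SP1": "4.12.4_38-150100.3.92.1",
    "SLE-15-SP2": "4.13.5_04-150200.3.77.1",
    "SLE-15-SP3": "4.14.6_04-150300.3.54.1",
    "SLE-15-SP4": "4.16.5_04-150400.4.34.1",
    "SLE-15-SP5": "4.17.2_04-150500.3.9.1",
}

_SEG = re.compile(r"\d+|[A-Za-z]+")


def seg_cmp(a, b):
    """Compare one version or release string segment by segment.

    Follows the rpmvercmp rules for plain strings: separators are ignored,
    numeric segments compare as integers, alphabetic ones as strings, and a
    numeric segment is newer than an alphabetic one.
    """
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(xs, ys):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(xs) > len(ys)) - (len(xs) < len(ys))


def evr_cmp(a, b):
    """Compare two 'version-release' strings; returns -1, 0 or 1."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return seg_cmp(va, vb) or seg_cmp(ra, rb)


def has_fix(codestream, installed):
    """True if the installed build is at or above the first fixed build."""
    return evr_cmp(installed, FIRST_FIXED[codestream]) >= 0
```

The `installed` argument is the string printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' xen` on the host being checked.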