Bug 1061080 - (CVE-2017-15589) VUL-0: CVE-2017-15589: xen: hypervisor stack leak in x86 I/O intercept code (XSA-239)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/192678/
CVSSv3:RedHat:CVE-2017-15589:6.8:(AV:...
Reported: 2017-09-29 13:41 UTC by Marcus Meissner
Modified: 2021-01-22 09:00 UTC (History)

Description Marcus Meissner 2017-09-29 13:41:58 UTC
CRD: 2017-10-12 12:00 UTC

                    Xen Security Advisory XSA-239

            hypervisor stack leak in x86 I/O intercept code

              *** EMBARGOED UNTIL 2017-10-12 12:00 UTC ***

ISSUE DESCRIPTION
=================

Intercepted I/O operations may deal with less than a full machine
word's worth of data.  While read paths had been the subject of earlier
XSAs (and hence have been fixed), at least one write path was found
where the data stored into an internal structure could contain bits
from an uninitialized hypervisor stack slot.  A subsequent emulated
read would then be able to retrieve these bits.

IMPACT
======

A malicious unprivileged x86 HVM guest may be able to obtain sensitive
information from the host or other guests.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems are affected.  ARM systems are not affected.

Only HVM guests can leverage this vulnerability.  PV guests cannot
leverage this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa239.patch           xen-unstable, Xen 4.9.x, Xen 4.8.x, Xen 4.7.x, Xen 4.6.x
xsa239-4.5.patch       Xen 4.5.x

$ sha256sum xsa239*
eb7971be89199eb3ff510f4f5650fd5a8ec588b9fcb8f89230216fac4214ef21  xsa239.meta
cbe6edb523389dafb738c9ec2c8b9f7bdc2d0d9a761f354164a5b1f688a26b0a  xsa239.patch
527c29118767d4c4da016939ae561844a822275148a24915ef7f59c1cc3a3255  xsa239-4.5.patch
$
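A minimal user-space model of the bug class the advisory above describes, added here as an illustration; it is not Xen code and not taken from the XSA-239 patch. All names (toy_dev, intercept_write_vuln, intercept_write_fixed, STALE_SLOT) are hypothetical, and the uninitialized stack slot is modelled by an explicit constructed constant so the behaviour is deterministic.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical emulated device with one full-width register (not Xen code). */
struct toy_dev { uint64_t reg; };

/* Constructed value standing in for whatever an earlier call left in the
 * stack slot; real uninitialized reads are undefined, so it is explicit. */
#define STALE_SLOT 0x5ec2e7c0ffee1234ULL

static uint64_t size_mask(unsigned size)
{
    return size >= 8 ? ~0ULL : (1ULL << (size * 8)) - 1;
}

/* The handler ignores the access size and stores the whole word. */
static void toy_dev_write(struct toy_dev *d, uint64_t val) { d->reg = val; }

/* Vulnerable shape: only the low `size` bytes come from the guest. */
static void intercept_write_vuln(struct toy_dev *d, uint64_t guest, unsigned size)
{
    uint64_t data = STALE_SLOT;                 /* models "uint64_t data;" */
    data = (data & ~size_mask(size)) | (guest & size_mask(size));
    toy_dev_write(d, data);
}

/* Hardened shape: prefill the local so no stale bits reach the device. */
static void intercept_write_fixed(struct toy_dev *d, uint64_t guest, unsigned size)
{
    uint64_t data = 0;
    data |= guest & size_mask(size);
    toy_dev_write(d, data);
}

/* Bits a later full-width emulated read returns that the guest never wrote. */
static uint64_t stale_bits_after(void (*wr)(struct toy_dev *, uint64_t, unsigned),
                                 uint64_t guest, unsigned size)
{
    struct toy_dev d = { 0 };
    wr(&d, guest, size);
    return d.reg & ~size_mask(size);
}

int main(void)
{
    printf("vuln:  %#llx\n", (unsigned long long)stale_bits_after(intercept_write_vuln, 0xbeef, 2));
    printf("fixed: %#llx\n", (unsigned long long)stale_bits_after(intercept_write_fixed, 0xbeef, 2));
    return 0;
}
```

The same pattern is worth checking for in any handler that receives a full-width value for a sub-word access: either the caller prefills the temporary or the handler masks to the access size.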
Comment 3 Charles Arnold 2017-10-11 14:56:15 UTC
Submitted for,
SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 4 Swamp Workflow Management 2017-10-12 07:36:36 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-10-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63882
Comment 5 Johannes Segitz 2017-10-12 12:52:04 UTC
public
Comment 6 Swamp Workflow Management 2017-10-17 16:17:02 UTC
SUSE-SU-2017:2751-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_14-3.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_14-3.18.1
Comment 7 Swamp Workflow Management 2017-10-20 19:08:32 UTC
SUSE-SU-2017:2812-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.11.1
Comment 8 Swamp Workflow Management 2017-10-20 19:10:48 UTC
SUSE-SU-2017:2815-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_24-61.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_24-61.12.1
Comment 9 Swamp Workflow Management 2017-10-20 22:12:10 UTC
openSUSE-SU-2017:2821-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1055321,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_14-10.1
Comment 10 Swamp Workflow Management 2017-10-26 16:09:50 UTC
SUSE-SU-2017:2856-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1059777,1061076,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_24-22.54.1
Comment 11 Swamp Workflow Management 2017-10-27 13:10:28 UTC
SUSE-SU-2017:2864-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_06-43.15.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_06-43.15.1
Comment 12 Swamp Workflow Management 2017-10-27 19:10:56 UTC
SUSE-SU-2017:2873-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_18-22.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_18-22.31.1
Comment 13 Swamp Workflow Management 2017-11-01 17:10:32 UTC
openSUSE-SU-2017:2916-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1057358,1059777,1061076,1061077,1061080,1061081,1061082,1061084,1061086,1061087
CVE References: CVE-2017-15588,CVE-2017-15589,CVE-2017-15590,CVE-2017-15591,CVE-2017-15592,CVE-2017-15593,CVE-2017-15594,CVE-2017-15595,CVE-2017-5526
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_06-11.18.1
Comment 14 Marcus Meissner 2018-02-12 20:55:23 UTC
released