7.8

CVE-2021-28709

EPSS 0.09%
Veröffentlicht 24.11.2021 02:15:06
Zuletzt bearbeitet 21.11.2024 06:00:11
Quelle security@xen.org
Teams Watchlist Login
Unerledigt Login

issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xen ≫ Xen HwPlatformx86 Version >= 3.4.0 <= 4.12.4

Xen ≫ Xen HwPlatformx86 Version >= 4.13.0 <= 4.13.4

Xen ≫ Xen HwPlatformx86 Version >= 4.14.0 <= 4.14.3

Xen ≫ Xen Version4.15.0 HwPlatformx86

Xen ≫ Xen Version4.15.1 HwPlatformx86

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.257

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.9	3.4	10	AV:L/AC:M/Au:N/C:C/I:C/A:C

CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

https://www.debian.org/security/2021/dsa-5017

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF/

https://security.gentoo.org/glsa/202402-07

https://xenbits.xenproject.org/xsa/advisory-389.txt

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-28709

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28709

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28709

EUVD