Date: Tue, 15 Dec 2020 12:20:20 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 330 v3 (CVE-2020-29485) - oxenstored memory leak in reset_watches -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2020-29485 / XSA-330 version 3 oxenstored memory leak in reset_watches UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. IMPACT ====== A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. VULNERABLE SYSTEMS ================== All version of Xen since 4.6 are vulnerable. Only systems using the Ocaml Xenstored implementation are vulnerable. Systems using the C Xenstored implementaion are not vulnerable. MITIGATION ========== There are no mitigations. Changing to use of C xenstored would avoid this vulnerability. However, given the other vulnerabilities in both versions of xenstored being reported at this time, changing xenstored implementation is not a recommended approach to mitigation of individual issues. CREDITS ======= This issue was discovered by Edwin Török of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa330.patch Xen 4.12 - xen-unstable xsa330-4.11.patch Xen 4.10 - 4.11 $ sha256sum xsa330* efd95a883f227d63366a745b6007aa0c59cc612573235ba72108c8f89ecef7f3 xsa330.meta 1cda4fd8c91ceb132c5770d90375626521025e078c6ac1b53b68d78815997722 xsa330.patch 87284eaf6df92a78476f49a5587e28e1f5b9ca16ace5ad2e10b4b13abf50e034 xsa330-4.11.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/Yqd8MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZXCMH/i2lw6MRNCz3BFqan9PSE0pWGn1LxMpd/kSV0/eH Y/TjXaCNcvK11d4fc1x8a0Wc3A/bu3uACpFFrcRuWgG5QkMKZRyOkQv7FwW1VaVd u2NGJVetpfiDZhcSorAdS7CCJZEEt+3a7iFjH9cZKVEwZcS5Cq82UVog05MWLE80 pJ5Cid7K/urD1Zu/v3AGWESuaVYwdvwn6RcePVAs8b0sM2osYXBuKeMwOe1bXaBO D5qPLEfLfOgLrXi77ssUzfmfRY6Z+LuQAhfug6Lv/n06Y9lyNXewmYalsnobGQSI FTzWs0QVmFBMY/PEuZv3cRrihTs2ygu9HW7OLO2Bt+VKfcg= =MqjK -----END PGP SIGNATURE----- Download attachment "xsa330.meta" of type "application/octet-stream" (2224 bytes) Download attachment "xsa330.patch" of type "application/octet-stream" (2646 bytes) Download attachment "xsa330-4.11.patch" of type "application/octet-stream" (2642 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.