Security update for xen

Announcement ID:	SUSE-SU-2017:2450-1
Rating:	important
References:	bsc#1027519 bsc#1032598 bsc#1037413 bsc#1046637 bsc#1047675 bsc#1048920 bsc#1049578 bsc#1051787 bsc#1051788 bsc#1052686 bsc#1056278 bsc#1056281 bsc#1056282
Cross-References:	CVE-2017-10664 CVE-2017-10806 CVE-2017-11334 CVE-2017-11434 CVE-2017-12135 CVE-2017-12137 CVE-2017-12855 CVE-2017-14316 CVE-2017-14317 CVE-2017-14319
CVSS scores:	CVE-2017-10664 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2017-10664 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-10664 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-10806 ( SUSE ): 5.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2017-10806 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-10806 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-11334 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11334 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-11334 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-11434 ( SUSE ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVE-2017-11434 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-11434 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-12135 ( SUSE ): 7.3 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H CVE-2017-12135 ( NVD ): 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2017-12137 ( SUSE ): 8.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2017-12137 ( NVD ): 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2017-12855 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-14316 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-14316 ( NVD ): 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2017-14317 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2017-14317 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-14319 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-14319 ( NVD ): 8.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products:	SLES for SAP Applications 11-SP4 SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4

An update that solves 10 vulnerabilities and has three security fixes can now be installed.

Description:

This update for xen fixes several issues.

These security issues were fixed:

• CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787).
• CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788).
• CVE-2017-11334: The address_space_write_continue function in exec.c allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048920).
• CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578).
• CVE-2017-10806: Stack-based buffer overflow in hw/usb/redirect.c allowed local guest OS users to cause a denial of service via vectors related to logging debug messages (bsc#1047675).
• CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637).
• CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230, bsc#1052686).
• CVE-2017-14316: Missing bound check in function alloc_heap_pages for an internal array allowed attackers using crafted hypercalls to execute arbitrary code within Xen (XSA-231, bsc#1056278)
• CVE-2017-14317: A race in cxenstored may have cause a double-free allowind for DoS of the xenstored daemon (XSA-233, bsc#1056281).
• CVE-2017-14319: An error while handling grant mappings allowed malicious or buggy x86 PV guest to escalate its privileges or crash the hypervisor (XSA-234, bsc#1056282).

This non-security issue was fixed:

• bsc#1032598: Prevent removal of NVME devices
• bsc#1037413: Support for newer intel cpu's, mwait-idle driver and skylake

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 11 SP4
  zypper in -t patch sdksp4-xen-13281=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-xen-13281=1
• SLES for SAP Applications 11-SP4
  zypper in -t patch slessp4-xen-13281=1

Package List:

• SUSE Linux Enterprise Software Development Kit 11 SP4 (x86_64 i586)
  • xen-devel-4.4.4_22-61.9.2
• SUSE Linux Enterprise Server 11 SP4 (x86_64 i586)
  • xen-kmp-default-4.4.4_22_3.0.101_108.7-61.9.2
  • xen-libs-4.4.4_22-61.9.2
  • xen-tools-domU-4.4.4_22-61.9.2
• SUSE Linux Enterprise Server 11 SP4 (i586)
  • xen-kmp-pae-4.4.4_22_3.0.101_108.7-61.9.2
• SUSE Linux Enterprise Server 11 SP4 (x86_64)
  • xen-libs-32bit-4.4.4_22-61.9.2
  • xen-tools-4.4.4_22-61.9.2
  • xen-doc-html-4.4.4_22-61.9.2
  • xen-4.4.4_22-61.9.2
• SLES for SAP Applications 11-SP4 (x86_64)
  • xen-4.4.4_22-61.9.2
  • xen-libs-32bit-4.4.4_22-61.9.2
  • xen-kmp-default-4.4.4_22_3.0.101_108.7-61.9.2
  • xen-tools-domU-4.4.4_22-61.9.2
  • xen-tools-4.4.4_22-61.9.2
  • xen-doc-html-4.4.4_22-61.9.2
  • xen-libs-4.4.4_22-61.9.2

References:

• https://www.suse.com/security/cve/CVE-2017-10664.html
• https://www.suse.com/security/cve/CVE-2017-10806.html
• https://www.suse.com/security/cve/CVE-2017-11334.html
• https://www.suse.com/security/cve/CVE-2017-11434.html
• https://www.suse.com/security/cve/CVE-2017-12135.html
• https://www.suse.com/security/cve/CVE-2017-12137.html
• https://www.suse.com/security/cve/CVE-2017-12855.html
• https://www.suse.com/security/cve/CVE-2017-14316.html
• https://www.suse.com/security/cve/CVE-2017-14317.html
• https://www.suse.com/security/cve/CVE-2017-14319.html
• https://bugzilla.suse.com/show_bug.cgi?id=1027519
• https://bugzilla.suse.com/show_bug.cgi?id=1032598
• https://bugzilla.suse.com/show_bug.cgi?id=1037413
• https://bugzilla.suse.com/show_bug.cgi?id=1046637
• https://bugzilla.suse.com/show_bug.cgi?id=1047675
• https://bugzilla.suse.com/show_bug.cgi?id=1048920
• https://bugzilla.suse.com/show_bug.cgi?id=1049578
• https://bugzilla.suse.com/show_bug.cgi?id=1051787
• https://bugzilla.suse.com/show_bug.cgi?id=1051788
• https://bugzilla.suse.com/show_bug.cgi?id=1052686
• https://bugzilla.suse.com/show_bug.cgi?id=1056278
• https://bugzilla.suse.com/show_bug.cgi?id=1056281
• https://bugzilla.suse.com/show_bug.cgi?id=1056282