1189376 – (CVE-2021-28697) VUL-0: CVE-2021-28697: xen: grant table v2 status pages may remain accessible after de-allocation. (XSA-379)

Bug 1189376 (CVE-2021-28697) - VUL-0: CVE-2021-28697: xen: grant table v2 status pages may remain accessible after de-allocation. (XSA-379)

Summary: VUL-0: CVE-2021-28697: xen: grant table v2 status pages may remain accessible...

Status:	RESOLVED FIXED

Alias:	CVE-2021-28697

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/306945/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-28697:7.4:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-08-12 08:39 UTC by Gianluca Gabrielli
Modified:	2024-05-03 11:36 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Patches updated to fix a typo in a comment. (1.91 KB, patch) 2021-08-25 12:12 UTC, Gianluca Gabrielli	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-08-12 08:39:20 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2021-28697 / XSA-379

 grant table v2 status pages may remain accessible after de-allocation

              *** EMBARGOED UNTIL 2021-08-25 12:00 UTC ***

ISSUE DESCRIPTION
=================

Guest get permitted access to certain Xen-owned pages of memory.  The
majority of such pages remain allocated / associated with a guest for
its entire lifetime.  Grant table v2 status pages, however, get
de-allocated when a guest switched (back) from v2 to v1.  The freeing
of such pages requires that the hypervisor know where in the guest
these pages were mapped.  The hypervisor tracks only one use within
guest space, but racing requests from the guest to insert mappings of
these pages may result in any of them to become mapped in multiple
locations.  Upon switching back from v2 to v1, the guest would then
retain access to a page that was freed and perhaps re-used for other
purposes.

IMPACT
======

A malicious guest may be able to elevate its privileges to that of the
host, cause host or guest Denial of Service (DoS), or cause information
leaks.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 onwards are affected.  Xen versions 3.4 and
older are not affected.

Only x86 HVM and PVH guests permitted to use grant table version 2
interfaces can leverage this vulnerability.  x86 PV guests cannot
leverage this vulnerability.  On Arm, grant table v2 use is explicitly
unsupported.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Suppressing use of grant table v2 interfaces for HVM or PVH guests will
also avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa379.patch           xen-unstable
xsa379-4.15.patch      Xen 4.15.x
xsa379-4.14.patch      Xen 4.14.x - 4.13.x
xsa379-4.12.patch      Xen 4.12.x - 4.11.x

$ sha256sum xsa379*
bdda4cb431301551336388ff7300a6ae95bb75af8fcae09cfb12c22a91d399d9  xsa379.meta
d7ffac2f05758bda097a09b33d5617181f77ec1b3d9bc9ecd1dabb2a00628637  xsa379.patch
6b997ed97a708acd7ab3ef39ac60282ffab3b0479133966cb08456f2b4cefb59  xsa379-4.12.patch
78551c3734bd63086ec9e47aef8f577ff52b231dbd4e648dd8c25963e90cde84  xsa379-4.14.patch
49bf80483e1c79a22da76dd7e84ec1071e548033bd11c93150d94bc6445f09d0  xsa379-4.15.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or PV-guest-only mitigations described
above (or others which are substantially similar) is permitted during
the embargo, even on public-facing systems with untrusted guest users
and administrators.

HOWEVER, deployment of the grant table v2 disabling mitigation described
above is NOT permitted during the embargo on public-facing systems with
untrusted guest users and administrators.  This is because such a
configuration change is recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmET77UMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZEVYH/RWhtSCkzcIXXCNxlFofQLUN2N2zv0xIFBJTZQ7f
aqtiZ7UY4/9EeOmlV1I0WrEiTbfk2c3UFR+27OyZcjsNlavAGShKsGdHCJ9FNUsa
U0NtVvhY2cNV4OhlJZkHfOk+SqmNSRuCKfoOUQ6SmjnlhBzTe14Rs0qjZxO87SIY
f1einmUEMG6LBTxCu2SGYqD9ZnvkQublXH4KRQSU2ovnEIpuQb2AwwUIkzKhEFU0
6COMNDgjMxLKdwq0CF3GJRqbPPN7lgkuTBb28JeL4/6ydzYCVjwz4JC6m1qI9UNr
qEoGv6ewN5tlzi/4btKgThEe1+2wle4OdAn9REtTRaEMr0Q=
=53j/
-----END PGP SIGNATURE-----

Comment 3 Gianluca Gabrielli 2021-08-12 08:40:47 UTC

Created attachment 851709 [details]
Upstream patches

Comment 4 Gianluca Gabrielli 2021-08-20 13:12:25 UTC

Xen packages from all the codestreams seem to be affected.

Comment 7 Gianluca Gabrielli 2021-08-25 12:08:16 UTC

This is now public

Comment 8 Gianluca Gabrielli 2021-08-25 12:12:40 UTC

Created attachment 852028 [details]
Patches updated to fix a typo in a comment.

Comment 11 Swamp Workflow Management 2021-09-02 13:25:54 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2923-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1176189,1179246,1183243,1183877,1185682,1186428,1186429,1186433,1186434,1187406,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.2_04-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.2_04-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2021-09-02 13:39:40 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2922-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1137251,1176189,1179148,1179246,1180491,1181989,1183877,1185682,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    xen-4.13.3_02-3.34.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.3_02-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.3_02-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2021-09-02 13:43:31 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2924-1: An update that solves 15 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1179246,1180491,1180846,1182654,1183243,1185682,1186428,1186429,1186433,1186434,1187369,1187376,1187378,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_12-3.49.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_12-3.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2021-09-02 13:47:59 UTC

# maintenance_jira_update_notice
openSUSE-SU-2021:2923-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1176189,1179246,1183243,1183877,1185682,1186428,1186429,1186433,1186434,1187406,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.2_04-3.9.1

Comment 15 Swamp Workflow Management 2021-09-02 16:26:42 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2925-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1179148,1179246,1180491,1180846,1181989,1183243,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Manager Retail Branch Server 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Manager Proxy 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_12-3.52.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_12-3.52.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_12-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2021-09-03 13:40:14 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2943-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1186429,1186433,1186434,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_26-3.61.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_26-3.61.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_26-3.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2021-09-03 16:30:13 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2955-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1181254,1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-3308,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_20-2.60.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_20-2.60.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_20-2.60.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_20-2.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2021-09-06 13:17:45 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2957-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_20-3.91.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_20-3.91.1
HPE Helion Openstack 8 (src):    xen-4.9.4_20-3.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2021-09-07 13:34:25 UTC

# maintenance_jira_update_notice
openSUSE-SU-2021:1236-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1137251,1176189,1179148,1179246,1180491,1181989,1183877,1185682,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.3_02-lp152.2.27.1

Comment 21 Swamp Workflow Management 2021-10-07 22:17:37 UTC

SUSE-SU-2021:3322-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189632,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_16-43.79.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Swamp Workflow Management 2021-12-01 21:07:23 UTC

SUSE-SU-2021:14848-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186013,1186429,1186433,1186434,1187369,1187376,1187378,1189150,1189376,1189378,1189632,1192526,1192554,1192555,1192559
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-28703,CVE-2021-28705,CVE-2021-28706,CVE-2021-28709,CVE-2021-3527,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595,CVE-2021-3682,CVE-2021-3930
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_50-61.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_50-61.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 28 Charles Arnold 2022-08-17 17:20:35 UTC

Submissions complete.

Comment 29 Charles Arnold 2022-11-02 15:14:29 UTC

(In reply to Charles Arnold from comment #28)
> Submissions complete.

Clearing needinfo.

Comment 31 Carlos López 2024-05-03 11:36:25 UTC

Done, closing.