製品・ソフトウェアに関する情報

JVN脆弱性詳細

Xen における認可・権限・アクセス制御に関する脆弱性

Title	Xen における認可・権限・アクセス制御に関する脆弱性
Summary	Xen には、認可・権限・アクセス制御に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 27, 2018, midnight
Registration Date	Sept. 21, 2018, 5:40 p.m.
Last Update	Sept. 21, 2018, 5:40 p.m.

Affected System

Debian

Debian GNU/Linux

Xen プロジェクト

Xen 4.10.x まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-12893	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12893
National Vulnerability Database (NVD)
2	CVE-2018-12893	https://nvd.nist.gov/vuln/detail/CVE-2018-12893

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Citrix Knowledge Center
1	CTX235748	https://support.citrix.com/article/CTX235748
Debian Security Advisory
2	DSA-4236	https://www.debian.org/security/2018/dsa-4236
Xen Security Advisory
3	XSA-265	http://xenbits.xen.org/xsa/advisory-265.html

Change Log

No	Changed Details	Date of change
1	[2018年09月21日] 掲載	Sept. 21, 2018, 5:40 p.m.

NVD Vulnerability Information

CVE-2018-12893

Summary	An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.
Publication Date	July 3, 2018, 2:29 a.m.
Registration Date	March 1, 2021, 6:51 p.m.
Last Update	Nov. 21, 2024, 12:46 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:xen:xen:::::::*:x86			4.10.0

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2018/06/27/11	Mailing List Mitigation Patch Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2018/06/27/11	Mailing List Mitigation Patch Third Party Advisory
3	http://www.securityfocus.com/bid/104572	Third Party Advisory VDB Entry
4	http://www.securityfocus.com/bid/104572	Third Party Advisory VDB Entry
5	http://www.securitytracker.com/id/1041202	Third Party Advisory VDB Entry
6	http://www.securitytracker.com/id/1041202	Third Party Advisory VDB Entry
7	http://xenbits.xen.org/xsa/advisory-265.html	Mitigation Patch Vendor Advisory
8	http://xenbits.xen.org/xsa/advisory-265.html	Mitigation Patch Vendor Advisory
9	https://bugzilla.redhat.com/show_bug.cgi?id=1590979	Issue Tracking Mitigation Third Party Advisory
10	https://bugzilla.redhat.com/show_bug.cgi?id=1590979	Issue Tracking Mitigation Third Party Advisory
11	https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html
12	https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html
13	https://security.gentoo.org/glsa/201810-06
14	https://security.gentoo.org/glsa/201810-06
15	https://support.citrix.com/article/CTX235748	Vendor Advisory
16	https://support.citrix.com/article/CTX235748	Vendor Advisory
17	https://www.debian.org/security/2018/dsa-4236	Third Party Advisory
18	https://www.debian.org/security/2018/dsa-4236	Third Party Advisory

Common Vulnerabilities List