NVD Vulnerability Detail

CVE-2022-42320

Summary	Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.
Publication Date	Nov. 1, 2022, 10:15 p.m.
Registration Date	Nov. 2, 2022, 10:01 a.m.
Last Update	Nov. 21, 2024, 4:24 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:xen:xen:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2022/11/01/7	Mailing List Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2022/11/01/7	Mailing List Third Party Advisory
3	http://xenbits.xen.org/xsa/advisory-417.html	Patch Vendor Advisory
4	http://xenbits.xen.org/xsa/advisory-417.html	Patch Vendor Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
11	https://security.gentoo.org/glsa/202402-07
12	https://security.gentoo.org/glsa/202402-07
13	https://www.debian.org/security/2022/dsa-5272	Third Party Advisory
14	https://www.debian.org/security/2022/dsa-5272	Third Party Advisory
15	https://xenbits.xenproject.org/xsa/advisory-417.txt	Patch Vendor Advisory
16	https://xenbits.xenproject.org/xsa/advisory-417.txt	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-459	不完全なクリーンアップ	https://cwe.mitre.org/data/definitions/459.html

JVN Vulnerability Information

Xen プロジェクトの Xen 他複数ベンダの製品における不完全なクリーンアップに関する脆弱性

Title	Xen プロジェクトの Xen 他複数ベンダの製品における不完全なクリーンアップに関する脆弱性
Summary	Xen プロジェクトの Xen 他複数ベンダの製品には、不完全なクリーンアップに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Nov. 1, 2022, midnight
Registration Date	Oct. 31, 2023, 5:18 p.m.
Last Update	Oct. 31, 2023, 5:18 p.m.

Affected System

Debian

Debian GNU/Linux 11.0

Fedora Project

Fedora 35

Fedora 36

Fedora 37

Xen プロジェクト

Xen

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-42320	https://www.cve.org/CVERecord?id=CVE-2022-42320
National Vulnerability Database (NVD)
2	CVE-2022-42320	https://nvd.nist.gov/vuln/detail/CVE-2022-42320

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-459	https://cwe.mitre.org/data/definitions/459.html

その他

No	Name	URL
関連文書
1	lists.fedoraproject.org (YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
2	lists.fedoraproject.org (YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
3	lists.fedoraproject.org (ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ)	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
4	www.debian.org (dsa-5272)	https://www.debian.org/security/2022/dsa-5272
5	www.openwall.com (oss-security/2022/11/01/7)	http://www.openwall.com/lists/oss-security/2022/11/01/7
6	xenbits.xen.org (advisory-417)	http://xenbits.xen.org/xsa/advisory-417.html
7	xenbits.xenproject.org (advisory-417.txt)	https://xenbits.xenproject.org/xsa/advisory-417.txt

Change Log

No	Changed Details	Date of change
1	[2023年10月31日] 掲載	Oct. 31, 2023, 5:18 p.m.