CVE-2015-8104
First published: Thu Nov 05 2015(Updated: )
It was found that a malicious HVM guest administrator can cause DoS, specifically prevent use of physical CPU for significant, perhaps indefinite period. When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which (in the virtualized case) can be broken only by intercepting delivery of the respective exception. When a guest sets up a hardware breakpoint covering a data structure involved in delivering #DB (Debug Exception), upon completion of the delivery of the first exception another #DB will need to be delivered. The effects slightly differ depending on further guest characteristics: * Guests running in 32-bit mode would be expected to sooner or later encounter another fault due to the stack pointer decreasing during each iteration of the loop. The most likely case would be #PF (Page Fault) due to running into unmapped virtual space. However, an infinite loop cannot be excluded (e.g. when the guest is running with paging disabled). * Guests running in long mode, but not using the IST (Interrupt Stack Table) feature for the IDT entry corresponding to #DB would behave similarly to guests running in 32-bit mode, just that the larger virtual address space allows for a much longer loop. The loop can't, however, be infinite, as eventually the stack pointer would move into non-canonical address space, causing #SS (Stack Fault) instead. * Guests running in long mode and using the IST for the IDT entry corresponding to #DB would enter an infinite loop, as the stack pointer wouldn't change between #DB instances. If a host watchdog (Xen or dom0) is in use, this can lead to a watchdog timeout and consequently a reboot of the host. If another, innocent, guest, is configured with a watchdog, this issue can lead to a reboot of such a guest. A privileged user inside guest could use this flaw to crash the host kernel resulting in DoS. For KVM virtualisation, it only affects the AMD processor support, as for Intel it already intercepts the #DB exception. Upstream KVM patch: ------------------- -> <a href="http://permalink.gmane.org/gmane.linux.kernel/2082332">http://permalink.gmane.org/gmane.linux.kernel/2082332</a> References: ----------- -> <a href="http://www.openwall.com/lists/oss-security/2015/11/10/1">http://www.openwall.com/lists/oss-security/2015/11/10/1</a>
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xen XAPI | =4.3.0 | |
| Xen XAPI | =4.3.1 | |
| Xen XAPI | =4.3.2 | |
| Xen XAPI | =4.3.3 | |
| Xen XAPI | =4.3.4 | |
| Xen XAPI | =4.4.0 | |
| Xen XAPI | =4.4.1 | |
| Xen XAPI | =4.4.2 | |
| Xen XAPI | =4.4.3 | |
| Xen XAPI | =4.5.0 | |
| Xen XAPI | =4.5.1 | |
| Xen XAPI | =4.5.2 | |
| Xen XAPI | =4.6.0 | |
| Xen XAPI | =4.6.1 | |
| Xen XAPI | =4.6.2 | |
| Xen XAPI | =4.6.4 | |
| Xen XAPI | =4.6.5 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 | |
| Oracle VirtualBox | >=4.0.0<=4.0.34 | |
| Oracle VirtualBox | >=4.1.0<=4.1.42 | |
| Oracle VirtualBox | >=4.2.0<=4.2.34 | |
| Oracle VirtualBox | >=4.3.0<=4.3.35 | |
| Oracle VirtualBox | >=5.0.0<=5.0.13 | |
| Linux Kernel | <=4.2.3 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.21-1 6.12.22-1 | |
| debian/virtualbox | 7.0.20-dfsg-1.2 | |
| debian/xen | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.5+23-ga4e5191dc0-1+deb12u1 4.17.5+23-ga4e5191dc0-1 4.20.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbdb967af3d54993f5814f1cee0ed311a055377d
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172187.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172300.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172435.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00035.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00038.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00039.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00053.html
- http://rhn.redhat.com/errata/RHSA-2015-2636.html
- http://rhn.redhat.com/errata/RHSA-2015-2645.html
- http://rhn.redhat.com/errata/RHSA-2016-0046.html
- http://support.citrix.com/article/CTX202583
- http://support.citrix.com/article/CTX203879
- http://www.debian.org/security/2015/dsa-3414
- http://www.debian.org/security/2015/dsa-3426
- http://www.debian.org/security/2016/dsa-3454
- http://www.openwall.com/lists/oss-security/2015/11/10/5
- http://www.openwall.com/lists/oss-security/2023/10/10/4
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/77524
- http://www.securityfocus.com/bid/91787
- http://www.securitytracker.com/id/1034105
- http://www.ubuntu.com/usn/USN-2840-1
- http://www.ubuntu.com/usn/USN-2841-1
- http://www.ubuntu.com/usn/USN-2841-2
- http://www.ubuntu.com/usn/USN-2842-1
- http://www.ubuntu.com/usn/USN-2842-2
- http://www.ubuntu.com/usn/USN-2843-1
- http://www.ubuntu.com/usn/USN-2843-2
- http://www.ubuntu.com/usn/USN-2844-1
- http://xenbits.xen.org/xsa/advisory-156.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1278496
- https://github.com/torvalds/linux/commit/cbdb967af3d54993f5814f1cee0ed311a055377d
- https://kb.juniper.net/JSA10783
- https://launchpad.net/bugs/cve/CVE-2015-8104
- http://permalink.gmane.org/gmane.linux.kernel/2082332
- http://www.openwall.com/lists/oss-security/2015/11/10/1
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090189&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090189&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090190&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090190&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090191&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090191&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090193&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1090193&action=edit
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1279691
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1279690
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c11
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c12
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c13
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1278496#c14
- https://rhn.redhat.com/errata/RHSA-2015-2552.html
- https://rhn.redhat.com/errata/RHSA-2015-2636.html
- https://rhn.redhat.com/errata/RHSA-2015-2645.html
- https://rhn.redhat.com/errata/RHSA-2016-0004.html
- https://rhn.redhat.com/errata/RHSA-2016-0024.html
- https://rhn.redhat.com/errata/RHSA-2016-0046.html
- https://rhn.redhat.com/errata/RHSA-2016-0103.html
- https://lkml.org/lkml/2015/11/10/218
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cbdb967af3d54993f5814f1cee0ed311a055377d
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixOVIR
- https://security-tracker.debian.org/tracker/CVE-2015-8104
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
- https://nvd.nist.gov/vuln/detail/CVE-2015-8104
- https://ubuntu.com/security/CVE-2015-8104
Frequently Asked Questions
What is the severity of CVE-2015-8104?
CVE-2015-8104 has a high severity level due to its potential to cause Denial of Service (DoS) by exploiting the Xen hypervisor.
How do I fix CVE-2015-8104?
To remediate CVE-2015-8104, upgrade to patched versions of the affected Xen hypervisor or related distributions as specified in security advisories.
Which software versions are affected by CVE-2015-8104?
CVE-2015-8104 affects Xen versions from 4.3.0 to 4.6.5 and certain versions of Oracle VM VirtualBox and Debian Linux.
What is the impact of CVE-2015-8104 on system performance?
Exploitation of CVE-2015-8104 can lead to significant performance degradation by preventing the use of physical CPU resources.
Who can exploit CVE-2015-8104?
This vulnerability can be exploited by a malicious HVM guest administrator within the Xen hypervisor environment.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-8104
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/trending
- agent/source
- agent/description
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- vendor/xen
- canonical/xen xapi
- version/xen xapi/4.3.0
- version/xen xapi/4.3.1
- version/xen xapi/4.3.2
- version/xen xapi/4.3.3
- version/xen xapi/4.3.4
- version/xen xapi/4.4.0
- version/xen xapi/4.4.1
- version/xen xapi/4.4.2
- version/xen xapi/4.4.3
- version/xen xapi/4.5.0
- version/xen xapi/4.5.1
- version/xen xapi/4.5.2
- version/xen xapi/4.6.0
- version/xen xapi/4.6.1
- version/xen xapi/4.6.2
- version/xen xapi/4.6.4
- version/xen xapi/4.6.5
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3
- canonical/oracle virtualbox
- version/oracle virtualbox/4.0.0
- version/oracle virtualbox/4.0.34
- version/oracle virtualbox/4.1.0
- version/oracle virtualbox/4.1.42
- version/oracle virtualbox/4.2.0
- version/oracle virtualbox/4.2.34
- version/oracle virtualbox/4.3.0
- version/oracle virtualbox/4.3.35
- version/oracle virtualbox/5.0.0
- version/oracle virtualbox/5.0.13
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.2.3
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- version/debian linux/9.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- package-manager/debian