CVE-2019-19582
First published: Wed Dec 11 2019(Updated: )
An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | 4.11.4+107-gef32c7afa2-1 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.2+76-ge1f9cb16e2-1~deb12u1 4.17.2+76-ge1f9cb16e2-1 | |
| Xen xen-unstable | >=4.8.0<=4.12.1 | |
| Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/
- https://seclists.org/bugtraq/2020/Jan/21
- https://security.gentoo.org/glsa/202003-56
- https://www.debian.org/security/2020/dsa-4602
- https://xenbits.xen.org/xsa/advisory-307.html
- https://security-tracker.debian.org/tracker/CVE-2019-19582
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV/
Frequently Asked Questions
What is the severity of CVE-2019-19582?
CVE-2019-19582 has a severity level of medium, indicating a potential denial of service risk.
How do I fix CVE-2019-19582?
To fix CVE-2019-19582, upgrade the Xen hypervisor to the latest versions or apply all relevant patches.
What versions of Xen are affected by CVE-2019-19582?
CVE-2019-19582 affects Xen versions from 4.8.0 to 4.12.1, as well as specific Debian and Fedora versions.
Can CVE-2019-19582 be exploited remotely?
CVE-2019-19582 requires an attacker to have access to an x86 guest OS for exploitation, which limits its remote attack vector.
What type of attack does CVE-2019-19582 facilitate?
CVE-2019-19582 facilitates a denial of service attack by causing an infinite loop in the hypervisor.
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/xen
- canonical/xen xen-unstable
- version/xen xen-unstable/4.8.0
- version/xen xen-unstable/4.12.1
- vendor/fedoraproject
- canonical/fedora
- version/fedora/31