First published: Tue Apr 14 2020(Updated: )
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Xen Xen | >=3.2.0<=4.13.0 | |
Xen Xen | =4.13.0-rc1 | |
Xen Xen | =4.13.0-rc2 | |
Debian Debian Linux | =10.0 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
openSUSE Leap | =15.1 | |
debian/xen | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.3+10-g091466ba55-1~deb12u1 4.17.3+36-g54dacb5c02-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue is CVE-2020-11740.
The title of this vulnerability is 'An issue was discovered in xenoprof in Xen through 4.13.x allowing guest OS users (without active profiling) to obtain sensitive information about other guests.'
This vulnerability allows unprivileged guest OS users to obtain sensitive information about other guests.
The affected software versions include Xen 4.11.3+24- (Ubuntu) and Xen 4.11.4+107-gef32c7afa2-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, and 4.17.2-1 (Debian).
Yes, the recommended remedy is to update to the specified versions of Xen for Ubuntu (4.11.3+24-) and Debian (4.11.4+107-gef32c7afa2-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, or 4.17.2-1).