CVE-2020-29486
First published: Tue Dec 15 2020(Updated: )
An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. However, node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory A malicious guest administrator can cause a denial of service against a specific guest or against the whole host. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | 4.11.4+107-gef32c7afa2-1 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 | |
| Xen xen-unstable | <=4.14.0 | |
| Debian | =10.0 | |
| Fedora | =32 | |
| Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/
- https://security.gentoo.org/glsa/202107-30
- https://www.debian.org/security/2020/dsa-4812
- https://xenbits.xenproject.org/xsa/advisory-352.html
- https://xenbits.xen.org/xsa/advisory-352.html
- https://security-tracker.debian.org/tracker/CVE-2020-29486
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/
Frequently Asked Questions
What is the severity of CVE-2020-29486?
CVE-2020-29486 has a high severity due to the potential for denial of service and resource exhaustion in Xen.
How do I fix CVE-2020-29486?
To fix CVE-2020-29486, upgrade to the patched versions of Xen stated in the vulnerability advisory.
What versions of Xen are affected by CVE-2020-29486?
CVE-2020-29486 affects Xen versions up to and including 4.14.0.
What types of systems are impacted by CVE-2020-29486?
CVE-2020-29486 impacts systems using Xen, including Debian and Fedora distributions.
What implications does CVE-2020-29486 have for resource management in Xen?
CVE-2020-29486 allows guests to impact the resource quotas of other guests, potentially leading to service disruptions.
- collector/security-tracker-debian
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/xen
- canonical/xen xen-unstable
- version/xen xen-unstable/4.14.0
- vendor/debian
- canonical/debian
- version/debian/10.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33