CVE-2022-42310
First published: Tue Nov 01 2022(Updated: )
Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.
Credit: security@xen.org security@xen.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | <=4.11.4+107-gef32c7afa2-1 | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 |
| Xen Xen | >=4.9.0<4.13.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://xenbits.xen.org/xsa/advisory-415.html
- https://security-tracker.debian.org/tracker/CVE-2022-42310
- http://www.openwall.com/lists/oss-security/2022/11/01/5
- http://xenbits.xen.org/xsa/advisory-415.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://www.debian.org/security/2022/dsa-5272
- https://xenbits.xenproject.org/xsa/advisory-415.txt
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://security.gentoo.org/glsa/202402-07
Frequently Asked Questions
What is the severity of CVE-2022-42310?
The severity of CVE-2022-42310 is medium with a severity value of 5.5.
How can a guest create orphaned Xenstore nodes using CVE-2022-42310?
By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore database.
What is the affected software for CVE-2022-42310?
The affected software includes Xen (versions 4.14.6-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, 4.17.2+55-g0b56bed864-1) on Debian, Xen (versions 4.9.0 to 4.13.0) on Xen, Debian Linux (version 11.0) on Debian, and Fedora (versions 35, 36, 37) on Fedora.
How do I fix CVE-2022-42310 on Debian?
To fix CVE-2022-42310 on Debian, upgrade Xen to version 4.14.6-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, or 4.17.2+55-g0b56bed864-1.
Where can I find more information about CVE-2022-42310?
You can find more information about CVE-2022-42310 at the following references: [Xenbits Xen Advisory-415](https://xenbits.xen.org/xsa/advisory-415.html), [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2022-42310), [Openwall OSS-Security Mailing List](http://www.openwall.com/lists/oss-security/2022/11/01/5).
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/tags
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- package-manager/debian
- vendor/xen
- canonical/xen xen
- version/xen xen/4.9.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37