CVE-2022-42325
First published: Tue Nov 01 2022(Updated: )
Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.
Credit: security@xen.org security@xen.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | <=4.11.4+107-gef32c7afa2-1 | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 |
| Xen Xen | >=4.9.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://xenbits.xen.org/xsa/advisory-421.html
- https://security-tracker.debian.org/tracker/CVE-2022-42325
- http://www.openwall.com/lists/oss-security/2022/11/01/11
- http://xenbits.xen.org/xsa/advisory-421.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://www.debian.org/security/2022/dsa-5272
- https://xenbits.xenproject.org/xsa/advisory-421.txt
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://security.gentoo.org/glsa/202402-07
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2022-42325.
What is the severity of CVE-2022-42325?
The severity of CVE-2022-42325 is medium with a severity value of 5.5.
What software is affected by CVE-2022-42325?
The affected software includes Xen versions 4.14.6-1, 4.14.5+94-ge49571868d-1, 4.17.1+2-gb773c48e36-1, 4.17.2+55-g0b56bed864-1, Debian Xen versions from 4.11.4+107-gef32c7afa2-1, Xen Xen version 4.9.0, Debian Linux version 11.0, Fedora versions 35, 36, and 37.
How can a guest create an arbitrary number of nodes via transactions in Xenstore?
A guest can create an arbitrary number of nodes via transactions in Xenstore by exploiting the vulnerability.
Is there a fix available for CVE-2022-42325?
Yes, there are remedies available for the affected software versions. Please refer to the provided references for more information on how to apply the fixes.
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/tags
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- package-manager/debian
- vendor/xen
- canonical/xen xen
- version/xen xen/4.9.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37