Memory corruption in xen (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-15470
CWE-ID CWE-119
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe 		xen (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Memory corruption

EUVDB-ID: #VU14473

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15470

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to the affected software fails to enforce the quota-maxentity setting. An adjacent attacker can write an excessive number of XenStore entries, trigger unbounded memory usage and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

xen (Alpine package): 4.7.2-r0 - 4.8.4-r0

CPE2.3 External links

http://git.alpinelinux.org/aports/commit/?id=b1098f74cfa616c0046ba6c5f2d032ac2f1d8e02
http://git.alpinelinux.org/aports/commit/?id=3157c8cf385f659174a6d95a9218bc3281359513
http://git.alpinelinux.org/aports/commit/?id=fa4aef12fe69b28f195024708e67ea7e48e9fca6
http://git.alpinelinux.org/aports/commit/?id=8a2e635d73f2f09c768259b4730dcf3f55d0ed93
http://git.alpinelinux.org/aports/commit/?id=ca1b59327d93bdc40e475877934ab83be23847f1
http://git.alpinelinux.org/aports/commit/?id=74dce6e0451466b8eb5078660886cc226f9704f4


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###