Input validation error in xen (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-29480 |
| CWE-ID | CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
IBM Systems Director Server applications / Other server solutions xen (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor |
IBM Corporation Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU49130
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-29480
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local privileged user to gain access to sensitive information.
An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Systems Director: 6.3.2.2
xen (Alpine package): 1.42
xen (Alpine package): 1.1.7-0ubuntu1 - 1.2.3-0ubuntu2.7
xen (Alpine package): 3.0.8-1 - 3.0.13-1
xen (Alpine package): 2:1.3.2-2ubuntu0.1
xen (Alpine package): 1:6.2.3-5
xen (Alpine package): 0.11-4
xen (Alpine package): 3.2.21-1
xen (Alpine package): 1.88-1
xen (Alpine package): 0.2.3.2-1
xen (Alpine package): 0.101 - 0.102ubuntu1
xen (Alpine package): 0.1.0-0ubuntu1 - 0.1.5-0ubuntu1
xen (Alpine package): 3.1-1 - 3.1-2
xen (Alpine package): 1.3.1-1 - 1.3.1-2
xen (Alpine package): 3.1-1
xen (Alpine package): 0.18.1.1-9ubuntu1
xen (Alpine package): 4.63-15
xen (Alpine package): 3.1.6.1-1
xen (Alpine package): 2.55-2 - 2.72-1
xen (Alpine package): 2.2.0.3-2ubuntu5
xen (Alpine package): 3.5.11.2003.06.04-3
xen (Alpine package): 5.4-2ubuntu1
xen (Alpine package): 5.4b-1
xen (Alpine package): 0.15
xen (Alpine package): 0.18ubuntu0.2 - 0.32
xen (Alpine package): 0.3.6.0amd12 - 1.12.9
xen (Alpine package): 1.9.9-3 - 1.9.10-1
xen (Alpine package): 0.48-4
xen (Alpine package): 0.9b-20040421-1 - 1.1-20120215-2
xen (Alpine package): 0.16 - 0.35
xen (Alpine package): 0.2 - 0.9
xen (Alpine package): 0.4
xen (Alpine package): 2.5.3 - 2.17.5ubuntu1
xen (Alpine package): 3.4.0-1
xen (Alpine package): 0.14-1 - 0.15-2
xen (Alpine package): 2014.1-3
xen (Alpine package): 24.0-0ubuntu1
xen (Alpine package): 0.5.2-0ubuntu1 - 1.2.5ubuntu1daily13.06.14-0ubuntu1
xen (Alpine package): 3.0-0ubuntu1
xen (Alpine package): 1.5.2 - 1.6.2
xen (Alpine package): 0.1.8 - 1.0.75
xen (Alpine package): 1.20.0 - 2.18.2
xen (Alpine package): 20081029ubuntu63 - 20101020ubuntu468
xen (Alpine package): 0.74 - 9.20160115
xen (Alpine package): 0.2.12 - 1.5.49
xen (Alpine package): 1.8.8-2ubuntu1
xen (Alpine package): 0.2.8-8 - 0.2.11-1
xen (Alpine package): 0.3 - 1.8.42
xen (Alpine package): 5.3.28-3 - 5.3.28-4
xen (Alpine package): 1.5
xen (Alpine package): 0.4.5 - 0.5.8-2.2
xen (Alpine package): 0.2.11-1build1
xen (Alpine package): 0.63
xen (Alpine package): 0.3.1-0ubuntu1 - 0.10.0-3
xen (Alpine package): 0.13-1 - 0.22.1-2
xen (Alpine package): 2.1.0-2 - 2.1.26.dfsg1-14
xen (Alpine package): 0.5.16-3.5ubuntu1 - 0.5.17-6
xen (Alpine package): 1.3-1 - 1.3-3
xen (Alpine package): 5.11-1 - 7.35.0-1
xen (Alpine package): 1.3.9-17 - 2.0.3-2
xen (Alpine package): 0.1.2-1 - 0.2.6-1ubuntu1
xen (Alpine package): 1.0.47-2 - 1.0.64-0ubuntu1
xen (Alpine package): 2.1-3-dfsg-1 - 2.1-3-dfsg-2
xen (Alpine package): 0.100-3
xen (Alpine package): 2:1.0.6-2ubuntu7 - 2:1.6.4-1
xen (Alpine package): 0.8 - 9ubuntu2
xen (Alpine package): 3.0pl1-50 - 3.0pl1-119
xen (Alpine package): 1.0.0-0ubuntu1 - 1.0.0-0ubuntu2
xen (Alpine package): expression - 7.1.1-1
xen (Alpine package): 2.8.13-7 - 2.8.13-10
xen (Alpine package): 2.4.2-16 - 2.7-1
xen (Alpine package): 0.92-0ubuntu3 - 0.98-1
xen (Alpine package): 4.5.7-1 - 8.20-3ubuntu4
xen (Alpine package): 0.2.10-3 - 0.4.6-3
xen (Alpine package): 1.5 - 1.141
xen (Alpine package): 1:0.8.6-0ubuntu4 - 1:0.9.7.6-0ubuntu2
xen (Alpine package): 0.3ubuntu7 - 0.3ubuntu15.2
xen (Alpine package): 1.2.12-1ubuntu1 - 1.2.12-1
xen (Alpine package): 0.7-svn20050721 - 1.4.29-1
xen (Alpine package): 2.8.12.1-1.6 - 3.9.0-1
xen (Alpine package): 1.0.5-2 - 1.0.8-3
xen (Alpine package): 0.25-0ubuntu1 - 0.25-0ubuntu3
xen (Alpine package): 0.9-0ubuntu1 - 0.12-0ubuntu1
xen (Alpine package): 1.4.4
xen (Alpine package): 2.2.15-1
xen (Alpine package): 1.4.2
xen (Alpine package): 4.8.9
xen (Alpine package): 3.0.4
xen (Alpine package): 2.1.0
xen (Alpine package): 1.4.17
xen (Alpine package): 2.2.0b2
xen (Alpine package): r12.0 nil
xen (Alpine package): 3.0
xen (Alpine package):
xen (Alpine package): before 4.14.1-r0
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_systems_director:6.3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.42:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.1.7-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.2.0-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.2.1-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0.8-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0.13-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2:1.3.2-2ubuntu0.1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1:6.2.3-5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.11-4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.2.21-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.88-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2.3.2-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.101:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.1.0-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.1-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.3.1-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.1-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.18.1.1-9ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:4.63-15:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.1.6.1-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.55-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.2.0.3-2ubuntu5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.5.11.2003.06.04-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:5.4-2ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:5.4b-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.15:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.18ubuntu0.2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.3.6.0amd12:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.9.9-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.48-4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.9b-20040421-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.16:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.5.3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.4.0-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.14-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2014.1-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:24.0-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.5.2-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.5.2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.1.8:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.20.0:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:20081029ubuntu63:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.74:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2.12:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.8.8-2ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2.8-8:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:5.3.28-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.4.5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2.11-1build1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.63:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.3.1-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.13-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.1.0-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.5.16-3.5ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.3-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:5.11-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.3.9-17:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.1.2-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.0.47-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.1-3-dfsg-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.100-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2:1.0.6-2ubuntu7:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.8:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0pl1-50:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.0.0-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:expression:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.8.13-7:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.4.2-16:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.92-0ubuntu3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:4.5.7-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.2.10-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1:0.8.6-0ubuntu4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.3ubuntu7:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.2.12-1ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.7-svn20050721:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.8.12.1-1.6:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.0.5-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.25-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:0.9-0ubuntu1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.4.4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.2.15-1:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.4.2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:4.8.9:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0.4:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.1.0:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:1.4.17:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:2.2.0b2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:r12.0 nil:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:3.0:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package::*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:xen_alpine_package:*:*:*:*:*:alpine_linux:*:3.12
https://git.alpinelinux.org/aports/commit/?id=1f5fe5eb0e0bb4588f6b1b8b4e1563293acbb087
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
