Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:3088-1 Final 1 1 2020-10-29T12:30:49Z current 2020-10-29T12:30:49Z 2020-10-29T12:30:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286) - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345) - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346) - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-3088,SUSE-OpenStack-Cloud-9-2020-3088,SUSE-OpenStack-Cloud-Crowbar-9-2020-3088,SUSE-SLE-SAP-12-SP4-2020-3088,SUSE-SLE-SERVER-12-SP4-LTSS-2020-3088 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20203088-1/ Link for SUSE-SU-2020:3088-1 https://lists.suse.com/pipermail/sle-security-updates/2020-October/007667.html E-Mail link for SUSE-SU-2020:3088-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177409 SUSE Bug 1177409 https://bugzilla.suse.com/1177412 SUSE Bug 1177412 https://bugzilla.suse.com/1177413 SUSE Bug 1177413 https://bugzilla.suse.com/1177414 SUSE Bug 1177414 https://www.suse.com/security/cve/CVE-2020-27670/ SUSE CVE CVE-2020-27670 page https://www.suse.com/security/cve/CVE-2020-27671/ SUSE CVE CVE-2020-27671 page https://www.suse.com/security/cve/CVE-2020-27672/ SUSE CVE CVE-2020-27672 page https://www.suse.com/security/cve/CVE-2020-27673/ SUSE CVE CVE-2020-27673 page SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 xen-4.11.4_10-2.39.2 xen-devel-4.11.4_10-2.39.2 xen-doc-html-4.11.4_10-2.39.2 xen-libs-4.11.4_10-2.39.2 xen-libs-32bit-4.11.4_10-2.39.2 xen-libs-64bit-4.11.4_10-2.39.2 xen-tools-4.11.4_10-2.39.2 xen-tools-domU-4.11.4_10-2.39.2 xen-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-doc-html-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-libs-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-libs-32bit-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-tools-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-tools-domU-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xen-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-doc-html-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-libs-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-libs-32bit-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-tools-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-tools-domU-4.11.4_10-2.39.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xen-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-doc-html-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-libs-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-libs-32bit-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-tools-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-tools-domU-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud 9 xen-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 xen-doc-html-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 xen-libs-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 xen-libs-32bit-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 xen-tools-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 xen-tools-domU-4.11.4_10-2.39.2 as a component of SUSE OpenStack Cloud Crowbar 9 An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated. CVE-2020-27670 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-domU-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-domU-4.11.4_10-2.39.2 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203088-1/ https://www.suse.com/security/cve/CVE-2020-27670.html CVE-2020-27670 https://bugzilla.suse.com/1177414 SUSE Bug 1177414 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1183925 SUSE Bug 1183925 An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page IOMMU TLB flushes is mishandled. CVE-2020-27671 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-domU-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-domU-4.11.4_10-2.39.2 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203088-1/ https://www.suse.com/security/cve/CVE-2020-27671.html CVE-2020-27671 https://bugzilla.suse.com/1177413 SUSE Bug 1177413 https://bugzilla.suse.com/1183925 SUSE Bug 1183925 An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages. CVE-2020-27672 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-domU-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-domU-4.11.4_10-2.39.2 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203088-1/ https://www.suse.com/security/cve/CVE-2020-27672.html CVE-2020-27672 https://bugzilla.suse.com/1177412 SUSE Bug 1177412 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1183925 SUSE Bug 1183925 An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. CVE-2020-27673 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server 12 SP4-LTSS:xen-tools-domU-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-doc-html-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-32bit-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-libs-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-4.11.4_10-2.39.2 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud 9:xen-tools-domU-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-doc-html-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-32bit-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-libs-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-4.11.4_10-2.39.2 SUSE OpenStack Cloud Crowbar 9:xen-tools-domU-4.11.4_10-2.39.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203088-1/ https://www.suse.com/security/cve/CVE-2020-27673.html CVE-2020-27673 https://bugzilla.suse.com/1177411 SUSE Bug 1177411 https://bugzilla.suse.com/1184583 SUSE Bug 1184583