Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4183-1 Final 1 1 2023-10-24T14:52:38Z current 2023-10-24T14:52:38Z 2023-10-24T14:52:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: - CVE-2023-34323: Fixed a potential crash in C Xenstored due to an incorrect assertion (XSA-440) (bsc#1215744). - CVE-2023-34326: Fixed a missing IOMMU TLB flush on x86 AMD systems with IOMMU hardware and PCI passthrough enabled (XSA-442) (bsc#1215746). - CVE-2023-34325: Fixed multiple parsing issues in libfsimage (XSA-443) (bsc#1215747). - CVE-2023-34327, CVE-2023-34328: Fixed multiple issues with AMD x86 debugging functionality for guests (XSA-444) (bsc#1215748). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP2-BYOS-Azure-2023-4183,Image SLES15-SP2-HPC-BYOS-Azure-2023-4183,Image SLES15-SP2-SAP-Azure-2023-4183,Image SLES15-SP2-SAP-Azure-LI-BYOS-Production-2023-4183,Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production-2023-4183,Image SLES15-SP2-SAP-BYOS-Azure-2023-4183,Image SLES15-SP2-SAP-BYOS-EC2-HVM-2023-4183,Image SLES15-SP2-SAP-BYOS-GCE-2023-4183,Image SLES15-SP2-SAP-EC2-HVM-2023-4183,Image SLES15-SP2-SAP-GCE-2023-4183,SUSE-2023-4183,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4183,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4183,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4183 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ Link for SUSE-SU-2023:4183-1 https://lists.suse.com/pipermail/sle-security-updates/2023-October/016831.html E-Mail link for SUSE-SU-2023:4183-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1215744 SUSE Bug 1215744 https://bugzilla.suse.com/1215746 SUSE Bug 1215746 https://bugzilla.suse.com/1215747 SUSE Bug 1215747 https://bugzilla.suse.com/1215748 SUSE Bug 1215748 https://www.suse.com/security/cve/CVE-2023-34323/ SUSE CVE CVE-2023-34323 page https://www.suse.com/security/cve/CVE-2023-34325/ SUSE CVE CVE-2023-34325 page https://www.suse.com/security/cve/CVE-2023-34326/ SUSE CVE CVE-2023-34326 page https://www.suse.com/security/cve/CVE-2023-34327/ SUSE CVE CVE-2023-34327 page https://www.suse.com/security/cve/CVE-2023-34328/ SUSE CVE CVE-2023-34328 page Image SLES15-SP2-BYOS-Azure Image SLES15-SP2-HPC-BYOS-Azure Image SLES15-SP2-SAP-Azure Image SLES15-SP2-SAP-Azure-LI-BYOS-Production Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production Image SLES15-SP2-SAP-BYOS-Azure Image SLES15-SP2-SAP-BYOS-EC2-HVM Image SLES15-SP2-SAP-BYOS-GCE Image SLES15-SP2-SAP-EC2-HVM Image SLES15-SP2-SAP-GCE SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-libs-4.13.5_06-150200.3.80.1 xen-tools-domU-4.13.5_06-150200.3.80.1 xen-4.13.5_06-150200.3.80.1 xen-devel-4.13.5_06-150200.3.80.1 xen-doc-html-4.13.5_06-150200.3.80.1 xen-libs-32bit-4.13.5_06-150200.3.80.1 xen-libs-64bit-4.13.5_06-150200.3.80.1 xen-tools-4.13.5_06-150200.3.80.1 xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-BYOS-Azure xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-HPC-BYOS-Azure xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-Azure xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-Azure-LI-BYOS-Production xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-BYOS-Azure xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-BYOS-EC2-HVM xen-tools-domU-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-BYOS-EC2-HVM xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-BYOS-GCE xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-EC2-HVM xen-tools-domU-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-EC2-HVM xen-libs-4.13.5_06-150200.3.80.1 as a component of Image SLES15-SP2-SAP-GCE xen-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-devel-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-libs-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-tools-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-tools-domU-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS xen-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-devel-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-libs-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-tools-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-tools-domU-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS xen-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-devel-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-libs-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-tools-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-tools-domU-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). CVE-2023-34323 Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-GCE:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-GCE:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ https://www.suse.com/security/cve/CVE-2023-34323.html CVE-2023-34323 https://bugzilla.suse.com/1215744 SUSE Bug 1215744 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub's XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub. CVE-2023-34325 Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-GCE:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-GCE:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ https://www.suse.com/security/cve/CVE-2023-34325.html CVE-2023-34325 https://bugzilla.suse.com/1215747 SUSE Bug 1215747 The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. CVE-2023-34326 Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-GCE:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-GCE:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ https://www.suse.com/security/cve/CVE-2023-34326.html CVE-2023-34326 https://bugzilla.suse.com/1215145 SUSE Bug 1215145 https://bugzilla.suse.com/1215746 SUSE Bug 1215746 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVE-2023-34327 Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-GCE:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-GCE:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ https://www.suse.com/security/cve/CVE-2023-34327.html CVE-2023-34327 https://bugzilla.suse.com/1215748 SUSE Bug 1215748 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVE-2023-34328 Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-Azure:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-BYOS-GCE:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-libs-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-EC2-HVM:xen-tools-domU-4.13.5_06-150200.3.80.1 Image SLES15-SP2-SAP-GCE:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server 15 SP2-LTSS:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-devel-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-libs-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-domU-4.13.5_06-150200.3.80.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:xen-tools-xendomains-wait-disk-4.13.5_06-150200.3.80.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234183-1/ https://www.suse.com/security/cve/CVE-2023-34328.html CVE-2023-34328 https://bugzilla.suse.com/1215748 SUSE Bug 1215748