CVE-2023-34322

2024-01-0517:15:08

Google

osv.dev

xen

migration

l1tf

vulnerability

shadow paging

memory shortage

page tables

cpu

security advisory

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode. Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables. For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down. This
tearing down may include the shadow root page table that the CPU in
question is presently running on. While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn’t large enough.

CPENameOperatorVersion
xeneq4.15.1-r0
xeneq4.11.0-r0
xeneq4.14.5+24-g87d90d511c-1
xeneq4.3.0-r8
xeneq4.17.0+46-gaaf74a532c-1
xeneq4.0.1-r3
xeneq4.2.1-r1
xeneq4.16.4-r1
xeneq4.14.3+32-g9de3671772-1~deb11u1
xeneq4.14.4+74-gd7b22226b5-1

Name	Operator	Version
xen	eq	4.15.1-r0
xen	eq	4.11.0-r0
xen	eq	4.14.5+24-g87d90d511c-1
xen	eq	4.3.0-r8
xen	eq	4.17.0+46-gaaf74a532c-1
xen	eq	4.0.1-r3
xen	eq	4.2.1-r1
xen	eq	4.16.4-r1
xen	eq	4.14.3+32-g9de3671772-1~deb11u1
xen	eq	4.14.4+74-gd7b22226b5-1