CVSS2: 2.1 Low
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 6.5 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS: 0.001 Low (Percentile: 22.9%)
Note: Multiple issues are contained in this XSA due to their interactions.
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Systems running all versions of Xen are affected.
Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
Xen does not have a managed runtime environment, so is not believed to be vulnerable to CVE-2022-0002 irrespective of any hardware susceptibility.
Xen does not have any known gadgets vulnerable to Direct Branch Straight Line Speculation. Therefore, no changes for CVE-2021-26341 are being provided at this time.
The AMD BTI (Spectre v2) protections do not depend on isolating predictions between different privileges, so the fact that Branch History is shared (just like the Branch Target Buffer) is not believed to be relevant to existing mitigations. Therefore, there is no believed impact from Spectre-BHB on AMD hardware.
Patches to mitigate CVE-2022-23960 on affected ARM CPUs are provided.
Intel have recommended not making any changes by default for CVE-2022-0001. Existing Spectre-v2 mitigations on pre-eIBRS hardware are believed to be sufficient. On eIBRS capable hardware, there is uncertainty over the utility of Branch History Injection to an adversary. However, the risk can be removed by using eIBRS in combination with retpoline.
For CVE-2021-26401, AMD have recommended using retpoline in preference to lfence/jmp as previously recommended to mitigate Spectre-v2. This recommendation also mitigates any risk from Branch History Injection.
For both CVE-2022-0001 on Intel, and CVE-2021-26401 on AMD, the suggestion to use retpoline is incompatible with CET Shadow Stacks as implemented in Xen 4.14 and later. The security team has decided that disabling CET Shadow Stacks to work around speculation problems is not a reasonable option for downstreams and end users.
Therefore, patches are also provided to:
* Use IBRS on capable AMD hardware. This also mitigates CVE-2021-26401.
* Use CET Indirect Branch Tracking on capable Intel hardware. CET-IBT has architectural guarantees about halting speculation, on top of being a hardware mechanism to protect against Call/Jump Oriented Programming attacks.
Both provide CET Shadow Stack compatible mitigations to these issues. A practical consequence of this decision is that CET Shadow Stacks are now considered security supported, upgraded from Tech Preview previously.
Note: CET-IBT patches are incomplete and will be backported at a later date.