Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3586-1 Final 1 1 2024-10-10T11:29:45Z current 2024-10-10T11:29:45Z 2024-10-10T11:29:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Security fixes: - CVE-2024-31145: Fixed error handling in x86 IOMMU identity mapping (XSA-460) (bsc#1228574) - CVE-2024-31146: Fixed PCI device pass-through with shared resources (XSA-461) (bsc#1228575) - CVE-2024-45817: Fixed Deadlock in vlapic_error() (XSA-462) (bsc#1230366) Other fixes: - Upstream bug fixes (bsc#1027519) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-EC2-BYOS-2024-3586,Image SLES12-SP5-EC2-ECS-On-Demand-2024-3586,Image SLES12-SP5-EC2-On-Demand-2024-3586,Image SLES12-SP5-EC2-SAP-BYOS-2024-3586,Image SLES12-SP5-EC2-SAP-On-Demand-2024-3586,SUSE-2024-3586,SUSE-SLE-SDK-12-SP5-2024-3586,SUSE-SLE-SERVER-12-SP5-2024-3586 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243586-1/ Link for SUSE-SU-2024:3586-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019585.html E-Mail link for SUSE-SU-2024:3586-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1027519 SUSE Bug 1027519 https://bugzilla.suse.com/1228574 SUSE Bug 1228574 https://bugzilla.suse.com/1228575 SUSE Bug 1228575 https://bugzilla.suse.com/1230366 SUSE Bug 1230366 https://www.suse.com/security/cve/CVE-2024-31145/ SUSE CVE CVE-2024-31145 page https://www.suse.com/security/cve/CVE-2024-31146/ SUSE CVE CVE-2024-31146 page https://www.suse.com/security/cve/CVE-2024-45817/ SUSE CVE CVE-2024-45817 page Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 xen-libs-4.12.4_56-3.121.1 xen-tools-domU-4.12.4_56-3.121.1 xen-4.12.4_56-3.121.1 xen-devel-4.12.4_56-3.121.1 xen-doc-html-4.12.4_56-3.121.1 xen-libs-32bit-4.12.4_56-3.121.1 xen-libs-64bit-4.12.4_56-3.121.1 xen-tools-4.12.4_56-3.121.1 xen-libs-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-BYOS xen-tools-domU-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-BYOS xen-libs-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand xen-tools-domU-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand xen-libs-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-On-Demand xen-tools-domU-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-On-Demand xen-libs-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS xen-tools-domU-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS xen-libs-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand xen-tools-domU-4.12.4_56-3.121.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand xen-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-doc-html-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-libs-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-libs-32bit-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-tools-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-tools-domU-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-doc-html-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-libs-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-libs-32bit-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-tools-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-tools-domU-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-devel-4.12.4_56-3.121.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Software Development Kit 12 SP5:xen-devel-4.12.4_56-3.121.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243586-1/ https://www.suse.com/security/cve/CVE-2024-31145.html CVE-2024-31145 https://bugzilla.suse.com/1228574 SUSE Bug 1228574 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Software Development Kit 12 SP5:xen-devel-4.12.4_56-3.121.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243586-1/ https://www.suse.com/security/cve/CVE-2024-31146.html CVE-2024-31146 https://bugzilla.suse.com/1228575 SUSE Bug 1228575 In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVE-2024-45817 Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-tools-domU-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-libs-4.12.4_56-3.121.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-doc-html-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-32bit-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-4.12.4_56-3.121.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-domU-4.12.4_56-3.121.1 SUSE Linux Enterprise Software Development Kit 12 SP5:xen-devel-4.12.4_56-3.121.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243586-1/ https://www.suse.com/security/cve/CVE-2024-45817.html CVE-2024-45817 https://bugzilla.suse.com/1230366 SUSE Bug 1230366