CVE-2022-42320

CVE	CVE-2022-42320
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-11-01 13:15:00 UTC
Updated	2024-02-04 08:15:00 UTC
Description	Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.

Problem Types: CWE-459

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Operating System	Xen	Xen	-	All	All	All

Reference	Source	Link	Tags
[SECURITY] Fedora 37 Update: xen-4.16.2-4.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Xen: Multiple Vulnerabilities (GLSA 202402-07) — Gentoo security		security.gentoo.org
XSA-417 - Xen Security Advisories	CONFIRM	xenbits.xen.org
[SECURITY] Fedora 37 Update: xen-4.16.2-4.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Debian -- Security Information -- DSA-5272-1 xen	DEBIAN	www.debian.org
oss-security - Xen Security Advisory 417 v2 (CVE-2022-42320) - Xenstore: Guests can get access to Xenstore nodes of deleted domains	MLIST	www.openwall.com
[SECURITY] Fedora 36 Update: xen-4.16.2-3.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
xenbits.xenproject.org/xsa/advisory-417.txt	MISC	xenbits.xenproject.org
[SECURITY] Fedora 36 Update: xen-4.16.2-3.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: xen-4.15.3-7.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: xen-4.15.3-7.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

LEGACY: Array

181193 Debian Security Update for xen (DSA 5272-1)
184900 Debian Security Update for xen (CVE-2022-42320)
283293 Fedora Security Update for xen (FEDORA-2022-07438e12df)
283319 Fedora Security Update for xen (FEDORA-2022-99af00f60e)
283430 Fedora Security Update for xen (FEDORA-2022-9f51d13fa3)
390275 Oracle Managed Virtualization (VM) Server for x86 Security Update for xen (OVMSA-2023-0005)
502600 Alpine Linux Security Update for xen
502619 Alpine Linux Security Update for xen
503143 Alpine Linux Security Update for xen
503695 Alpine Linux Security Update for xen
504549 Alpine Linux Security Update for xen
505964 Alpine Linux Security Update for xen
710858 Gentoo Linux Xen Multiple Vulnerabilities (GLSA 202402-07)
752778 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:3925-1)
752781 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:3928-1)
752792 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:3947-1)
752796 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:3971-1)
752807 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:4007-1)
752887 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:4241-1)
752979 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2022:4332-1)