CVE-2017-7995

Description

Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.

CVSS Metrics

• v3.0•LOW•Score: 3.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
• v2.0•LOW•Score: 1.7AV:L/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.10%• Percentile: 27%

Techniques & Countermeasures

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

• novell•suse_linux_enterprise_point_of_sale

  11.0:sp3

• novell•suse_linux_enterprise_server

  11.0:sp3

• suse•manager

  2.1

• suse•manager_proxy

  2.1

• suse•openstack_cloud

  5

• xen•xen

  ≤ 4.2.5

References (3)

• http://www.securityfocus.com/bid/98314
• https://bugzilla.suse.com/show_bug.cgi?id=1033948
• http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00005.html