CVE-2014-4021
| Severity | CVSS v3 | CVSS v2 | VIR risk |
|---|---|---|---|
| low | — | 2.7 | 2.7 |
Description
Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors.
Predictions
| Exploit likelihood | Patch ETA |
|---|---|
| 20% | — |
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
- Vendor advisory (debian): https://security-tracker.debian.org/tracker/CVE-2014-4021
- Vendor advisory (cve@mitre.org): http://xenbits.xen.org/xsa/advisory-100.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 4.4.1-1 |
| debian | bullseye | fixed | 4.4.1-1 |
| debian | forky | fixed | 4.4.1-1 |
| debian | sid | fixed | 4.4.1-1 |
| debian | trixie | fixed | 4.4.1-1 |
References
- http://linux.oracle.com/errata/ELSA-2014-0926-1.html
- http://linux.oracle.com/errata/ELSA-2014-0926.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135068.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135071.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00003.html
- http://secunia.com/advisories/59208
- http://secunia.com/advisories/60027
- http://secunia.com/advisories/60130
- http://secunia.com/advisories/60471
- http://security.gentoo.org/glsa/glsa-201407-03.xml
- http://support.citrix.com/article/CTX140984
- http://www.debian.org/security/2014/dsa-3006
- http://www.securityfocus.com/bid/68070
- http://www.securitytracker.com/id/1030442
- http://xenbits.xen.org/xsa/advisory-100.html
- https://security-tracker.debian.org/tracker/CVE-2014-4021
CWEs
CWE-119