CVE-2017-17045
high
CVSS v3
8.8
CVSS v2
7.2
VIR risk
8.8
Description
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors.
Predictions
Exploit likelihood
82%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-17045
Vendor advisory: cve@mitre.org — https://xenbits.xen.org/xsa/advisory-247.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 4.8.2+xsa245-0+deb9u1 |
| debian | bullseye | fixed | 4.8.2+xsa245-0+deb9u1 |
| debian | forky | fixed | 4.8.2+xsa245-0+deb9u1 |
| debian | sid | fixed | 4.8.2+xsa245-0+deb9u1 |
| debian | trixie | fixed | 4.8.2+xsa245-0+deb9u1 |
References
- http://www.securityfocus.com/bid/102013
- http://www.securityfocus.com/bid/102129
- http://www.securitytracker.com/id/1039879
- https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html
- https://lists.debian.org/debian-lts-announce/2018/10/msg00021.html
- https://security.gentoo.org/glsa/201801-14
- https://support.citrix.com/article/CTX230138
- https://xenbits.xen.org/xsa/advisory-247.html
- https://security-tracker.debian.org/tracker/CVE-2017-17045
CWEs
CWE-416
Verify integrity in audit chain (admin only). AS-IS.