CentOS 5 : xen (CESA-2016:2963)

high Nessus Plugin ID 95953

Synopsis

The remote CentOS host is missing one or more security updates.

Description

An update for xen is now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Xen is a virtual machine monitor

Security Fix(es) :

* An out of bounds array access issue was found in the Xen virtual machine monitor, built with the QEMU ioport support. It could occur while doing ioport read/write operations, if guest was to supply a 32bit address parameter. A privileged guest user/process could use this flaw to potentially escalate their privileges on a host.
(CVE-2016-9637)

Red Hat would like to thank the Xen project for reporting this issue.

Solution

Update the affected xen packages.

See Also

http://www.nessus.org/u?1cfeb266

Plugin Details

Severity: High

ID: 95953

File Name: centos_RHSA-2016-2963.nasl

Version: 3.10

Type: local

Agent: unix

Published: 12/21/2016

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Low

Base Score: 3.7

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-9637

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:centos:centos:xen-libs, p-cpe:/a:centos:centos:xen-devel, cpe:/o:centos:centos:5, p-cpe:/a:centos:centos:xen

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/20/2016

Vulnerability Publication Date: 2/17/2017

Reference Information

CVE: CVE-2016-9637

RHSA: 2016:2963