Denial of Service Vulnerability in Xenstore Affects Xen Project
CVE-2022-42311

6.5MEDIUM

Key Information:

Vendor: Xen Project
Status: Xen Project
Vendor: CVE Published:; 1 November 2022

What is CVE-2022-42311?

Xenstore can be exploited by malicious guests, leading to significant memory depletion and consequently a Denial of Service. Attackers can trigger memory saturation through various methods: repeatedly issuing requests without reading responses, creating excessive watch events, crafting numerous nodes with maximum size limitations, and accessing many nodes simultaneously within transactions. This capability poses a considerable risk, as it can lead to xenstored being overwhelmed and inaccessible, disrupting services reliant on this component.

Affected Version(s)

xen consult Xen advisory XSA-326

References

https://xenbits.xenproject.org/xsa/advisory-326.txt

http://xenbits.xen.org/xsa/advisory-326.html

https://www.debian.org/security/2022/dsa-5272

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 1, 2022
Vulnerability Reserved
Oct 3, 2022

Credit

{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Julien Grall of Amazon.'}]}}}