Vulnerability Description
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xen | Xen | 3.1.3 |
| Canonical | Ubuntu Linux | 12.04 |
| Debian | Debian Linux | 6.0 |
| Novell | Suse Linux Enterprise Debuginfo | 11 |
| Novell | Suse Linux Enterprise Real Time Extension | 11 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00059.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
- http://www.debian.org/security/2016/dsa-3434
- http://www.securityfocus.com/bid/79546Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1034480Third Party AdvisoryVDB Entry
- http://xenbits.xen.org/xsa/advisory-157.htmlVendor Advisory
- https://security.gentoo.org/glsa/201604-03
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00059.htmlThird Party Advisory
FAQ
What is CVE-2015-8552?
CVE-2015-8552 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN message...
How severe is CVE-2015-8552?
CVE-2015-8552 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8552?
Check the references section above for vendor advisories and patch information. Affected products include: Xen Xen, Canonical Ubuntu Linux, Debian Debian Linux, Novell Suse Linux Enterprise Debuginfo, Novell Suse Linux Enterprise Real Time Extension.