Vulnerability Description
Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xen | Xen | >= 4.0.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/09/08/2Mailing ListThird Party Advisory
- http://xenbits.xen.org/xsa/advisory-384.htmlVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202208-23Third Party Advisory
- https://www.debian.org/security/2021/dsa-4977Third Party Advisory
- https://xenbits.xenproject.org/xsa/advisory-384.txtVendor Advisory
- http://www.openwall.com/lists/oss-security/2021/09/08/2Mailing ListThird Party Advisory
- http://xenbits.xen.org/xsa/advisory-384.htmlVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202208-23Third Party Advisory
- https://www.debian.org/security/2021/dsa-4977Third Party Advisory
FAQ
What is CVE-2021-28701?
CVE-2021-28701 is a vulnerability with a CVSS score of 7.8 (HIGH). Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire ...
How severe is CVE-2021-28701?
CVE-2021-28701 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28701?
Check the references section above for vendor advisories and patch information. Affected products include: Xen Xen, Debian Debian Linux, Fedoraproject Fedora.