CVE-2017-15589

Description

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.

How to fix CVE-2017-15589

To remediate CVE-2017-15589, upgrade the affected package to a fixed version below.

Alpine/xen—upgrade to 4.9.0-r6 or later
—upgrade to 4.8.2+xsa245-0+deb9u1 or later

Is CVE-2017-15589 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.9.0-r6
from 0, < 4.8.2+xsa245-0+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-15589
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-15589