CVE-2018-19961 — xen - security update

Description

An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.

How to fix CVE-2018-19961

To remediate CVE-2018-19961, upgrade the affected package to a fixed version below.

Alpine/xen—upgrade to 4.11.1-r0 or later
—upgrade to 4.11.1-1 or later
—upgrade to 4.4.4lts5-0+deb8u1 or later
—upgrade to 4.8.5+shim4.10.2+xsa282-1+deb9u11 or later

Is CVE-2018-19961 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 4.11.1-r0
from 0, < 4.11.1-1
from 0, < 4.4.4lts5-0+deb8u1
from 0, < 4.8.5+shim4.10.2+xsa282-1+deb9u11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-19961
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-19961