CVE-2021-28688 - log back

CVE-2021-28688 edited at 06 Apr 2021 19:32:22
Description
- A security issue was found in the Linux kernel before version 5.11.11, as used by Xen. A malicious or buggy frontend driver may be able to cause resource leaks from the corresponding backend driver. This can result in a host-wide Denial of Sevice (DoS).
+ A security issue was found in the Linux kernel before version 5.11.11, as used by Xen. The fix for CVE-2021-26930, a.k.a. XSA-365, includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains.
CVE-2021-28688 edited at 31 Mar 2021 08:26:05
Severity
- Unknown
+ Low
Remote
- Unknown
+ Local
Type
- Unknown
+ Denial of service
Description
+ A security issue was found in the Linux kernel before version 5.11.11, as used by Xen. A malicious or buggy frontend driver may be able to cause resource leaks from the corresponding backend driver. This can result in a host-wide Denial of Sevice (DoS).
References
+ https://xenbits.xen.org/xsa/advisory-371.html
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.11.11&id=632b046bb6120afe1df1bfa06943bee338dd97db
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.27&id=3a1ca9bd4f5a647439e82e07b03d072781d9d180
Notes
+ Workaround
+ ==========
+
+ Avoiding the use of persistent grants will avoid the vulnerability. This can be achieved by passing the "feature_persistent=0" module option to the xen-blkback driver.
CVE-2021-28688 created at 31 Mar 2021 08:23:11
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes