{"containers":{"cna":{"affected":[{"product":"xen","vendor":"Xen","versions":[{"status":"affected","version":"4.12.x"}]},{"product":"xen","vendor":"Xen","versions":[{"lessThan":"4.12","status":"unknown","version":"unspecified","versionType":"custom"},{"lessThan":"unspecified","status":"affected","version":"4.13.x","versionType":"custom"},{"lessThan":"unspecified","status":"unaffected","version":"next of xen-unstable","versionType":"custom"}]}],"credits":[{"lang":"en","value":"This issue was discovered by Julien Grall of Amazon."}],"descriptions":[{"lang":"en","value":"xen/arm: No memory limit for dom0less domUs. The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit for them is not set. This allows a domain to allocate memory beyond what an administrator originally configured."}],"metrics":[{"other":{"content":{"description":{"description_data":[{"lang":"eng","value":"Malicious dom0less guest could drive Xen out of memory and may\nresult in a Denial of Service (DoS) attack affecting the 
entire\nsystem."}]}},"type":"unknown"}}],"problemTypes":[{"descriptions":[{"description":"unknown","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-08-14T20:06:06.000Z","orgId":"23aa2041-22e1-471f-9209-9b7396fa234f","shortName":"XEN"},"references":[{"tags":["x_refsource_MISC"],"url":"https://xenbits.xenproject.org/xsa/advisory-383.txt"},{"name":"FEDORA-2021-4f129cc0c1","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"},{"name":"FEDORA-2021-d68ed12e46","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"},{"name":"DSA-4977","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"https://www.debian.org/security/2021/dsa-4977"},{"name":"FEDORA-2021-081f9bf5d2","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"},{"name":"GLSA-202208-23","tags":["vendor-advisory","x_refsource_GENTOO"],"url":"https://security.gentoo.org/glsa/202208-23"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@xen.org","ID":"CVE-2021-28700","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xen","version":{"version_data":[{"version_value":"4.12.x"}]}},{"product_name":"xen","version":{"version_data":[{"version_affected":"?<","version_value":"4.12"},{"version_affected":">=","version_value":"4.13.x"},{"version_affected":"!>","version_value":"xen-unstable"}]}}]},"vendor_name":"Xen"}]}},"configuration":{"configuration_data":{"description":{"description_data":[{"lang":"eng","value":"Only Arm systems are vulnerable. 
Only domains created using the\ndom0less feature are affected.\n\nOnly domains created using the dom0less feature can leverage the\nvulnerability.\n\nAll versions of Xen since 4.12 are vulnerable."}]}}},"credit":{"credit_data":{"description":{"description_data":[{"lang":"eng","value":"This issue was discovered by Julien Grall of Amazon."}]}}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"xen/arm: No memory limit for dom0less domUs. The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit for them is not set. This allows a domain to allocate memory beyond what an administrator originally configured."}]},"impact":{"impact_data":{"description":{"description_data":[{"lang":"eng","value":"Malicious dom0less guest could drive Xen out of memory and may\nresult in a Denial of Service (DoS) attack affecting the entire\nsystem."}]}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"unknown"}]}]},"references":{"reference_data":[{"name":"https://xenbits.xenproject.org/xsa/advisory-383.txt","refsource":"MISC","url":"https://xenbits.xenproject.org/xsa/advisory-383.txt"},{"name":"FEDORA-2021-4f129cc0c1","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"},{"name":"FEDORA-2021-d68ed12e46","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"},{"name":"DSA-4977","refsource":"DEBIAN","url":"https://www.debian.org/security/2021/dsa-4977"},{"name":"FEDORA-2021-081f9bf5d2","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"},{"name":"GLSA-202208-23","refsource":"GENTOO","url":"https://security.gentoo.org
/glsa/202208-23"}]},"workaround":{"workaround_data":{"description":{"description_data":[{"lang":"eng","value":"There is no known mitigation."}]}}}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T21:47:33.168Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://xenbits.xenproject.org/xsa/advisory-383.txt"},{"name":"FEDORA-2021-4f129cc0c1","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"},{"name":"FEDORA-2021-d68ed12e46","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"},{"name":"DSA-4977","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"https://www.debian.org/security/2021/dsa-4977"},{"name":"FEDORA-2021-081f9bf5d2","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"},{"name":"GLSA-202208-23","tags":["vendor-advisory","x_refsource_GENTOO","x_transferred"],"url":"https://security.gentoo.org/glsa/202208-23"}]}]},"cveMetadata":{"assignerOrgId":"23aa2041-22e1-471f-9209-9b7396fa234f","assignerShortName":"XEN","cveId":"CVE-2021-28700","datePublished":"2021-08-27T18:15:52.000Z","dateReserved":"2021-03-18T00:00:00.000Z","dateUpdated":"2024-08-03T21:47:33.168Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}