            Xen Security Advisory CVE-2022-33749 / XSA-413
                               version 2

                      XAPI open file limit DoS

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

It is possible for an unauthenticated client on the network to cause
XAPI to hit its file-descriptor limit. This causes XAPI to be unable to
accept new requests for other (trusted) clients, and blocks XAPI from
carrying out any tasks that require the opening of file descriptors.

IMPACT
======

An attacker is capable of blocking connections to the XAPI HTTP
interface and of interrupting ongoing operations, causing a XAPI
toolstack Denial of Service. Such DoS would also affect any guests that
require toolstack actions.

VULNERABLE SYSTEMS
==================

All versions of XAPI are vulnerable.

Systems which are not using the XAPI toolstack are not vulnerable.

MITIGATION
==========

Not exposing the network interface XAPI is listening on to untrusted
clients will prevent the issue.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa413/xsa413-*.patch       Xapi master

$ sha256sum xsa413*/*
63f72af7a92944700318add5cc200160ff7f834b6d304dd22441fa2de74c7b83  xsa413/xsa413-1.patch
6fbcbfb1915ebc4a726374d94e050406d8f1d52c3cb9afc06bcf7cec9e5a19c8  xsa413/xsa413-2.patch
c41de04ff2b63756e693c6c75ec4d7206a88db06c1da0b263c9d0644da90ef8b  xsa413/xsa413-3.patch
6ee2dc09f6c5f64ce9627e9b4e314237817f7c0c2eebe30a2c83709d1faf0050  xsa413/xsa413-4.patch
360a5099ece45118488706acd76b6da3ca8e6f107cee24586dbf6ec7f5858aeb  xsa413/xsa413-5.patch
cc79e086affcfd784ab8cd38e1d0acd6adb241c24141f3409161e417cc314b28  xsa413/xsa413-6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
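
A monitoring check for the condition described under ISSUE DESCRIPTION
(an added example, not part of the Xen Project advisory or its patches):
it compares a process's open file descriptors with its soft "Max open
files" limit as exposed under /proc. The function names, the 80%
threshold and the process name "xapi" in the usage comment are
assumptions.

```shell
#!/bin/sh
# Added example: report how close a process is to its open-file limit,
# using the per-process files the Linux kernel exposes under /proc/<pid>.

# fd_usage PROC_DIR -> prints "<open> <soft_limit> <percent>"
# PROC_DIR is a /proc/<pid> directory (a parameter so it can be tested).
# Returns 2 if the limit or the fd table cannot be read (e.g. not root).
fd_usage() {
    proc_dir=$1
    [ -r "$proc_dir/limits" ] || return 2
    [ -r "$proc_dir/fd" ] || return 2
    # Line format: "Max open files  <soft>  <hard>  files"; soft is field 4.
    soft=$(awk '/^Max open files/ { print $4 }' "$proc_dir/limits")
    case $soft in
        ''|*[!0-9]*) return 2 ;;   # "unlimited" or unparsable
    esac
    [ "$soft" -gt 0 ] || return 2
    # Each entry in fd/ is one open descriptor.
    open=$(ls -A "$proc_dir/fd" | wc -l | tr -d ' ')
    echo "$open $soft $(( open * 100 / soft ))"
}

# fd_alert PROC_DIR THRESHOLD_PERCENT
# Exit status 0: usage below threshold; 1: at or above it; 2: unreadable.
fd_alert() {
    usage=$(fd_usage "$1") || return 2
    pct=${usage##* }
    [ "$pct" -lt "$2" ]
}

# Example use from cron (assumes the daemon's process name is "xapi"):
#   fd_alert "/proc/$(pidof -s xapi)" 80 ||
#       logger -p daemon.warning "xapi fd usage: $(fd_usage "/proc/$(pidof -s xapi)")"
```

A sustained climb toward the limit while the listening interface is
reachable from untrusted networks is the signal to check against the
MITIGATION section.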