{
  "threat_severity" : "Moderate",
  "public_date" : "2017-06-20T00:00:00Z",
  "bugzilla" : {
    "description" : "xen: ARM guest disabling interrupt may crash Xen (XSA-223)",
    "id" : "1458877",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1458877"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
    "status" : "draft"
  },
  "details" : [ "Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223." ],
  "acknowledgement" : "Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Julien Grall (ARM) as the original reporter.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "xen",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-10919\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-10919\nhttp://xenbits.xen.org/xsa/advisory-223.html" ],
  "name" : "CVE-2017-10919",
  "mitigation" : {
    "value" : "On systems where the guest kernel is controlled by the host rather than\nthe guest administrator, running only kernels which do not disable SGI and\nPPI (i.e. IRQ < 32) will prevent untrusted guest users from exploiting\nthis issue. However, untrusted guest administrators can still trigger it\nunless further steps are taken to prevent them from loading code into\nthe kernel (e.g. by disabling loadable modules) or from using other\nmechanisms which allow them to run code at kernel privilege.",
    "lang" : "en:us"
  },
  "csaw" : false
}