{ "CVE_data_meta": { "ASSIGNER": "security@xen.org", "ID": "CVE-2021-28690", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "xen", "version": { "version_data": [ { "version_affected": "?<", "version_value": "4.12" }, { "version_affected": ">=", "version_value": "4.13.x" }, { "version_affected": "!>", "version_value": "xen-unstable" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.12.x" } ] } }, { "product_name": "xen", "version": { "version_data": [ { "version_value": "4.11.x" } ] } } ] }, "vendor_name": "Xen" } ] } }, "configuration": { "configuration_data": { "description": { "description_data": [ { "lang": "eng", "value": "See XSA-305 for details of susceptibility to TAA.\n\nOnly systems which are susceptible to TAA and have the XSA-305 fix are\nvulnerable. Only systems which support S3 suspend/resume are vulnerable.\n\nThe vulnerability is only exposed if S3 suspend/resume is used." } ] } } }, "credit": { "credit_data": { "description": { "description_data": [ { "lang": "eng", "value": "This issue was discovered by Andrew Cooper of Citrix." } ] } } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend." } ] }, "impact": { "impact_data": { "description": { "description_data": [ { "lang": "eng", "value": "After using S3 suspend at least once, CPU0 remains vulnerable to TAA.\n\nThis is an information leak. For full details of the impact, see\nXSA-305." } ] } } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "unknown" } ] } ] }, "references": { "reference_data": [ { "url": "https://xenbits.xenproject.org/xsa/advisory-377.txt", "refsource": "MISC", "name": "https://xenbits.xenproject.org/xsa/advisory-377.txt" }, { "refsource": "GENTOO", "name": "GLSA-202107-30", "url": "https://security.gentoo.org/glsa/202107-30" } ] }, "workaround": { "workaround_data": { "description": { "description_data": [ { "lang": "eng", "value": "Not using S3 suspend/resume avoids the vulnerability." } ] } } } }