Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1897146]
Acknowledgments: Name: the Xen project
External References: https://xenbits.xen.org/xsa/advisory-351.html
Statement: This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in the Extended Life Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Upstream fixes:
---
arm: https://xenbits.xen.org/xsa/xsa351-arm.patch
arm-4.11: https://xenbits.xen.org/xsa/xsa351-arm-4.11.patch
---
x86-4.11-1: https://xenbits.xen.org/xsa/xsa351-x86-4.11-1.patch
x86-4.11-2: https://xenbits.xen.org/xsa/xsa351-x86-4.11-2.patch
---
x86-4.12-1: https://xenbits.xen.org/xsa/xsa351-x86-4.12-1.patch
x86-4.12-2: https://xenbits.xen.org/xsa/xsa351-x86-4.12-2.patch
---
x86-4.13-1: https://xenbits.xen.org/xsa/xsa351-x86-4.13-1.patch
x86-4.13-2: https://xenbits.xen.org/xsa/xsa351-x86-4.13-2.patch
---
x86-4.14-1: https://xenbits.xen.org/xsa/xsa351-x86-4.14-1.patch
x86-4.14-2: https://xenbits.xen.org/xsa/xsa351-x86-4.14-2.patch
Mitigation: There is no known mitigation for this flaw apart from applying the patch.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28368