Neither xenstore implementation does any permissions checks when
reporting a xenstore watch event.
A guest administrator can watch the root xenstored node, which will
cause notifications for every created, modified and deleted key.
A guest administrator can also use the special watches, which will
cause a notification every time a domain is created and destroyed.
Data may include:
- number, type and domids of other VMs
- existence and domids of driver domains
- numbers of virtual interfaces, block devices, vcpus
- existence of virtual framebuffers and their backend style (eg,
existence of VNC service)
- Xen VM UUIDs for other domains
- timing information about domain creation and device setup
- some hints at the backend provisioning of VMs and their devices
The watch events do not contain values stored in xenstore, only key
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1908091]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.