CVE-2022-42319: 
NixOS vulnerability analysis and mitigation

CVE-2022-42319 is a vulnerability in Xen's Xenstore component discovered by Julien Grall of Amazon and publicly disclosed on November 1, 2022. The vulnerability affects Xen systems version 4.9 and newer running the C variant of Xenstore (xenstored or xenstore-stubdom). Systems using the Ocaml variant of Xenstore (oxenstored) are not affected (Xen Advisory).

When processing a guest request, xenstored allocates temporary memory that is only freed after the request is completely finished, which occurs when the guest reads the response message from the ring page. If a guest deliberately does not read the response, it can prevent xenstored from freeing the temporary memory, leading to memory shortages. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (NVD).

A malicious guest can cause a Denial of Service (DoS) of xenstored, which results in the inability to create new guests or modify the configuration of already running guests (Xen Advisory).

The primary mitigation is to use oxenstored instead of xenstored, which completely avoids the vulnerability. For affected systems, patches have been released for Xen versions 4.13.x through 4.16.x. Various Linux distributions have also released security updates, including Debian (4.14.5+86-g1c354767d5-1) and Fedora (Debian Advisory, Fedora Update).