CVE-2024-45819: 
NixOS vulnerability analysis and mitigation

CVE-2024-45819 (XSA-464) is a vulnerability in Xen's libxl component that affects the ACPI table construction for PVH guests. The vulnerability was discovered by Jason Andryuk of AMD and publicly disclosed on November 12, 2024. The issue affects Xen versions 4.8 and onwards, specifically impacting x86 systems running PVH guests (Xen Advisory).

The vulnerability occurs during the construction of ACPI tables by the toolstack for PVH guests. While the tables are initially built in local memory and then copied to guest memory, the excess allocated space retains its prior contents instead of being cleared. This creates a potential information leak vector. The vulnerability has been assigned a CVSS 3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

An unprivileged guest may gain unauthorized access to sensitive information pertaining to the host, control domain, or other guests. The vulnerability specifically affects PVH guests, while HVM and PV guests are not directly impacted. Additionally, PV guests running inside the PVH shim cannot leverage this vulnerability as they cannot architecturally access the leaked data (Xen Advisory, OSS Security).

As a temporary mitigation, administrators can avoid the vulnerability by running only PV or HVM guests. For a permanent fix, system administrators should apply the provided patch (xsa464.patch) to their Xen installations. The patch has been prepared for stable branches, though it may require adjustments when applying to the most recent release tarball (Xen Advisory).