[Debian] High CVE: CVE-2020-14394/CVE-2021-20196/.../CVE-2023-3301/CVE-2023-3354 qemu: multiple CVEs
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| StarlingX |
Fix Released
|
High
|
Zhixiong Chi | ||
Bug Description
CVE-2020-14394: https:/
An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
CVE-2021-20196: https:/
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20203: https:/
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-3507: https:/
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_
CVE-2021-3930: https:/
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVE-2022-0216: https:/
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVE-2023-0330: https:/
A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
CVE-2023-1544: https:/
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
CVE-2023-3180: https:/
A flaw was found in the QEMU virtual crypto device while handling data encryption/
CVE-2023-3301: https:/
A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
CVE-2023-3354: https:/
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Base Score: High
Reference:
qemu_1:
| Changed in starlingx: | |
| assignee: | nobody → Zhixiong Chi (zhixiongchi) |
| status: | Triaged → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to virt (master) | #1 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to tools (master) | #2 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to tools (master) | #3 |
| Changed in starlingx: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix merged to virt (master) | #4 |
Fix proposed to branch: master
Review: https:/