CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
39.9%
Issue Overview:
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object ‘req’ from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. (CVE-2021-3392)
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the ‘page’ argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. (CVE-2021-3930)
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values cursor->header.width
and cursor->header.height
can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)
An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)
Affected Packages:
qemu
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update qemu to update your system.
New Packages:
aarch64:
qemu-3.1.0-8.amzn2.0.10.aarch64
qemu-common-3.1.0-8.amzn2.0.10.aarch64
qemu-guest-agent-3.1.0-8.amzn2.0.10.aarch64
qemu-img-3.1.0-8.amzn2.0.10.aarch64
ivshmem-tools-3.1.0-8.amzn2.0.10.aarch64
qemu-block-curl-3.1.0-8.amzn2.0.10.aarch64
qemu-block-dmg-3.1.0-8.amzn2.0.10.aarch64
qemu-block-iscsi-3.1.0-8.amzn2.0.10.aarch64
qemu-block-nfs-3.1.0-8.amzn2.0.10.aarch64
qemu-block-rbd-3.1.0-8.amzn2.0.10.aarch64
qemu-block-ssh-3.1.0-8.amzn2.0.10.aarch64
qemu-audio-alsa-3.1.0-8.amzn2.0.10.aarch64
qemu-audio-oss-3.1.0-8.amzn2.0.10.aarch64
qemu-audio-pa-3.1.0-8.amzn2.0.10.aarch64
qemu-audio-sdl-3.1.0-8.amzn2.0.10.aarch64
qemu-ui-curses-3.1.0-8.amzn2.0.10.aarch64
qemu-ui-gtk-3.1.0-8.amzn2.0.10.aarch64
qemu-ui-sdl-3.1.0-8.amzn2.0.10.aarch64
qemu-kvm-3.1.0-8.amzn2.0.10.aarch64
qemu-kvm-core-3.1.0-8.amzn2.0.10.aarch64
qemu-user-3.1.0-8.amzn2.0.10.aarch64
qemu-user-binfmt-3.1.0-8.amzn2.0.10.aarch64
qemu-user-static-3.1.0-8.amzn2.0.10.aarch64
qemu-system-aarch64-3.1.0-8.amzn2.0.10.aarch64
qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.aarch64
qemu-system-x86-3.1.0-8.amzn2.0.10.aarch64
qemu-system-x86-core-3.1.0-8.amzn2.0.10.aarch64
qemu-debuginfo-3.1.0-8.amzn2.0.10.aarch64
i686:
qemu-3.1.0-8.amzn2.0.10.i686
qemu-common-3.1.0-8.amzn2.0.10.i686
qemu-guest-agent-3.1.0-8.amzn2.0.10.i686
qemu-img-3.1.0-8.amzn2.0.10.i686
ivshmem-tools-3.1.0-8.amzn2.0.10.i686
qemu-block-curl-3.1.0-8.amzn2.0.10.i686
qemu-block-dmg-3.1.0-8.amzn2.0.10.i686
qemu-block-iscsi-3.1.0-8.amzn2.0.10.i686
qemu-block-nfs-3.1.0-8.amzn2.0.10.i686
qemu-block-ssh-3.1.0-8.amzn2.0.10.i686
qemu-audio-alsa-3.1.0-8.amzn2.0.10.i686
qemu-audio-oss-3.1.0-8.amzn2.0.10.i686
qemu-audio-pa-3.1.0-8.amzn2.0.10.i686
qemu-audio-sdl-3.1.0-8.amzn2.0.10.i686
qemu-ui-curses-3.1.0-8.amzn2.0.10.i686
qemu-ui-gtk-3.1.0-8.amzn2.0.10.i686
qemu-ui-sdl-3.1.0-8.amzn2.0.10.i686
qemu-kvm-3.1.0-8.amzn2.0.10.i686
qemu-kvm-core-3.1.0-8.amzn2.0.10.i686
qemu-user-3.1.0-8.amzn2.0.10.i686
qemu-user-binfmt-3.1.0-8.amzn2.0.10.i686
qemu-user-static-3.1.0-8.amzn2.0.10.i686
qemu-system-aarch64-3.1.0-8.amzn2.0.10.i686
qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.i686
qemu-system-x86-3.1.0-8.amzn2.0.10.i686
qemu-system-x86-core-3.1.0-8.amzn2.0.10.i686
qemu-debuginfo-3.1.0-8.amzn2.0.10.i686
src:
qemu-3.1.0-8.amzn2.0.10.src
x86_64:
qemu-3.1.0-8.amzn2.0.10.x86_64
qemu-common-3.1.0-8.amzn2.0.10.x86_64
qemu-guest-agent-3.1.0-8.amzn2.0.10.x86_64
qemu-img-3.1.0-8.amzn2.0.10.x86_64
ivshmem-tools-3.1.0-8.amzn2.0.10.x86_64
qemu-block-curl-3.1.0-8.amzn2.0.10.x86_64
qemu-block-dmg-3.1.0-8.amzn2.0.10.x86_64
qemu-block-iscsi-3.1.0-8.amzn2.0.10.x86_64
qemu-block-nfs-3.1.0-8.amzn2.0.10.x86_64
qemu-block-rbd-3.1.0-8.amzn2.0.10.x86_64
qemu-block-ssh-3.1.0-8.amzn2.0.10.x86_64
qemu-audio-alsa-3.1.0-8.amzn2.0.10.x86_64
qemu-audio-oss-3.1.0-8.amzn2.0.10.x86_64
qemu-audio-pa-3.1.0-8.amzn2.0.10.x86_64
qemu-audio-sdl-3.1.0-8.amzn2.0.10.x86_64
qemu-ui-curses-3.1.0-8.amzn2.0.10.x86_64
qemu-ui-gtk-3.1.0-8.amzn2.0.10.x86_64
qemu-ui-sdl-3.1.0-8.amzn2.0.10.x86_64
qemu-kvm-3.1.0-8.amzn2.0.10.x86_64
qemu-kvm-core-3.1.0-8.amzn2.0.10.x86_64
qemu-user-3.1.0-8.amzn2.0.10.x86_64
qemu-user-binfmt-3.1.0-8.amzn2.0.10.x86_64
qemu-user-static-3.1.0-8.amzn2.0.10.x86_64
qemu-system-aarch64-3.1.0-8.amzn2.0.10.x86_64
qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.x86_64
qemu-system-x86-3.1.0-8.amzn2.0.10.x86_64
qemu-system-x86-core-3.1.0-8.amzn2.0.10.x86_64
qemu-debuginfo-3.1.0-8.amzn2.0.10.x86_64
Red Hat: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144
Mitre: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
39.9%