Lucene search

K
amazonAmazonALAS2-2023-2061
HistoryMay 25, 2023 - 5:41 p.m.

Medium: qemu

2023-05-2517:41:00
alas.aws.amazon.com
10

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

29.3%

Issue Overview:

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object ‘req’ from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. (CVE-2021-3392)

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)

An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the ‘page’ argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. (CVE-2021-3930)

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values cursor->header.width and cursor->header.height can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Affected Packages:

qemu

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update qemu to update your system.

New Packages:

aarch64:  
    qemu-3.1.0-8.amzn2.0.10.aarch64  
    qemu-common-3.1.0-8.amzn2.0.10.aarch64  
    qemu-guest-agent-3.1.0-8.amzn2.0.10.aarch64  
    qemu-img-3.1.0-8.amzn2.0.10.aarch64  
    ivshmem-tools-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-curl-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-dmg-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-nfs-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-rbd-3.1.0-8.amzn2.0.10.aarch64  
    qemu-block-ssh-3.1.0-8.amzn2.0.10.aarch64  
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.aarch64  
    qemu-audio-oss-3.1.0-8.amzn2.0.10.aarch64  
    qemu-audio-pa-3.1.0-8.amzn2.0.10.aarch64  
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.aarch64  
    qemu-ui-curses-3.1.0-8.amzn2.0.10.aarch64  
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.aarch64  
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.aarch64  
    qemu-kvm-3.1.0-8.amzn2.0.10.aarch64  
    qemu-kvm-core-3.1.0-8.amzn2.0.10.aarch64  
    qemu-user-3.1.0-8.amzn2.0.10.aarch64  
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.aarch64  
    qemu-user-static-3.1.0-8.amzn2.0.10.aarch64  
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.aarch64  
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.aarch64  
    qemu-system-x86-3.1.0-8.amzn2.0.10.aarch64  
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.aarch64  
    qemu-debuginfo-3.1.0-8.amzn2.0.10.aarch64  
  
i686:  
    qemu-3.1.0-8.amzn2.0.10.i686  
    qemu-common-3.1.0-8.amzn2.0.10.i686  
    qemu-guest-agent-3.1.0-8.amzn2.0.10.i686  
    qemu-img-3.1.0-8.amzn2.0.10.i686  
    ivshmem-tools-3.1.0-8.amzn2.0.10.i686  
    qemu-block-curl-3.1.0-8.amzn2.0.10.i686  
    qemu-block-dmg-3.1.0-8.amzn2.0.10.i686  
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.i686  
    qemu-block-nfs-3.1.0-8.amzn2.0.10.i686  
    qemu-block-ssh-3.1.0-8.amzn2.0.10.i686  
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.i686  
    qemu-audio-oss-3.1.0-8.amzn2.0.10.i686  
    qemu-audio-pa-3.1.0-8.amzn2.0.10.i686  
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.i686  
    qemu-ui-curses-3.1.0-8.amzn2.0.10.i686  
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.i686  
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.i686  
    qemu-kvm-3.1.0-8.amzn2.0.10.i686  
    qemu-kvm-core-3.1.0-8.amzn2.0.10.i686  
    qemu-user-3.1.0-8.amzn2.0.10.i686  
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.i686  
    qemu-user-static-3.1.0-8.amzn2.0.10.i686  
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.i686  
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.i686  
    qemu-system-x86-3.1.0-8.amzn2.0.10.i686  
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.i686  
    qemu-debuginfo-3.1.0-8.amzn2.0.10.i686  
  
src:  
    qemu-3.1.0-8.amzn2.0.10.src  
  
x86_64:  
    qemu-3.1.0-8.amzn2.0.10.x86_64  
    qemu-common-3.1.0-8.amzn2.0.10.x86_64  
    qemu-guest-agent-3.1.0-8.amzn2.0.10.x86_64  
    qemu-img-3.1.0-8.amzn2.0.10.x86_64  
    ivshmem-tools-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-curl-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-dmg-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-nfs-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-rbd-3.1.0-8.amzn2.0.10.x86_64  
    qemu-block-ssh-3.1.0-8.amzn2.0.10.x86_64  
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.x86_64  
    qemu-audio-oss-3.1.0-8.amzn2.0.10.x86_64  
    qemu-audio-pa-3.1.0-8.amzn2.0.10.x86_64  
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.x86_64  
    qemu-ui-curses-3.1.0-8.amzn2.0.10.x86_64  
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.x86_64  
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.x86_64  
    qemu-kvm-3.1.0-8.amzn2.0.10.x86_64  
    qemu-kvm-core-3.1.0-8.amzn2.0.10.x86_64  
    qemu-user-3.1.0-8.amzn2.0.10.x86_64  
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.x86_64  
    qemu-user-static-3.1.0-8.amzn2.0.10.x86_64  
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.x86_64  
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.x86_64  
    qemu-system-x86-3.1.0-8.amzn2.0.10.x86_64  
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.x86_64  
    qemu-debuginfo-3.1.0-8.amzn2.0.10.x86_64  

Additional References

Red Hat: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144

Mitre: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

29.3%

Related for ALAS2-2023-2061