History: Jun 18, 2018 - 1:35 a.m.

Security Bulletin: Vulnerabilities in Qemu affect PowerKVM

2018-06-18 01:35:35
www.ibm.com

CVSS3: 7.1 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2: 4.9 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C

Summary

PowerKVM is affected by vulnerabilities in Qemu. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-6835
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a buffer-over-read issue in vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c. By leveraging failure to check IP header length, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120024 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6834
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an error in net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c. By using a zero length for the current fragment length, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120023 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6833
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a use-after-free issue in vmxnet3_io_bar0_write function in hw/net/vmxnet3.c. By leveraging failure to check if the device is active, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120022 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6490
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an error in virtqueue_map_desc function in hw/virtio/virtio.c. By using a zero length for the descriptor buffer, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120021 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9106
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak issue in v9fs_write function in hw/9pfs/9p.c. By leveraging failure to free an IO vector, a local authenticated attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9105
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak issue in v9fs_link function in hw/9pfs/9p.c. By using vectors involving a reference to the source fid object, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119925 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9104
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by multiple integer overflows in the v9fs_xattr_read and v9fs_xattr_write functions in hw/9pfs/9p.c. By sending a specially-crafted offset, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119923 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9103
DESCRIPTION: QEMU could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in v9fs_xattrcreate function in hw/9pfs/9p.c. By reading xattribute values before writing to them, an attacker could exploit this vulnerability to obtain sensitive host heap memory information.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119921 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2016-9102
DESCRIPTION: Qemu is vulnerable to a denial of service, caused by a memory leak issue in v9fs_xattrcreate function in hw/9pfs/9p.c. By sending a large number of Txattrcreate messages with the same fid number, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119920 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9101
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak in hw/net/eepro100.c. By repeatedly unplugging an i8255x (PRO100) NIC device, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-8578
DESCRIPTION: QEMU (aka Quick Emulator) is vulnerable to a denial of service, caused by a NULL pointer dereference in the v9fs_iov_vunmarshal function. By sending an empty string parameter to a 9P operation, a local attacker with admin privileges could exploit this vulnerability to cause the QEMU process to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119188 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-8577
DESCRIPTION: QEMU (aka Quick Emulator) is vulnerable to a denial of service, caused by multiple memory leaks in the v9fs_read function. By using vectors related to an I/O read operation, a local attacker with admin privileges could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-8576
DESCRIPTION: QEMU (aka Quick Emulator) is vulnerable to a denial of service, caused by an error in the xhci_ring_fetch function. By failing to limit the number of link Transfer Request Blocks (TRB) to process, a local attacker with admin privileges could exploit this vulnerability to cause the application to enter into an infinite loop and the QEMU process to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119186 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-2841
DESCRIPTION: Qemu, built with the NE2000 NIC emulation support, is vulnerable to a denial of service, caused by an error when receiving packets over the network. An authenticated attacker could exploit this vulnerability to cause Qemu to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111283 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2538
DESCRIPTION: Qemu, built with the USB Net device emulation support, is vulnerable to a denial of service, caused by an integer overflow when processing remote NDIS control message packets. An attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110926 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2392
DESCRIPTION: Qemu, built with the USB Net device emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when handling the remote NDIS control message. By sending NDIS control message packets, a remote authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110684 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2391
DESCRIPTION: Qemu, built with the USB OHCI emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when OHCI transitions to an OHCI_USB_OPERATIONAL state. A remote authenticated attacker could exploit this vulnerability to create multiple eof timers and cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110685 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9916
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak in hw/9pfs/9p-proxy.c. By leveraging a missing cleanup operation in the proxy backend, a local authenticated attacker could exploit this vulnerability to cause host memory consumption and an application crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120182 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9915
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak in hw/9pfs/9p-handle.c. By leveraging a missing cleanup operation in the handle backend, a local authenticated attacker could exploit this vulnerability to cause host memory consumption and an application crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120183 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9914
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak in hw/9pfs/9p.c. By leveraging a missing cleanup operation in FileOperations, a local authenticated attacker could exploit this vulnerability to cause host memory consumption and an application crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120184 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9913
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak in v9fs_device_unrealize_common function in hw/9pfs/9p.c. By using vectors involving the order of resource cleanup, a local authenticated attacker could exploit this vulnerability to cause host memory consumption and an application crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120185 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9776
DESCRIPTION: QEMU, built with the ColdFire Fast Ethernet Controller emulator support, is vulnerable to a denial of service. By receiving packets in ‘mcf_fec_receive’, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120188 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-2198
DESCRIPTION: Qemu, built with the USB EHCI emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when attempting to write to EHCI capabilities registers. A remote authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110655 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2197
DESCRIPTION: Qemu, built with the IDE AHCI emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when unmapping the Frame Information Structure (FIS) & Command List Block (CLB) entries. A remote authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110650 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-1981
DESCRIPTION: Qemu, built with the e1000 NIC emulation support, is vulnerable to a denial of service, caused by an error when processing data. A remote authenticated attacker could exploit this vulnerability using transmit or receive descriptors to cause the application to enter into an infinite loop.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110649 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8818
DESCRIPTION: Qemu, built to use address_space_translate to map an address to a MemoryRegionSection, is vulnerable to a denial of service, when doing pci_dma_read/write calls. A remote authenticated attacker from within the local network could exploit this vulnerability to cause the guest instance to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111188 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8817
DESCRIPTION: Qemu, built to use address_space_translate to map an address to a MemoryRegionSection, is vulnerable to a denial of service, when doing pci_dma_read/write calls. A remote authenticated attacker from within the local network could exploit this vulnerability to cause the guest instance to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-8745
DESCRIPTION: Qemu, built with a VMWARE VMXNET3 paravirtual NIC emulator support, is vulnerable to a denial of service, caused by an error while reading Interrupt Mask Registers (IMR). A remote authenticated attacker could exploit this vulnerability to cause the process instance to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109364 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8744
DESCRIPTION: Qemu, built with a VMWARE VMXNET3 paravirtual NIC emulator support, is vulnerable to a denial of service, caused by the improper handling of packets. By sending Layer-2 packets smaller than 22 bytes, a remote authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109365 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-8743
DESCRIPTION: Qemu, built with the NE2000 device emulation support, could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds read or write error while performing ioport r/w operations. An authenticated attacker could exploit this vulnerability to leak or corrupt Qemu memory bytes.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109366 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-9923
DESCRIPTION: QEMU, built with the ‘chardev’ backend support, is vulnerable to a denial of service, caused by a use-after-free issue. By hotplugging and unplugging the device, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120147 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9921
DESCRIPTION: QEMU, built with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to a denial of service, caused by a divide-by-zero issue. By changing cirrus graphics mode to VGA, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120146 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9911
DESCRIPTION: QEMU, built with the USB EHCI Emulation support, is vulnerable to a denial of service, caused by a memory leak. By sending specially-crafted packet data to ‘ehci_init_transfer’, a local authenticated attacker could exploit this vulnerability to leak host memory.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-9907
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak issue in the USB redirector usb-guest support. By destroying the USB redirector in ‘usbredir_handle_destroy’, a local authenticated attacker could exploit this vulnerability to leak host memory.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120142 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-7995
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak issue in ehci_process_itd function in hw/usb/hcd-ehci.c. By using a large number of crafted buffer page select (PG) indexes, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-7466
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a memory leak issue in usb_xhci_exit function in hw/usb/hcd-xhci.c. By repeatedly unplugging a USB device, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2016-7422
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a NULL pointer dereference issue in virtqueue_map_desc function in hw/virtio/virtio.c. By using a large I/O descriptor buffer length value, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7421
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an error in pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c. By leveraging failure to limit process IO loop to the ring size, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120003 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7170
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an out-of-bounds write issue in vmsvga_fifo_run function in hw/display/vmware_vga.c. A local authenticated attacker could exploit this vulnerability using vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120002 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7156
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an error in pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c. By leveraging an incorrect cast, a local authenticated attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7155
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an out-of-bounds access issue in hw/scsi/vmw_pvscsi.c. By using a specially-crafted page count for descriptor rings, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-7116
DESCRIPTION: QEMU could allow a remote attacker to traverse directories on the system, caused by an error in hw/9pfs/9p.c. A local authenticated attacker could send a specially-crafted request containing “dot dot” sequences (/../) to access host files on the system.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-6888
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c. A local authenticated attacker could exploit this vulnerability using the maximum fragmentation count to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6836
DESCRIPTION: QEMU could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in vmxnet3_complete_packet function in hw/net/vmxnet3.c. By leveraging failure to initialize the txcq_descr object, an attacker could exploit this vulnerability to obtain sensitive host memory information.
CVSS Base Score: 6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 2.1 and PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 7.

Workarounds and Mitigations

Customers using v2.1 can work around the problem by upgrading to the fixed version of v3.1.

CPE
Name      Operator  Version
powerkvm  eq        2.1
powerkvm  eq        3.1
