Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2022-9869.NASL
HistoryOct 11, 2022 - 12:00 a.m.

Oracle Linux 9 : qemu-kvm (ELSA-2022-9869)

2022-10-1100:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

8 High

AI Score

Confidence

Low

JSON

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9869 advisory.

  • A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  • A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values cursor->header.width and cursor->header.height can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)

  • A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. (CVE-2022-0216)

  • A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. (CVE-2022-26353)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2022-9869.
##

include('compat.inc');

if (description)
{
  script_id(166003);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/26");

  script_cve_id(
    "CVE-2021-4206",
    "CVE-2021-4207",
    "CVE-2022-0216",
    "CVE-2022-26353"
  );

  script_name(english:"Oracle Linux 9 : qemu-kvm (ELSA-2022-9869)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2022-9869 advisory.

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()
    function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer
    overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or
    potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values
    `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object
    followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw
    to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU
    process. (CVE-2021-4207)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The
    flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout
    function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the
    host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for
    CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and
    other unexpected results. Affected QEMU version: 6.2.0. (CVE-2022-26353)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2022-9869.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-4207");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-guest-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-block-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-block-iscsi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-block-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-block-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-virtiofsd");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
var os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

var pkgs = [
    {'reference':'qemu-guest-agent-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-guest-agent-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-img-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-img-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-curl-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-curl-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-iscsi-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-iscsi-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-rbd-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-rbd-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-ssh-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-block-ssh-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-common-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-common-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-core-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-kvm-core-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-virtiofsd-6.1.1-4.el9', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'},
    {'reference':'qemu-virtiofsd-6.1.1-4.el9', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'30'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release) {
    if (exists_check) {
        if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, require_epoch_match:TRUE, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, require_epoch_match:TRUE, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu-guest-agent / qemu-img / qemu-kvm / etc');
}
VendorProductVersionCPE
oraclelinuxqemu-imgp-cpe:/a:oracle:linux:qemu-img
oraclelinuxqemu-kvmp-cpe:/a:oracle:linux:qemu-kvm
oraclelinuxqemu-kvm-commonp-cpe:/a:oracle:linux:qemu-kvm-common
oraclelinuxqemu-guest-agentp-cpe:/a:oracle:linux:qemu-guest-agent
oraclelinuxqemu-kvm-block-curlp-cpe:/a:oracle:linux:qemu-kvm-block-curl
oraclelinuxqemu-kvm-block-iscsip-cpe:/a:oracle:linux:qemu-kvm-block-iscsi
oraclelinuxqemu-kvm-block-rbdp-cpe:/a:oracle:linux:qemu-kvm-block-rbd
oraclelinuxqemu-kvm-block-sshp-cpe:/a:oracle:linux:qemu-kvm-block-ssh
oraclelinuxqemu-kvm-corep-cpe:/a:oracle:linux:qemu-kvm-core
oraclelinux9cpe:/o:oracle:linux:9
Rows per page:
1-10 of 111

Related

nessus 58
openvas 39
oraclelinux 14
osv 12
redhat 5
suse 9
almalinux 2
ubuntucve 6
rocky 1
cve 5
prion 5
debiancve 6
f5 2
redhatcve 6
debian 2
ubuntu 2
cbl_mariner 11
veracode 5
alpinelinux 3
cnvd 2
fedora 2
redos 1
gentoo 1
nessus
nessus
Oracle Linux 8 : kvm_utils2 (ELSA-2022-9862)
2022-10-14 00:00:00
EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-2898)
2022-12-27 00:00:00
EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-2880)
2022-12-27 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2022-2898)
2022-12-28 00:00:00
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2022-2880)
2022-12-28 00:00:00
openSUSE: Security Advisory for qemu (SUSE-SU-2022:2260-1)
2022-07-05 00:00:00
oraclelinux
oraclelinux
kvm_utils2 security update
2022-10-13 00:00:00
qemu-kvm security update
2022-10-10 00:00:00
virt:ol and virt-devel:ol security, bug fix, and enhancement update
2022-08-05 00:00:00
osv
osv
Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-08-02 00:00:00
Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-08-02 07:04:52
CVE-2022-26353
2022-03-16 15:15:16
redhat
redhat
(RHSA-2022:5821) Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-08-02 07:04:52
(RHSA-2022:5002) Moderate: virt:av and virt-devel:av security and bug fix update
2022-06-13 11:33:46
(RHSA-2021:4112) Moderate: virt:av and virt-devel:av security and bug fix update
2021-11-03 08:25:05
suse
suse
Security update for qemu (important)
2022-07-04 00:00:00
Security update for qemu (important)
2022-07-04 00:00:00
Security update for qemu (important)
2022-10-17 00:00:00
almalinux
almalinux
Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-08-02 00:00:00
Moderate: qemu-kvm security and bug fix update
2022-07-01 00:00:00
ubuntucve
ubuntucve
CVE-2022-26353
2022-03-16 00:00:00
CVE-2021-3748
2021-08-31 00:00:00
CVE-2021-4206
2022-04-29 00:00:00
rocky
rocky
virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-08-02 07:04:52
cve
cve
CVE-2022-26353
2022-03-16 15:15:00
CVE-2021-3748
2022-03-23 20:15:00
CVE-2022-0216
2022-08-26 18:15:00
prion
prion
Design/Logic Flaw
2022-03-16 15:15:00
Design/Logic Flaw
2022-03-23 20:15:00
Design/Logic Flaw
2022-08-26 18:15:00
debiancve
debiancve
CVE-2022-26353
2022-03-16 15:15:00
CVE-2021-3748
2022-03-23 20:15:00
CVE-2022-0216
2022-08-26 18:15:00
f5
f5
K63714476 : Linux kernel vulnerabilities CVE-2022-26353 and CVE-2021-3748
2022-04-19 00:00:00
K000133511 : QEMU vulnerability CVE-2022-0216
2023-04-14 00:00:00
redhatcve
redhatcve
CVE-2022-26353
2022-03-11 14:16:08
CVE-2021-3748
2021-08-30 11:14:20
CVE-2021-4206
2022-04-01 10:34:12
debian
debian
[SECURITY] [DSA 5133-1] qemu security update
2022-05-09 20:44:24
[SECURITY] [DLA 2970-1] qemu security update
2022-04-04 13:21:47
ubuntu
ubuntu
QEMU vulnerabilities
2022-06-21 00:00:00
QEMU vulnerabilities
2022-12-12 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-26353 affecting package qemu 6.2.0-18
2024-03-19 17:21:46
CVE-2022-26353 affecting package qemu 6.2.0-2
2022-06-03 17:54:21
CVE-2021-3748 affecting package qemu-kvm 4.2.0-38
2022-05-26 19:04:44
veracode
veracode
Memory Leak
2022-04-27 08:09:27
Denial Of Service (DoS)
2021-10-01 04:59:17
Denial Of Service (DoS)
2022-04-27 11:56:54
alpinelinux
alpinelinux
CVE-2021-3748
2022-03-23 20:15:00
CVE-2021-4206
2022-04-29 17:15:00
CVE-2021-4207
2022-04-29 17:15:00
cnvd
cnvd
QEMU Buffer Overflow Vulnerability (CNVD-2023-80120)
2022-05-24 00:00:00
QEMU Buffer Overflow Vulnerability (CNVD-2023-80119)
2022-05-24 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: qemu-6.2.0-14.fc36
2022-08-18 02:05:09
[SECURITY] Fedora 37 Update: qemu-7.0.0-10.fc37
2022-11-10 22:49:15
redos
redos
ROS-20220125-17
2022-01-25 00:00:00
gentoo
gentoo
QEMU: Multiple Vulnerabilities
2022-08-14 00:00:00

8 High

AI Score

Confidence

Low

JSON
Related for ORACLELINUX_ELSA-2022-9869.NASL
nessus58openvas39oraclelinux14osv12redhat5suse9almalinux2ubuntucve6rocky1cve5prion5debiancve6f52redhatcve6debian2ubuntu2cbl_mariner11veracode5alpinelinux3cnvd2fedora2redos1gentoo1