ID OPENVAS:1361412562310850862 Type openvas Reporter Copyright (C) 2015 Greenbone Networks GmbH Modified 2017-12-08T00:00:00
Description
Check the version of qemu
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_suse_2015_1519_1.nasl 8046 2017-12-08 08:48:56Z santu $
#
# SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# check runs.
if (description) {
  # Identity of this check.
  script_oid("1.3.6.1.4.1.25623.1.0.850862");
  script_version("$Revision: 8046 $");
  script_name("SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)");
  script_family("SuSE Local Security Checks");
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_category(ACT_GATHER_INFO);

  # Revision bookkeeping.
  script_tag(name:"creation_date", value:"2015-10-15 12:23:43 +0200 (Thu, 15 Oct 2015)");
  script_tag(name:"last_modification", value:"$Date: 2017-12-08 09:48:56 +0100 (Fri, 08 Dec 2017) $");

  # Covered CVEs and the single severity declared for the whole advisory.
  script_cve_id("CVE-2015-3209", "CVE-2015-4037");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  # Detection quality: the verdict comes from comparing package versions,
  # not from probing the running qemu.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  # Human-readable report text.
  script_tag(name:"summary", value:"Check the version of qemu");
  script_tag(name:"vuldetect", value:"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.");
  # The insight value is a multi-line literal; its continuation lines stay at
  # column 0 because the line breaks and leading text are part of the string.
  script_tag(name:"insight", value:"
qemu was updated to fix two security issues and augments one non-security
bug fix.
The following vulnerabilities were fixed:
* CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to
host escape (XSA-135) (bsc#932770)
* CVE-2015-4037: Avoid predictable directory name for smb config
(bsc#932267)
The fix for the following non-security bug was improved:
* bsc#893892: Use improved upstream patch for display issue affecting
installs of SLES 11 VMs on SLES 12");
  script_tag(name:"affected", value:"qemu on SUSE Linux Enterprise Desktop 12");
  script_tag(name:"solution", value:"Please Install the Updated Packages.");
  script_xref(name:"SUSE-SU", value:"2015:1519_1");

  # Preconditions: the package-list gatherer must have run, and both KB keys
  # must be present, so this check needs an authenticated SSH scan of a SUSE
  # host. Without them the plugin is not launched at all, which is "not
  # checked", not "not vulnerable".
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/suse", "ssh/login/rpms");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
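# Check phase: compare the installed qemu packages against the fixed versions
# shipped with SUSE-SU-2015:1519-1 and report every package that is behind.
#
# The release string is read from the knowledge base; presumably it is
# written by gather-package-list.nasl (the declared dependency).
release = get_kb_item("ssh/login/release");

# No release recorded: nothing can be compared, so leave without a verdict.
if(release == NULL){
  exit(0);
}

if(release == "SLED12.0SP0")
{
  # Accumulate the findings of all packages instead of stopping at the first
  # hit, so the report lists every package that still needs the update.
  report = "";

  # isrpmvuln() comes from pkg-lib-rpm.inc; a non-NULL result is the text to
  # report for that package. Names/versions use the "name~version~release" form.
  if ((res = isrpmvuln(pkg:"qemu", rpm:"qemu~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-block-curl", rpm:"qemu-block-curl~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-block-curl-debuginfo", rpm:"qemu-block-curl-debuginfo~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-debugsource", rpm:"qemu-debugsource~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-kvm", rpm:"qemu-kvm~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-tools", rpm:"qemu-tools~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-tools-debuginfo", rpm:"qemu-tools-debuginfo~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-x86", rpm:"qemu-x86~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-x86-debuginfo", rpm:"qemu-x86-debuginfo~2.0.2~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  # The firmware sub-packages carry their own upstream versions, so their
  # version fields differ from the 2.0.2 used by the qemu packages above.
  if ((res = isrpmvuln(pkg:"qemu-ipxe", rpm:"qemu-ipxe~1.0.0~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-seabios", rpm:"qemu-seabios~1.7.4~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  # The generated check used pkg:"qemu-sgabios-8" with rpm:"qemu-sgabios-8~48.4.1",
  # i.e. the version "8" was folded into the package name. Every other entry
  # here is name~version~release, so that lookup presumably never matched an
  # installed package and this component was silently skipped (a false
  # negative). Split back into name "qemu-sgabios", version "8".
  # NOTE(review): confirm the package name against the SUSE-SU-2015:1519-1 package list.
  if ((res = isrpmvuln(pkg:"qemu-sgabios", rpm:"qemu-sgabios~8~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  if ((res = isrpmvuln(pkg:"qemu-vgabios", rpm:"qemu-vgabios~1.7.4~48.4.1", rls:"SLED12.0SP0")) != NULL)
  {
    report += res;
  }

  # At least one package is older than the fixed version: raise one finding
  # that names all of them.
  if (report != "")
  {
    security_message(data:report);
    exit(0);
  }

  # __pkg_match is presumably set by pkg-lib-rpm.inc when a listed package was
  # found installed; exit code 99 then records an explicit "not vulnerable"
  # result rather than "nothing checked".
  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}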
{"id": "OPENVAS:1361412562310850862", "bulletinFamily": "scanner", "title": "SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)", "description": "Check the version of qemu", "published": "2015-10-15T00:00:00", "modified": "2017-12-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850862", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["2015:1519_1"], "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "type": "openvas", "lastseen": "2017-12-12T11:15:28", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Check the version of qemu", "edition": 1, "enchantments": {}, "hash": "77b7fd556d6742042923b1f32678328d441e928ec3e6835bf1bd83c3ebade6fa", "hashmap": [{"hash": "f1f6ba73ac687468d4c9b5fa6eeca3d0", "key": "pluginID"}, {"hash": "c9c472afab0fcb66982d0008ee7d4099", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "b97832d09ae4c91fdffb66747630f61e", "key": "sourceData"}, {"hash": "9540d42155abfa15dcf6c1147830b922", "key": "description"}, {"hash": "cef2f51ca68178cc378b97521d4e951b", "key": "modified"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "49f0a07035ad79964ced679f310578d1", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "e82095d5f3ede215ff38dcae1f5c7b05", "key": "title"}, {"hash": "092308648d96cd05406a07d3e278adb0", "key": "published"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "ce0063a6660369d52e447030b795ef12", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850862", "id": "OPENVAS:1361412562310850862", 
"lastseen": "2017-07-02T21:11:38", "modified": "2017-05-22T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310850862", "published": "2015-10-15T00:00:00", "references": ["http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html", "2015:1519_1"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850862\");\n script_version(\"$Revision: 6183 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-22 11:03:43 +0200 (Mon, 22 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:23:43 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2015-3209\", \"CVE-2015-4037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\");\n script_tag(name: \"summary\", value: \"Check the version of qemu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n qemu was updated to fix two security issues and augments one non-security\n bug fix.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (bsc#932770)\n * CVE-2015-4037: Avoid predictable directory name for smb config\n (bsc#932267)\n\n The fix for the following non-security bug was improved:\n\n * bsc#893892: Use improved upstream patch for display issue affecting\n installs of SLES 11 VMs on SLES 12\");\n script_tag(name: \"affected\", value: \"qemu on SUSE Linux Enterprise Desktop 12\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"SUSE-SU\", value: \"2015:1519_1\");\n script_xref(name: \"URL\" , value: 
\"http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:suse:linux_enterprise_desktop\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl\", rpm:\"qemu-block-curl~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl-debuginfo\", rpm:\"qemu-block-curl-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-debugsource\", rpm:\"qemu-debugsource~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools\", rpm:\"qemu-tools~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools-debuginfo\", rpm:\"qemu-tools-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86\", rpm:\"qemu-x86~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86-debuginfo\", rpm:\"qemu-x86-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ipxe\", rpm:\"qemu-ipxe~1.0.0~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-seabios\", rpm:\"qemu-seabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-sgabios-8\", rpm:\"qemu-sgabios-8~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-vgabios\", rpm:\"qemu-vgabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:38"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Check the version of qemu", "edition": 2, "enchantments": {}, "hash": "560c2c00d913891dbe44c764489567486339feff5e43f33059c6a27f845ed684", "hashmap": [{"hash": "f1f6ba73ac687468d4c9b5fa6eeca3d0", "key": "pluginID"}, {"hash": "c9c472afab0fcb66982d0008ee7d4099", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "9540d42155abfa15dcf6c1147830b922", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "49f0a07035ad79964ced679f310578d1", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": 
"e82095d5f3ede215ff38dcae1f5c7b05", "key": "title"}, {"hash": "092308648d96cd05406a07d3e278adb0", "key": "published"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}, {"hash": "39b0358b492c33a0e1b628a705c661b4", "key": "sourceData"}, {"hash": "bf6febede5ca68e35fdf4a0f47b4ef18", "key": "modified"}, {"hash": "ce0063a6660369d52e447030b795ef12", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850862", "id": "OPENVAS:1361412562310850862", "lastseen": "2017-07-26T08:52:06", "modified": "2017-07-11T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310850862", "published": "2015-10-15T00:00:00", "references": ["http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html", "2015:1519_1"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850862\");\n script_version(\"$Revision: 6675 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:54:28 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:23:43 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2015-3209\", \"CVE-2015-4037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\");\n script_tag(name: \"summary\", value: \"Check the version of qemu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n qemu was updated to fix two security issues and augments one non-security\n bug fix.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (bsc#932770)\n * CVE-2015-4037: Avoid predictable directory name for smb config\n (bsc#932267)\n\n The fix for the following non-security bug was improved:\n\n * bsc#893892: Use improved upstream patch for display issue affecting\n installs of SLES 11 VMs on SLES 12\");\n script_tag(name: \"affected\", value: \"qemu on SUSE Linux Enterprise Desktop 12\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"SUSE-SU\", value: \"2015:1519_1\");\n script_xref(name: \"URL\" , value: 
\"http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl\", rpm:\"qemu-block-curl~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl-debuginfo\", rpm:\"qemu-block-curl-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-debugsource\", rpm:\"qemu-debugsource~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools\", rpm:\"qemu-tools~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools-debuginfo\", rpm:\"qemu-tools-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86\", rpm:\"qemu-x86~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86-debuginfo\", 
rpm:\"qemu-x86-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ipxe\", rpm:\"qemu-ipxe~1.0.0~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-seabios\", rpm:\"qemu-seabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-sgabios-8\", rpm:\"qemu-sgabios-8~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-vgabios\", rpm:\"qemu-vgabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "title": "SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)", "type": "openvas", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 2, "lastseen": "2017-07-26T08:52:06"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "49f0a07035ad79964ced679f310578d1"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "9540d42155abfa15dcf6c1147830b922"}, {"key": "href", "hash": "c9c472afab0fcb66982d0008ee7d4099"}, {"key": "modified", "hash": "5b848d2648e1ab5e5f72990b21e1966c"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "f1f6ba73ac687468d4c9b5fa6eeca3d0"}, {"key": "published", "hash": "092308648d96cd05406a07d3e278adb0"}, {"key": "references", "hash": "8c6638e312e22181a80e9c8b74bd6fc1"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "bb196a5a977dbcadcfba4e3edac6413d"}, {"key": "title", "hash": "e82095d5f3ede215ff38dcae1f5c7b05"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": 
"9650516d3e21c1b06be188f66c6052a30af3d6951587464678ddff6b0a51af8c", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_1519_1.nasl 8046 2017-12-08 08:48:56Z santu $\n#\n# SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850862\");\n script_version(\"$Revision: 8046 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:48:56 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:23:43 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2015-3209\", \"CVE-2015-4037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for qemu SUSE-SU-2015:1519-1 (qemu)\");\n script_tag(name: \"summary\", value: \"Check the version of qemu\");\n script_tag(name: \"vuldetect\", 
value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n qemu was updated to fix two security issues and augments one non-security\n bug fix.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (bsc#932770)\n * CVE-2015-4037: Avoid predictable directory name for smb config\n (bsc#932267)\n\n The fix for the following non-security bug was improved:\n\n * bsc#893892: Use improved upstream patch for display issue affecting\n installs of SLES 11 VMs on SLES 12\");\n script_tag(name: \"affected\", value: \"qemu on SUSE Linux Enterprise Desktop 12\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"SUSE-SU\", value: \"2015:1519_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl\", rpm:\"qemu-block-curl~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl-debuginfo\", rpm:\"qemu-block-curl-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-debugsource\", 
rpm:\"qemu-debugsource~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools\", rpm:\"qemu-tools~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools-debuginfo\", rpm:\"qemu-tools-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86\", rpm:\"qemu-x86~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86-debuginfo\", rpm:\"qemu-x86-debuginfo~2.0.2~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ipxe\", rpm:\"qemu-ipxe~1.0.0~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-seabios\", rpm:\"qemu-seabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-sgabios-8\", rpm:\"qemu-sgabios-8~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-vgabios\", rpm:\"qemu-vgabios~1.7.4~48.4.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "1361412562310850862"}
{"result": {"cve": [{"id": "CVE-2015-4037", "type": "cve", "title": "CVE-2015-4037", "description": "The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.", "published": "2015-08-26T15:59:05", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4037", "cvelist": ["CVE-2015-4037"], "lastseen": "2017-04-18T15:57:02"}, {"id": "CVE-2015-3209", "type": "cve", "title": "CVE-2015-3209", "description": "Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.", "published": "2015-06-15T11:59:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3209", "cvelist": ["CVE-2015-3209"], "lastseen": "2018-01-05T11:51:39"}], "nessus": [{"id": "FEDORA_2015-9599.NASL", "type": "nessus", "title": "Fedora 21 : qemu-2.1.3-8.fc21 (2015-9599)", "description": "- User interface freezes when entering space character in Xfig (bz #1151253)\n\n - CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)\n\n - Backport {Haswell,Broadwell}-noTSX cpu models (bz #1213053)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-22T00:00:00", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84307", "cvelist": ["CVE-2015-4037"], "lastseen": "2017-10-29T13:38:23"}, {"id": "FEDORA_2015-9601.NASL", "type": "nessus", "title": "Fedora 22 : qemu-2.3.0-5.fc22 (2015-9601)", "description": "- CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-12T00:00:00", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84131", "cvelist": ["CVE-2015-4037"], "lastseen": "2017-10-29T13:36:22"}, {"id": "SUSE_SU-2015-1519-1.NASL", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2015:1519-1)", "description": "qemu was updated to fix two security issues and augments one non-security bug fix.\n\nThe following vulnerabilities were fixed :\n\n - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bsc#932770)\n\n - CVE-2015-4037: Avoid predictable directory name for smb config (bsc#932267)\n\nThe fix for the following non-security bug was improved :\n\n - bsc#893892: Use improved upstream patch for display issue affecting installs of SLES 11 VMs on SLES 12\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-09-11T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85902", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2017-10-29T13:32:57"}, {"id": "DEBIAN_DSA-3285.NASL", "type": "nessus", "title": "Debian DSA-3285-1 : qemu-kvm - security update", "description": "Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.\n\n - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service.", "published": "2015-06-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84168", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2017-10-29T13:34:04"}, {"id": "SUSE_SU-2015-1152-1.NASL", "type": "nessus", "title": "SUSE SLED11 / SLES11 Security Update : KVM (SUSE-SU-2015:1152-1)", "description": "KVM was updated to fix two security issues :\n\nCVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. 
(bsc#932770)\n\nCVE-2015-4037: Predictable directory names for smb configuration.\n(bsc#932267)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84443", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2017-10-29T13:42:32"}, {"id": "UBUNTU_USN-2630-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2630-1)", "description": "Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209)\n\nKurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.\n(CVE-2015-4103)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104)\n\nJan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. 
A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84118", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:35:30"}, {"id": "DEBIAN_DSA-3284.NASL", "type": "nessus", "title": "Debian DSA-3284-1 : qemu - security update", "description": "Several vulnerabilities were discovered in qemu, a fast processor emulator.\n\n - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. 
An unprivileged user can use this flaw to cause a denial of service.\n\n - CVE-2015-4103 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4104 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4105 Jan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n - CVE-2015-4106 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.", "published": "2015-06-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84167", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-10-29T13:44:18"}, {"id": "OPENSUSE-2015-730.NASL", "type": "nessus", "title": "openSUSE Security Update : xen (openSUSE-2015-730)", "description": "Xen was updated to fix 6 security issues.\n\nThese security issues were fixed :\n\n - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642).\n\n - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267).\n\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367).\n\n - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705 bsc#950703).\n\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706).\n\n - CVE-2015-7972: 
Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845).", "published": "2015-11-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86961", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-4037"], "lastseen": "2017-10-29T13:34:58"}, {"id": "SUSE_SU-2015-1952-1.NASL", "type": "nessus", "title": "SUSE SLES11 Security Update : xen (SUSE-SU-2015:1952-1)", "description": "xen was updated to fix eight security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary files with predictable names, which allowed local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program (bsc#932267).\n\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).\n\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367).\n\n - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463).\n\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter an infinite loop (bsc#944697).\n\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to denial of service (bsc#950703).\n\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array leading to denial of service (bsc#950705).\n\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-11-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86865", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2017-10-29T13:40:06"}, {"id": "SUSE_SU-2015-1894-1.NASL", "type": "nessus", "title": "SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1894-1)", "description": "xen was updated to version 4.4.3 to fix nine security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary files with predictable names, which allowed local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program (bsc#932267).\n\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).\n\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367).\n\n - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on disks when using the qemu-xen device model, which allowed local guest users to write to a read-only disk image (bsc#947165).\n\n - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463).\n\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter an infinite loop (bsc#944697).\n\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to denial of service (bsc#950703).\n\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array leading to denial of service (bsc#950705).\n\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting 
(bsc#950706).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86753", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2017-12-28T23:07:05"}], "openvas": [{"id": "OPENVAS:1361412562310850828", "type": "openvas", "title": "SuSE Update for KVM SUSE-SU-2015:1152-1 (KVM)", "description": "Check the version of KVM", "published": "2015-10-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850828", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2017-12-12T11:15:33"}, {"id": "OPENVAS:703285", "type": "openvas", "title": "Debian Security Advisory DSA 3285-1 (qemu-kvm - security update)", "description": "Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703285", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2017-07-24T12:52:49"}, {"id": "OPENVAS:1361412562310869680", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2015-9601", "description": "Check the version of qemu", "published": "2015-07-07T00:00:00", "cvss": {"score": 7.7, "vector": 
"AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869680", "cvelist": ["CVE-2015-4037", "CVE-2015-3456"], "lastseen": "2017-07-25T10:52:37"}, {"id": "OPENVAS:1361412562310703285", "type": "openvas", "title": "Debian Security Advisory DSA 3285-1 (qemu-kvm - security update)", "description": "Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703285", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2018-04-06T11:25:54"}, {"id": "OPENVAS:1361412562310869461", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2015-9599", "description": "Check the version of qemu", "published": "2015-06-21T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869461", "cvelist": ["CVE-2014-8106", "CVE-2015-1779", "CVE-2015-4037", "CVE-2015-3456", "CVE-2014-7840"], "lastseen": "2017-07-25T10:53:15"}, {"id": "OPENVAS:1361412562310842235", "type": "openvas", "title": "Ubuntu Update for qemu USN-2630-1", "description": "Check the version of qemu", "published": "2015-06-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842235", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-12-04T11:24:28"}, {"id": "OPENVAS:1361412562310703284", "type": "openvas", "title": "Debian Security Advisory DSA 3284-1 (qemu - security update)", "description": "Several vulnerabilities were discovered\nin qemu, a fast 
processor emulator.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2018-04-06T11:27:41"}, {"id": "OPENVAS:703284", "type": "openvas", "title": "Debian Security Advisory DSA 3284-1 (qemu - security update)", "description": "Several vulnerabilities were discovered\nin qemu, a fast processor emulator.\n\nCVE-2015-3209 \nMatt Tait of Google", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-07-24T12:53:20"}, {"id": "OPENVAS:1361412562310869896", "type": "openvas", "title": "Fedora Update for qemu FEDORA-2015-13402", "description": "Check the version of qemu", "published": "2015-08-20T00:00:00", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869896", "cvelist": ["CVE-2015-3214", "CVE-2015-5158", "CVE-2015-5166", "CVE-2015-4037", "CVE-2015-3456", "CVE-2015-5745", "CVE-2015-5154", "CVE-2015-3209", "CVE-2015-5165"], "lastseen": "2017-07-25T10:52:57"}, {"id": "OPENVAS:1361412562310130069", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0310", "description": "Mageia Linux Local Security Checks mgasa-2015-0310", "published": "2015-10-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130069", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", 
"CVE-2015-3214", "CVE-2015-4037", "CVE-2015-5745", "CVE-2015-4104", "CVE-2015-5154", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2017-07-24T12:53:42"}], "suse": [{"id": "SUSE-SU-2015:1152-1", "type": "suse", "title": "Security update for KVM (important)", "description": "KVM was updated to fix two security issues:\n\n * CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest\n to host escape. (bsc#932770)\n * CVE-2015-4037: Predictable directory names for smb configuration.\n (bsc#932267)\n\n Security Issues:\n\n * CVE-2015-3209\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209</a>>\n\n", "published": "2015-06-26T15:08:01", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00027.html", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2016-09-04T11:50:35"}, {"id": "SUSE-SU-2015:1519-1", "type": "suse", "title": "Security update for qemu (important)", "description": "qemu was updated to fix two security issues and augments one non-security\n bug fix.\n\n The following vulnerabilities were fixed:\n\n * CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to\n host escape (XSA-135) (bsc#932770)\n * CVE-2015-4037: Avoid predictable directory name for smb config\n (bsc#932267)\n\n The fix for the following non-security bug was improved:\n\n * bsc#893892: Use improved upstream patch for display issue affecting\n installs of SLES 11 VMs on SLES 12\n\n", "published": "2015-09-09T18:13:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2016-09-04T11:39:29"}, {"id": "SUSE-SU-2015:1952-1", "type": "suse", "title": "Security 
update for xen (important)", "description": "xen was updated to fix eight security issues.\n\n These security issues were fixed:\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary\n files with predictable names, which allowed local users to cause a\n denial of service (instantiation failure) by creating /tmp/qemu-smb.*-*\n files before the program (bsc#932267).\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote\n attackers to cause a denial of service (crash) via a large L2 table in a\n QCOW version 1 image (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-5239: Integer overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463).\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter\n an infinite loop (bsc#944697).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to\n denial of service (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array\n leading to denial of service (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n\n", "published": "2015-11-10T18:10:12", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00016.html", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2016-09-04T11:40:21"}, {"id": "SUSE-SU-2015:1853-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated to fix nine security issues.\n\n These security issues were fixed:\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary\n files with predictable names, which allowed local users to cause a\n denial of service (instantiation failure) by creating 
/tmp/qemu-smb.*-*\n files before the program (bsc#932267).\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote\n attackers to cause a denial of service (crash) via a large L2 table in a\n QCOW version 1 image (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on\n disks when using the qemu-xen device model, which allowed local guest\n users to write to a read-only disk image (bsc#947165).\n - CVE-2015-5239: Integer overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463).\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter\n an infinite loop (bsc#944697).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to\n denial of service (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array\n leading to denial of service (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n\n These non-security issues were fixed:\n - bsc#907514: Bus fatal error: SLES 12 sudden reboot has been observed\n - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of\n guest with VT-d NIC\n - bsc#918984: Bus fatal error: SLES11-SP4 sudden reboot has been observed\n - bsc#923967: Partner-L3: Bus fatal error: SLES11-SP3 sudden reboot has\n been observed\n - bsc#941074: Device 51728 could not be connected. 
Hotplug scripts not\n working\n\n", "published": "2015-10-30T17:13:49", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00026.html", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2016-09-04T12:46:24"}, {"id": "SUSE-SU-2015:1908-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated to version 4.4.3 to fix nine security issues.\n\n These security issues were fixed:\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary\n files with predictable names, which allowed local users to cause a\n denial of service (instantiation failure) by creating /tmp/qemu-smb.*-*\n files before the program (bsc#932267).\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote\n attackers to cause a denial of service (crash) via a large L2 table in a\n QCOW version 1 image (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on\n disks when using the qemu-xen device model, which allowed local guest\n users to write to a read-only disk image (bsc#947165).\n - CVE-2015-5239: Integer overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463).\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter\n an infinite loop (bsc#944697).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to\n denial of service (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array\n leading to denial of service (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n\n These non-security issues were fixed:\n - bsc#907514: Bus fatal 
error: SLES 12 sudden reboot has been observed\n - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of\n guest with VT-d NIC\n - bsc#918984: Bus fatal error: SLES11-SP4 sudden reboot has been observed\n - bsc#923967: Partner-L3: Bus fatal error: SLES11-SP3 sudden reboot has\n been observed\n - bnc#901488: Intel ixgbe driver assigns rx/tx queues per core resulting\n in irq problems on servers with a large amount of CPU cores\n - bsc#945167: Running command: xl pci-assignable-add 03:10.1 secondly show\n errors\n - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort\n\n", "published": "2015-11-04T17:13:16", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00011.html", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2016-09-04T11:56:09"}, {"id": "SUSE-SU-2015:1894-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated to version 4.4.3 to fix nine security issues.\n\n These security issues were fixed:\n - CVE-2015-4037: The slirp_smb function in net/slirp.c created temporary\n files with predictable names, which allowed local users to cause a\n denial of service (instantiation failure) by creating /tmp/qemu-smb.*-*\n files before the program (bsc#932267).\n - CVE-2014-0222: Integer overflow in the qcow_open function allowed remote\n attackers to cause a denial of service (crash) via a large L2 table in a\n QCOW version 1 image (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-7311: libxl in Xen did not properly handle the readonly flag on\n disks when using the qemu-xen device model, which allowed local guest\n users to write to a read-only disk image (bsc#947165).\n - CVE-2015-5239: Integer 
overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463).\n - CVE-2015-6815: With e1000 NIC emulation support it was possible to enter\n an infinite loop (bsc#944697).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array leading to\n denial of service (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling- related vcpu pointer array\n leading to denial of service (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n\n These non-security issues were fixed:\n - bsc#907514: Bus fatal error: SLES 12 sudden reboot has been observed\n - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of\n guest with VT-d NIC\n - bsc#918984: Bus fatal error: SLES11-SP4 sudden reboot has been observed\n - bsc#923967: Partner-L3: Bus fatal error: SLES11-SP3 sudden reboot has\n been observed\n - bnc#901488: Intel ixgbe driver assigns rx/tx queues per core resulting\n in irq problems on servers with a large amount of CPU cores\n - bsc#945167: Running command: xl pci-assignable-add 03:10.1 secondly show\n errors\n - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort\n - bsc#949549: xm create hangs when maxmen value is enclosed in quotes\n\n", "published": "2015-11-03T11:12:06", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00005.html", "cvelist": ["CVE-2015-7969", "CVE-2015-7971", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239"], "lastseen": "2016-09-04T11:21:42"}, {"id": "SUSE-SU-2016:0658-1", "type": "suse", "title": "Security update for Xen (important)", "description": "Xen was updated to fix the following vulnerabilities:\n\n * CVE-2014-0222: Qcow1 L2 table size integer overflows (bsc#877642)\n * CVE-2015-4037: Insecure temporary file use in /net/slirp.c\n (bsc#932267)\n * CVE-2015-5239: Integer 
overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463)\n * CVE-2015-7504: Heap buffer overflow vulnerability in pcnet emulator\n (XSA-162, bsc#956411)\n * CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (XSA-152, bsc#950706)\n * CVE-2015-8104: Guest to host DoS by triggering an infinite loop in\n microcode via #DB exception (bsc#954405)\n * CVE-2015-5307: Guest to host DOS by intercepting #AC (XSA-156,\n bsc#953527)\n * CVE-2015-8339: XENMEM_exchange error handling issues (XSA-159,\n bsc#956408)\n * CVE-2015-8340: XENMEM_exchange error handling issues (XSA-159,\n bsc#956408)\n * CVE-2015-7512: Buffer overflow in pcnet's non-loopback mode\n (bsc#962360)\n * CVE-2015-8550: Paravirtualized drivers incautious about shared\n memory contents (XSA-155, bsc#957988)\n * CVE-2015-8504: Avoid floating point exception in vnc support\n (bsc#958493)\n * CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization\n (XSA-165, bsc#958009)\n * Ioreq handling possibly susceptible to multiple read issue (XSA-166,\n bsc#958523)\n\n Security Issues:\n\n * CVE-2014-0222\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222</a>>\n * CVE-2015-4037\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037</a>>\n * CVE-2015-5239\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5239\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5239</a>>\n * CVE-2015-7504\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7504\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7504</a>>\n * CVE-2015-7971\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7971\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7971</a>>\n * CVE-2015-8104\n <<a 
rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104</a>>\n * CVE-2015-5307\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307</a>>\n * CVE-2015-8339\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8339\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8339</a>>\n * CVE-2015-8340\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340</a>>\n * CVE-2015-7512\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512</a>>\n * CVE-2015-8550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8550</a>>\n * CVE-2015-8504\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8504\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8504</a>>\n * CVE-2015-8555\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8555\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8555</a>>\n\n", "published": "2016-03-04T22:13:56", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00013.html", "cvelist": ["CVE-2015-8340", "CVE-2015-7971", "CVE-2015-8339", "CVE-2014-0222", "CVE-2015-4037", "CVE-2015-7504", "CVE-2015-5307", "CVE-2015-7512", "CVE-2015-8550", "CVE-2015-8555", "CVE-2015-8504", "CVE-2015-5239", "CVE-2015-8104"], "lastseen": "2016-09-04T12:35:28"}, {"id": "OPENSUSE-SU-2015:2003-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated 
to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash\n guests (bsc#951845).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS)\n (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array\n (DoS) (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267).\n - CVE-2014-0222: Validate L2 table size to avoid integer overflows\n (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-7311: libxl fails to honour readonly flag on disks with\n qemu-xen (bsc#947165).\n - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device\n model (bsc#939712).\n - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol\n (bsc#939709).\n - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344).\n - CVE-2015-3259: xl command line config handling stack overflow\n (bsc#935634).\n\n These non-security issues were fixed:\n - bsc#907514: Bus fatal error and sles12 sudden reboot has been observed\n - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of\n guest with VT-d NIC\n - bsc#918984: Bus fatal error and sles11-SP4 sudden reboot has been\n observed\n - bsc#923967: Partner-L3: Bus fatal error and sles11-SP3 sudden reboot has\n been observed\n - bsc#901488: Intel ixgbe driver assigns rx/tx queues per core resulting\n in irq problems on servers with a large amount of CPU cores\n - bsc#945167: Running command xl pci-assignable-add 03:10.1 secondly show\n errors\n - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort\n - bsc#944463: VUL-0: CVE-2015-5239: qemu-kvm: Integer overflow in\n vnc_client_read() and protocol_client_msg()\n - bsc#944697: VUL-1: CVE-2015-6815: qemu: net: e1000: infinite loop issue\n - 
bsc#925466: Kdump does not work in a XEN environment\n\n", "published": "2015-11-17T11:10:33", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00023.html", "cvelist": ["CVE-2015-7969", "CVE-2015-5166", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-3259", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239", "CVE-2015-5154", "CVE-2015-5165"], "lastseen": "2016-09-04T11:45:47"}, {"id": "OPENSUSE-SU-2015:1964-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated to fix 13 security issues.\n\n These security issues were fixed:\n - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash\n guests (bsc#951845).\n - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS)\n (bsc#950703).\n - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array\n (DoS) (bsc#950705).\n - CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (bsc#950706).\n - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267).\n - CVE-2014-0222: Validate L2 table size to avoid integer overflows\n (bsc#877642).\n - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests\n (bsc#950367).\n - CVE-2015-7311: libxl fails to honour readonly flag on disks with\n qemu-xen (bsc#947165).\n - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device\n model (bsc#939712).\n - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol\n (bsc#939709).\n - CVE-2015-5239: Integer overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463).\n - CVE-2015-6815: e1000: infinite loop issue (bsc#944697).\n - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344).\n\n This non-security issue was fixed:\n - bsc#941074: VmError: Device 51728 (vbd) could not be connected. 
Hotplug\n scripts not working.\n\n", "published": "2015-11-12T12:10:04", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html", "cvelist": ["CVE-2015-7969", "CVE-2015-5166", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-7835", "CVE-2014-0222", "CVE-2015-7311", "CVE-2015-4037", "CVE-2015-6815", "CVE-2015-5239", "CVE-2015-5154", "CVE-2015-5165"], "lastseen": "2016-09-04T11:39:50"}, {"id": "SUSE-SU-2015:1426-1", "type": "suse", "title": "Security update for kvm (important)", "description": "kvm was updated to fix two security issues.\n\n The following vulnerabilities were fixed:\n\n - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344).\n - CVE-2015-3209: Fix buffer overflow in pcnet emulation (bsc#932770).\n\n", "published": "2015-08-21T18:13:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00020.html", "cvelist": ["CVE-2015-5154", "CVE-2015-3209"], "lastseen": "2016-09-04T12:46:50"}], "debian": [{"id": "DSA-3285", "type": "debian", "title": "qemu-kvm -- security update", "description": "Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.\n\n * [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>)\n\nMatt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. 
A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n * [CVE-2015-4037](<https://security-tracker.debian.org/tracker/CVE-2015-4037>)\n\nKurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6+deb7u8.\n\nWe recommend that you upgrade your qemu-kvm packages.", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3285", "cvelist": ["CVE-2015-4037", "CVE-2015-3209"], "lastseen": "2016-09-02T18:29:52"}, {"id": "DSA-3284", "type": "debian", "title": "qemu -- security update", "description": "Several vulnerabilities were discovered in qemu, a fast processor emulator.\n\n * [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>)\n\nMatt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n * [CVE-2015-4037](<https://security-tracker.debian.org/tracker/CVE-2015-4037>)\n\nKurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. 
An unprivileged user can use this flaw to cause a denial of service.\n\n * [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>)\n\nJan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>)\n\nJan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6a+deb7u8. 
Only [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>) and [CVE-2015-4037](<https://security-tracker.debian.org/tracker/CVE-2015-4037>) affect oldstable.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1:2.1+dfsg-12+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:2.3+dfsg-6.\n\nWe recommend that you upgrade your qemu packages.", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3284", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-02T18:33:02"}, {"id": "DSA-3286", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been found in the Xen virtualisation solution:\n\n * [CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>)\n\nMatt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. 
A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.\n\n * [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>)\n\nJan Beulich reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service.\n\n * [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>)\n\nJan Beulich discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.\n\n * [CVE-2015-4163](<https://security-tracker.debian.org/tracker/CVE-2015-4163>)\n\nJan Beulich discovered that a missing version check in the GNTTABOP_swap_grant_ref hypercall handler may result in denial of service. This only applies to Debian stable/jessie.\n\n * [CVE-2015-4164](<https://security-tracker.debian.org/tracker/CVE-2015-4164>)\n\nAndrew Cooper discovered a vulnerability in the iret hypercall handler, which may result in denial of service.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u8. \n\nFor the stable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u1. 
[CVE-2015-3209](<https://security-tracker.debian.org/tracker/CVE-2015-3209>), [CVE-2015-4103](<https://security-tracker.debian.org/tracker/CVE-2015-4103>), [CVE-2015-4104](<https://security-tracker.debian.org/tracker/CVE-2015-4104>), [CVE-2015-4105](<https://security-tracker.debian.org/tracker/CVE-2015-4105>) and [CVE-2015-4106](<https://security-tracker.debian.org/tracker/CVE-2015-4106>) don't affect the Xen package in stable jessie, it uses the standard qemu package and has already been fixed in DSA-3284-1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-06-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3286", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4164", "CVE-2015-4163", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2016-09-02T18:28:53"}], "ubuntu": [{"id": "USN-2630-1", "type": "ubuntu", "title": "QEMU vulnerabilities", "description": "Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209)\n\nKurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. 
(CVE-2015-4103)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104)\n\nJan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105)\n\nJan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106)", "published": "2015-06-10T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2630-1/", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-4037", "CVE-2015-4104", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": "2018-03-29T18:20:27"}], "freebsd": [{"id": "ACD5D037-1C33-11E5-BE9C-6805CA1D3BB1", "type": "freebsd", "title": "qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)", "description": "\nThe QEMU security team reports:\n\nA guest which has access to an emulated PCNET network\n\t device (e.g. 
with \"model=pcnet\" in their VIF configuration)\n\t can exploit this vulnerability to take over the qemu\n\t process elevating its privilege to that of the qemu\n\t process.\n\n", "published": "2015-04-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/acd5d037-1c33-11e5-be9c-6805ca1d3bb1.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2016-09-26T17:24:18"}], "redhat": [{"id": "RHSA-2015:1189", "type": "redhat", "title": "(RHSA-2015:1189) Important: kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. Note: The procedure in\nthe Solution section must be performed before this update will take effect.\n", "published": "2015-06-25T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1189", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-09-09T07:19:40"}, {"id": "RHSA-2015:1088", "type": "redhat", "title": "(RHSA-2015:1088) Important: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. 
The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After installing\nthis update, shut down all running virtual machines. Once all virtual\nmachines have shut down, start them again for this update to take effect.\n", "published": "2015-06-10T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1088", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-03-10T07:18:27"}, {"id": "RHSA-2015:1087", "type": "redhat", "title": "(RHSA-2015:1087) Important: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. 
(CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2015-06-10T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1087", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-03-05T09:18:30"}, {"id": "RHSA-2015:1089", "type": "redhat", "title": "(RHSA-2015:1089) Important: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After installing\nthis update, shut down all running virtual machines. 
Once all virtual\nmachines have shut down, start them again for this update to take effect.", "published": "2015-06-10T18:50:31", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1089", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-03-10T07:18:25"}], "centos": [{"id": "CESA-2015:1189", "type": "centos", "title": "kmod, kvm security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1189\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
Note: The procedure in\nthe Solution section must be performed before this update will take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021224.html\n\n**Affected packages:**\nkmod-kvm\nkmod-kvm-debug\nkvm\nkvm-qemu-img\nkvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1189.html", "published": "2015-06-26T12:05:54", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021224.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-10-03T18:25:02"}, {"id": "CESA-2015:1087", "type": "centos", "title": "qemu security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1087\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled\nmulti-TMD packets with a length above 4096 bytes. A privileged guest user\nin a guest with an AMD PCNet ethernet card enabled could potentially use\nthis flaw to execute arbitrary code on the host with the privileges of the\nhosting QEMU process. (CVE-2015-3209)\n\nRed Hat would like to thank Matt Tait of Google's Project Zero security\nteam for reporting this issue.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, shut down all running virtual machines. 
Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021168.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1087.html", "published": "2015-06-10T15:32:54", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021168.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2017-10-03T18:24:43"}], "oraclelinux": [{"id": "ELSA-2015-1189", "type": "oraclelinux", "title": "kvm security update", "description": "[kvm-83-273.0.1.el5]\n- Added kvm-add-oracle-workaround-for-libvirt-bug.patch\n- Added kvm-Introduce-oel-machine-type.patch\n[kvm-83.273.el5]\n- kvm-pcnet-Properly-handle-TX-requests-during-Link-Fail.patch [bz#1225896]\n- kvm-pcnet-fix-Negative-array-index-read.patch [bz#1225896]\n- kvm-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch [bz#1225896]\n- Resolves: bz#1225896\n (EMBARGOED CVE-2015-3209 kvm: qemu: pcnet: multi-tmd buffer overflow in the tx path [rhel-5.11.z])", "published": "2015-06-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1189.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2016-09-04T11:16:08"}, {"id": "ELSA-2015-1087", "type": "oraclelinux", "title": "qemu-kvm security update", "description": "[0.12.1.2-2.448.el6_6.4]\n- kvm-pcnet-fix-Negative-array-index-read.patch [bz#1225886]\n- kvm-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch [bz#1225886]\n- Resolves: bz#1225886\n (EMBARGOED CVE-2015-3209 qemu-kvm: qemu: pcnet: multi-tmd buffer overflow in the tx path [rhel-6.6.z])", "published": "2015-06-10T00:00:00", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1087.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2016-09-04T11:16:39"}], "xen": [{"id": "XSA-135", "type": "xen", "title": "Heap overflow in QEMU PCNET controller, allowing guest->host escape", "description": "#### ISSUE DESCRIPTION\nThe QEMU security team has predisclosed the following advisory:\n pcnet_transmit loads a transmit-frame descriptor from the guest into the /tmd/ local variable to recover a length field, a status field and a guest-physical location of the associated frame buffer. If the status field indicates that the frame buffer is ready to be sent out (i.e. by setting the TXSTATUS_DEVICEOWNS, TXSTATUS_STARTPACKET and TXSTATUS_ENDPACKET bits on the status field), the PCNET device controller pulls in the frame from the guest-physical location to s->buffer (which is 4096 bytes long), and then transmits the frame.\n Because of the layout of the transmit-frame descriptor, it is not possible to send the PCNET device controller a frame of length > 4096, but it /is/ possible to send the PCNET device controller a frame that is marked as TXSTATUS_STARTPACKET, but not TXSTATUS_ENDPACKET. If we do this - and the PCNET controller is configured via the XMTRL CSR to support split-frame processing - then the pcnet_transmit functions loops round, pulling a second transmit frame descriptor from the guest. 
If this second transmit frame descriptor sets the TXSTATUS_DEVICEOWNS and doesn't set the TXSTATUS_STARTPACKET bits, this frame is appended to the s->buffer field.\n An attacker can then exploit this vulnerability by sending a first packet of length 4096 to the device controller, and a second frame containing N-bytes to trigger an N-byte heap overflow.\n On 64-bit QEMU, a 24-byte overflow allows the guest to take control of the phys_mem_write function pointer in the PCNetState_st structure, and this is called when trying to flush the updated transmit frame descriptor back to the guest. By specifying the content of the second transmit frame, the attacker therefore gets reliable fully-chosen control of the host instruction pointer, allowing them to take control of the host.\n#### IMPACT\nA guest which has access to an emulated PCNET network device (e.g. with "model=pcnet" in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.\n#### VULNERABLE SYSTEMS\nAll Xen systems running x86 HVM guests without stubdomains which have been configured to use the PCNET emulated driver model are vulnerable.\nThe default configuration is NOT vulnerable (because it does not emulate PCNET NICs).\nSystems running only PV guests are NOT vulnerable.\nSystems using qemu-dm stubdomain device models (for example, by specifying "device_model_stubdomain_override=1" in xl's domain configuration files) are NOT vulnerable.\nBoth the traditional "qemu-xen" or upstream qemu device models are potentially vulnerable.\nARM systems are NOT vulnerable.\n", "published": "2015-06-10T13:10:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://xenbits.xen.org/xsa/advisory-135.html", "cvelist": ["CVE-2015-3209"], "lastseen": "2016-04-01T21:57:16"}], "gentoo": [{"id": "GLSA-201510-02", "type": "gentoo", "title": "QEMU: Arbitrary code execution", "description": "### 
Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nA heap-based buffer overflow has been found in QEMU\u2019s PCNET controller.\n\n### Impact\n\nA remote attacker could execute arbitrary code via specially crafted packets. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.3.0-r4\"", "published": "2015-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201510-02", "cvelist": ["CVE-2015-3214", "CVE-2015-5158", "CVE-2015-5154", "CVE-2015-3209"], "lastseen": "2016-09-06T19:46:37"}, {"id": "GLSA-201604-03", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition or obtain sensitive information. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.5.2-r5\"\n \n\nAll Xen 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.6.0-r9\"\n \n\nAll Xen tools 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.5.2-r5\"\n \n\nAll Xen tools 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.6.0-r9\"\n \n\nAll Xen pvgrub users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-pvgrub-4.6.0\"", "published": "2016-04-05T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201604-03", "cvelist": ["CVE-2015-4105", "CVE-2015-4103", "CVE-2015-8551", "CVE-2012-6034", "CVE-2015-7969", "CVE-2015-7813", "CVE-2015-8340", "CVE-2012-3494", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-3340", "CVE-2015-8339", "CVE-2015-7835", "CVE-2016-2270", "CVE-2012-4535", "CVE-2012-4411", "CVE-2012-4539", "CVE-2015-3259", "CVE-2015-7311", "CVE-2012-3495", "CVE-2012-3498", "CVE-2015-7970", "CVE-2015-7504", "CVE-2015-3456", "CVE-2012-6030", "CVE-2012-3515", "CVE-2015-4164", "CVE-2015-8550", "CVE-2015-7814", "CVE-2015-8554", "CVE-2015-7812", "CVE-2012-3497", "CVE-2012-6035", "CVE-2012-6031", "CVE-2012-6033", "CVE-2012-4537", "CVE-2012-4538", "CVE-2015-4163", "CVE-2015-2151", "CVE-2015-8555", "CVE-2015-4104", "CVE-2012-3496", "CVE-2015-7871", "CVE-2012-6032", "CVE-2012-4536", "CVE-2012-6036", "CVE-2015-8341", "CVE-2016-2271", "CVE-2015-8552", "CVE-2015-5154", "CVE-2015-3209", "CVE-2015-4106"], "lastseen": 
"2016-09-06T19:46:33"}], "f5": [{"id": "F5:K63519101", "type": "f5", "title": "Multiple QEMU vulnerabilities", "description": "\nF5 Product Development has assigned IDs 572590, 572592, 572596, 572597, and 572599 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H63519101 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP DNS | 12.0.0 | 12.1.0 | Low | vCMP \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP GTM | 11.0.0 - 11.6.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP PSM | 11.0.0 - 11.4.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WOM | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not 
vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2016-02-16T19:39:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K63519101", "cvelist": ["CVE-2014-8106", "CVE-2015-7504", "CVE-2015-7512", "CVE-2015-5279", "CVE-2007-1320", "CVE-2015-3209", "CVE-2015-5165"], "lastseen": "2017-11-16T02:57:58"}, {"id": "SOL63519101", "type": "f5", "title": "SOL63519101 - Multiple QEMU vulnerabilities", "description": "Vulnerability Recommended Actions\n\nIf you are 
running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2016-02-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/63/sol63519101.html", "cvelist": ["CVE-2014-8106", "CVE-2015-7504", "CVE-2015-7512", "CVE-2015-5279", "CVE-2007-1320", "CVE-2015-3209", "CVE-2015-5165"], "lastseen": "2016-11-09T00:09:49"}]}}