ID: RHSA-2017:0328 | Type: redhat | Reporter: RedHat | Modified: 2018-03-19T16:26:34
Description
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.
Security Fix(es):
* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process, resulting in DoS, or potentially execute arbitrary code on the host with the privileges of the QEMU process. (CVE-2017-2615)
* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside a guest could use this flaw to crash the QEMU process or potentially execute arbitrary code on the host with the privileges of the QEMU process. (CVE-2017-2620)
Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.
{"id": "RHSA-2017:0328", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2017:0328) Important: qemu-kvm-rhev security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) 
for reporting CVE-2017-2615.", "published": "2017-02-28T04:06:44", "modified": "2018-03-19T16:26:34", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://access.redhat.com/errata/RHSA-2017:0328", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "lastseen": "2019-08-13T18:46:48", "viewCount": 12, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2019-08-13T18:46:48", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-2620", "CVE-2017-2615"]}, {"type": "f5", "idList": ["F5:K41242221"]}, {"type": "centos", "idList": ["CESA-2017:0396", "CESA-2017:0309", "CESA-2017:0352", "CESA-2017:0454"]}, {"type": "citrix", "idList": ["CTX220771"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-0621", "ELSA-2017-0352", "ELSA-2017-0396", "ELSA-2017-0454", "ELSA-2017-0309", "ELSA-2017-1856"]}, {"type": "redhat", "idList": ["RHSA-2017:0332", "RHSA-2017:0329", "RHSA-2017:0454", "RHSA-2017:0334", "RHSA-2017:0333", "RHSA-2017:0330", "RHSA-2017:0352", "RHSA-2017:0396", "RHSA-2017:0331", "RHSA-2017:0350"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140173", "OPENVAS:1361412562311220171038", "OPENVAS:1361412562311220171037", "OPENVAS:1361412562310882678", "OPENVAS:1361412562310890842", "OPENVAS:1361412562310871769", "OPENVAS:1361412562310890845", "OPENVAS:1361412562310882671", "OPENVAS:1361412562310872454", "OPENVAS:1361412562310851522"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2017-0396.NASL", "CITRIX_XENSERVER_CTX220771.NASL", "VIRTUOZZO_VZLSA-2017-0454.NASL", "ORACLELINUX_ELSA-2017-0396.NASL", "REDHAT-RHSA-2017-0396.NASL", "EULEROS_SA-2017-1037.NASL", "VIRTUOZZO_VZLSA-2017-0396.NASL", "ORACLELINUX_ELSA-2017-0454.NASL", "CENTOS_RHSA-2017-0454.NASL", "EULEROS_SA-2017-1038.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2017:1135-1", "SUSE-SU-2017:0571-1", "SUSE-SU-2017:0661-1", "OPENSUSE-SU-2017:0665-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-845-1:D7636", 
"DEBIAN:DLA-842-1:6B5AC"]}, {"type": "gentoo", "idList": ["GLSA-201702-27", "GLSA-201703-07"]}, {"type": "xen", "idList": ["XSA-209", "XSA-208"]}, {"type": "freebsd", "idList": ["8CBD9C08-F8B9-11E6-AE1B-002590263BF5", "A73ABA9A-EFFE-11E6-AE1B-002590263BF5"]}, {"type": "fedora", "idList": ["FEDORA:8EE9A605A344", "FEDORA:007EE62B4039"]}], "modified": "2019-08-13T18:46:48", "rev": 2}, "vulnersScore": 7.6}, "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "arch": "src", "packageName": "qemu-kvm-rhev", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-kvm-rhev-2.6.0-28.el7_3.6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "qemu-kvm-common-rhev", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-kvm-common-rhev-2.6.0-28.el7_3.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "qemu-kvm-rhev", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "qemu-kvm-rhev-debuginfo", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-kvm-rhev-debuginfo-2.6.0-28.el7_3.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "qemu-kvm-tools-rhev", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-kvm-tools-rhev-2.6.0-28.el7_3.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "x86_64", "packageName": "qemu-img-rhev", "packageVersion": "2.6.0-28.el7_3.6", "packageFilename": "qemu-img-rhev-2.6.0-28.el7_3.6.x86_64.rpm", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-12-09T20:13:30", "description": "Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.", "edition": 6, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-27T19:29:00", "title": "CVE-2017-2620", "type": "cve", "cwe": ["CWE-125", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2620"], "modified": "2018-09-07T10:29:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:redhat:enterprise_linux_server_aus:7.3", "cpe:/a:redhat:openstack:7.0", "cpe:/a:redhat:openstack:9.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:redhat:openstack:6.0", "cpe:/a:citrix:xenserver:6.0.2", "cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/a:redhat:openstack:5.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", 
"cpe:/a:redhat:openstack:8.0", "cpe:/o:xen:xen:4.7.1", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/a:citrix:xenserver:7.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:citrix:xenserver:6.5", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:redhat:openstack:10.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:citrix:xenserver:6.2.0", "cpe:/a:citrix:xenserver:7.1"], "id": "CVE-2017-2620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2620", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r2:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:7.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.5:sp1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r3:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r4:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r1:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r7:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r6:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r5:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.2.0:sp1:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:30", "description": "Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.", "edition": 5, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-03T01:29:00", "title": "CVE-2017-2615", "type": "cve", "cwe": ["CWE-125", "CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2615"], "modified": "2018-09-07T10:29:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/a:qemu:qemu:2.8.0", 
"cpe:/o:redhat:enterprise_linux_server_aus:7.3", "cpe:/a:redhat:openstack:7.0", "cpe:/a:redhat:openstack:9.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:redhat:openstack:6.0", "cpe:/a:citrix:xenserver:6.0.2", "cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/a:redhat:openstack:5.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/a:redhat:openstack:8.0", "cpe:/o:xen:xen:4.7.1", "cpe:/o:redhat:enterprise_linux_server_aus:7.4", "cpe:/a:citrix:xenserver:7.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:citrix:xenserver:6.5", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:redhat:openstack:10.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:citrix:xenserver:6.2.0", "cpe:/a:citrix:xenserver:7.1"], "id": "CVE-2017-2615", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2615", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r2:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:7.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.5:sp1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r3:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:r4:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:9.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:xen:xen:4.7.1:r1:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:xen:xen:4.7.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.2.0:sp1:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:57", "bulletinFamily": "software", "cvelist": ["CVE-2017-2615"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-10-01T21:08:00", "published": "2018-10-01T21:08:00", "id": "F5:K41242221", "href": "https://support.f5.com/csp/article/K41242221", "title": "QEMU vulnerability CVE-2017-2615", "type": "f5", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "citrix": [{"lastseen": "2020-11-18T15:29:37", "bulletinFamily": "software", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "<section class=\"article-content\" data-swapid=\"ArticleContent\">\n<div 
class=\"content-block\" data-swapid=\"ContentBlock\"><div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"DescriptionofProblem\"> Description of Problem</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>Two security issues have been identified within Citrix XenServer. These issues could, if exploited, allow the administrator of an HVM guest VM to compromise the host.</p>\n<p>The following vulnerabilities have been addressed:</p>\n<ul>\n<li>CVE-2017-2615 (High): QEMU: oob access in cirrus bitblt copy</li>\n<li>CVE-2017-2620 (High): QEMU: cirrus_bitblt_cputovideo does not check if memory region is safe</li>\n</ul>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"MitigatingFactors\"> Mitigating Factors</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>Customers using only PV guest VMs are not affected by this vulnerability.</p>\n<p>Customers using only VMs that use the std-vga graphics emulation are not affected by this vulnerability.</p>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"WhatCustomersShouldDo\"> What Customers Should Do</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>Hotfixes have been released to address these issues. 
Citrix recommends that affected customers install these hotfixes, which can be downloaded from the following locations:</p>\n<p>Citrix XenServer 7.0: CTX220760 \u2013 <a href=\"https://support.citrix.com/article/CTX220760\">https://support.citrix.com/article/CTX220760</a></p>\n<p>Citrix XenServer 6.5 SP1: CTX220759 \u2013 <a href=\"https://support.citrix.com/article/CTX220759\">https://support.citrix.com/article/CTX220759</a></p>\n<p>Citrix XenServer 6.2 SP1: CTX220758 \u2013 <a href=\"https://support.citrix.com/article/CTX220758\">https://support.citrix.com/article/CTX220758</a></p>\n<p>Citrix XenServer 6.0.2 Common Criteria: CTX220757\u2013 <a href=\"https://support.citrix.com/article/CTX220757\">https://support.citrix.com/article/CTX220757</a></p>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"WhatCitrixIsDoing\"> What Citrix Is Doing</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=\"http://support.citrix.com/\">http://support.citrix.com/</a></u>.</p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"ObtainingSupportonThisIssue\"> Obtaining Support on This Issue</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=\"https://www.citrix.com/support/open-a-support-case.html\">https://www.citrix.com/support/open-a-support-case.html</a></u>. 
</p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"ReportingSecurityVulnerabilities\"> Reporting Security Vulnerabilities</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 <a href=\"http://support.citrix.com/article/CTX081743\">Reporting Security Issues to Citrix</a></p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"Changelog\"> Changelog</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<table border=\"1\" cellpadding=\"1\" cellspacing=\"0\" width=\"100%\">\n<tbody>\n<tr>\n<td>Date </td>\n<td>Change</td>\n</tr>\n<tr>\n<td>21st February 2017</td>\n<td>Initial publishing</td>\n</tr>\n</tbody>\n</table>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n</div></div>\n</section>", "edition": 2, "modified": "2017-02-21T05:00:00", "published": "2017-02-21T05:00:00", "id": "CTX220771", "href": "https://support.citrix.com/article/CTX220771", "title": "Citrix XenServer Multiple Security Updates", "type": "citrix", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:36:57", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0396\n\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. 
It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es):\n\n* When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a \"block I/O error in device\" message and the qemu-kvm process exited with a segmentation fault. This update fixes how the system_reset QEMU signal is handled in the above scenario. As a result, if a guest crashes due to no space left on the device, qemu-kvm continues running and the guest can be reset as expected. 
(BZ#1420049)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-March/034359.html\n\n**Affected packages:**\nqemu-img\nqemu-kvm\nqemu-kvm-common\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0396.html", "edition": 5, "modified": "2017-03-03T13:27:17", "published": "2017-03-03T13:27:17", "id": "CESA-2017:0396", "href": "http://lists.centos.org/pipermail/centos-announce/2017-March/034359.html", "title": "qemu security update", "type": "centos", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T03:37:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0454\n\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on x86 hardware. Using KVM, one can run multiple virtual machines running\nunmodified Linux or Windows images. Each virtual machine has private virtualized\nhardware: a network card, disk, graphics adapter, etc.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is\nvulnerable to an out-of-bounds access issue. It could occur while copying VGA\ndata via bitblt copy in backward mode. A privileged user inside a guest could\nuse this flaw to crash the QEMU process resulting in DoS or potentially execute\narbitrary code on the host with privileges of QEMU process on the host.\n(CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is\nvulnerable to an out-of-bounds access issue. The issue could occur while copying\nVGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use\nthis flaw to crash the QEMU process OR potentially execute arbitrary code on\nhost with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn\nInc.) 
for reporting CVE-2017-2615.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-March/034363.html\n\n**Affected packages:**\nkmod-kvm\nkmod-kvm-debug\nkvm\nkvm-qemu-img\nkvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0454.html", "edition": 5, "modified": "2017-03-08T18:33:47", "published": "2017-03-08T18:33:47", "id": "CESA-2017:0454", "href": "http://lists.centos.org/pipermail/centos-announce/2017-March/034363.html", "title": "kmod, kvm security update", "type": "centos", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T03:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0352\n\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. 
(CVE-2017-2620)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-March/034332.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0352.html", "edition": 5, "modified": "2017-03-01T12:08:31", "published": "2017-03-01T12:08:31", "id": "CESA-2017:0352", "href": "http://lists.centos.org/pipermail/centos-announce/2017-March/034332.html", "title": "qemu security update", "type": "centos", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T03:34:49", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2016-2857"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0309\n\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615)\n\n* An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. A user inside a guest could use this flaw to crash the QEMU process (denial of service). (CVE-2016-2857)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) Li Qiang (360.cn Inc.) for reporting CVE-2017-2615 and Ling Liu (Qihoo 360 Inc.) 
for reporting CVE-2016-2857.\n\nThis update also fixes the following bug:\n\n* Previously, rebooting a guest virtual machine more than 128 times in a short period of time caused the guest to shut down instead of rebooting, because the virtqueue was not cleaned properly. This update ensures that the virtqueue is cleaned more reliably, which prevents the described problem from occurring. (BZ#1408389)\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-February/034325.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0309.html", "edition": 5, "modified": "2017-02-24T20:51:12", "published": "2017-02-24T20:51:12", "id": "CESA-2017:0309", "href": "http://lists.centos.org/pipermail/centos-announce/2017-February/034325.html", "title": "qemu security update", "type": "centos", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "[83-277.0.1.el5_11]\n- Added kvm-add-oracle-workaround-for-libvirt-bug.patch\n- Added kvm-Introduce-oel-machine-type.patch\n[83-277.el5_11]\n- kvm-Fix-hardware-accelerated-video-to-video-copy-on-Cirr.patch [bz#1421564]\n- kvm-cirrus_vga-fix-division-by-0-for-color-expansion-rop.patch [bz#1421564]\n- kvm-cirrus-fix-blit-region-check.patch [bz#1421564]\n- kvm-cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf.patch [bz#1421564]\n- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1421564]\n- 
kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1421564]\n- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1421564]\n- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1421564]\n- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1421564]\n- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1421564]\n- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1421564]\n- kvm-cirrus-fix-patterncopy-checks.patch [bz#1421564]\n- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1421564]\n- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1421564]\n- Resolves: bz#1421564\n (CVE-2017-2615 kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-5.11.z])", "edition": 3, "modified": "2017-03-07T00:00:00", "published": "2017-03-07T00:00:00", "id": "ELSA-2017-0454", "href": "http://linux.oracle.com/errata/ELSA-2017-0454.html", "title": "kvm security update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:40", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "[1.5.3-126.el7_3.5]\n- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420490]\n- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420490]\n- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420490]\n- Resolves: bz#1420490\n (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z])\n[1.5.3-126.el7_3.4]\n- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1420049]\n- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418232]\n- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418232]\n- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418232]\n- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch 
[bz#1418232]\n- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418232]\n- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418232]\n- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418232]\n- Resolves: bz#1418232\n (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z])\n- Resolves: bz#1420049\n (system_reset should clear pending request for error (virtio-blk))", "edition": 3, "modified": "2017-03-02T00:00:00", "published": "2017-03-02T00:00:00", "id": "ELSA-2017-0396", "href": "http://linux.oracle.com/errata/ELSA-2017-0396.html", "title": "qemu-kvm security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5403", "CVE-2017-2615", "CVE-2016-3712", "CVE-2016-3710", "CVE-2017-2620", "CVE-2016-2857"], "description": "[0.12.1.2-2.503.el6]\n- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420487 bz#1420489]\n- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420487 bz#1420489]\n- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420487 bz#1420489]\n- Resolves: bz#1420487\n (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.9])\n- Resolves: bz#1420489\n (EMBARGOED CVE-2017-2620 qemu-kvm-rhev: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.9])\n[0.12.1.2-2.502.el6]\n- kvm-cirrus_vga-fix-division-by-0-for-color-expansion-rop.patch [bz#1418231 bz#1419417]\n- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418231 bz#1419417]\n- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418231 bz#1419417]\n- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418231 bz#1419417]\n- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch 
[bz#1418231 bz#1419417]\n- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418231 bz#1419417]\n- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418231 bz#1419417]\n- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418231 bz#1419417]\n- Resolves: bz#1418231\n (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.9])\n- Resolves: bz#1419417\n (CVE-2017-2615 qemu-kvm-rhev: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.9])\n[0.12.1.2-2.501.el6]\n- kvm-Revert-iotests-Use-_img_info.patch [bz#1405882]\n- kvm-Revert-block-commit-speed-is-an-optional-parameter.patch [bz#1405882]\n- kvm-Revert-iotests-Disable-086.patch [bz#1405882]\n- kvm-Revert-iotests-Fix-049-s-reference-output.patch [bz#1405882]\n- kvm-Revert-iotests-Fix-026-s-reference-output.patch [bz#1405882]\n- kvm-Revert-qcow2-Support-exact-L1-table-growth.patch [bz#1405882]\n- kvm-Revert-qcow2-Free-allocated-L2-cluster-on-error.patch [bz#1405882]\n- kvm-net-check-packet-payload-length.patch [bz#1398214]\n- Resolves: bz#1398214\n (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-6.9])\n- Reverts: bz#1405882\n (test cases 026 030 049 086 and 095 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-0.12.1.2-2.498.el6)\n[0.12.1.2-2.500.el6]\n- kvm-qcow2-Free-allocated-L2-cluster-on-error.patch [bz#1405882]\n- kvm-qcow2-Support-exact-L1-table-growth.patch [bz#1405882]\n- kvm-iotests-Fix-026-s-reference-output.patch [bz#1405882]\n- kvm-iotests-Fix-049-s-reference-output.patch [bz#1405882]\n- kvm-iotests-Disable-086.patch [bz#1405882]\n- kvm-block-commit-speed-is-an-optional-parameter.patch [bz#1405882]\n- kvm-iotests-Use-_img_info.patch [bz#1405882]\n- Resolves: bz#1405882\n (test cases 026 030 049 086 and 095 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-0.12.1.2-2.498.el6)\n[0.12.1.2-2.499.el6]\n- kvm-rename-qemu_aio_context-to-match-upstream.patch [bz#876993]\n- 
kvm-block-stop-relying-on-io_flush-in-bdrv_drain_all.patch [bz#876993]\n- kvm-block-add-bdrv_drain.patch [bz#876993]\n- kvm-block-avoid-very-long-pauses-at-the-end-of-mirroring.patch [bz#876993]\n- Resolves: bz#876993\n (qemu-kvm: vms become non-responsive during migrate disk load from 2 domains to a 3ed)\n[0.12.1.2-2.498.el6]\n- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1392520]\n- kvm-virtio-introduce-virtqueue_discard.patch [bz#1392520]\n- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1392520]\n- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1392520]\n- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1392520]\n- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1392520]\n- kvm-PATCH-1-4-e1000-pre-initialize-RAH-RAL-registers.patch [bz#1300626]\n- kvm-net-update-nic-info-during-device-reset.patch [bz#1300626]\n- kvm-net-e1000-update-network-information-when-macaddr-is.patch [bz#1300626]\n- kvm-net-rtl8139-update-network-information-when-macaddr-.patch [bz#1300626]\n- Resolves: bz#1300626\n (e1000/rtl8139: qemu mac address can not be changed via set the hardware address in guest)\n- Resolves: bz#1392520\n ([RHEL6.9] KVM guest shuts itself down after 128th reboot)\n[0.12.1.2-2.497.el6]\n- kvm-vmstate-fix-breakage-by-7e72abc382b700a72549e8147bde.patch [bz#1294941]\n- Resolves: bz#1294941\n (QEMU crash on snapshot revert when using Cirrus)\n[0.12.1.2-2.496.el6]\n- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1361490]\n- kvm-virtio-scsi-Prevent-assertion-on-missed-events.patch [bz#1333697]\n- Resolves: bz#1333697\n (qemu-kvm: /builddir/build/BUILD/qemu-kvm-0.12.1.2/hw/virtio-scsi.c:724: virtio_scsi_push_event: Assertion event == 0 failed)\n- Resolves: bz#1361490\n (system_reset should clear pending request for error (virtio-blk))\n[0.12.1.2-2.495.el6]\n- kvm-qemu-img-add-support-for-fully-allocated-images.patch [bz#1297653]\n- kvm-qemu-img-fix-usage-instruction-for-qemu-img-convert.patch 
[bz#1297653]\n- kvm-target-i386-warns-users-when-CPU-threads-1-for-non-I.patch [bz#1292678 bz#1320066]\n- Resolves: bz#1292678\n (Qemu should report error when cmdline set threads=2 in amd host)\n- Resolves: bz#1297653\n (qemu-img convert cant create a fully allocated image passed a -S 0 option)\n- Resolves: bz#1320066\n (Qemu should not report error when cmdline set threads=2 in Intel host)\n[0.12.1.2-2.494.el6]\n- kvm-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch [bz#1356924]\n- kvm-block-Detect-unaligned-length-in-bdrv_qiov_is_aligne.patch [bz#1321862]\n- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1281713]\n- kvm-atapi-fix-halted-DMA-reset.patch [bz#1281713]\n- Resolves: bz#1281713\n (system_reset should clear pending request for error (IDE))\n- Resolves: bz#1321862\n (Backport 'block: Detect unaligned length in bdrv_qiov_is_aligned()')\n- Resolves: bz#1356924\n (rtl8139 driver hangs in widows guests)\n[0.12.1.2-2.493.el6]\n- kvm-virtio-error-out-if-guest-exceeds-virtqueue-size.patch [bz#1359725]\n- Resolves: bz#1359725\n (CVE-2016-5403 qemu-kvm: Qemu: virtio: unbounded memory allocation on host via guest leading to DoS [rhel-6.9])\n[0.12.1.2-2.492.el6]\n- kvm-Add-vga.h-unmodified-from-Linux.patch [bz#1331408]\n- kvm-vga.h-remove-unused-stuff-and-reformat.patch [bz#1331408]\n- kvm-vga-use-constants-from-vga.h.patch [bz#1331408]\n- kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch [bz#1331408]\n- kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch [bz#1331408]\n- kvm-vga-add-vbe_enabled-helper.patch [bz#1331408]\n- kvm-vga-factor-out-vga-register-setup.patch [bz#1331408]\n- kvm-vga-update-vga-register-setup-on-vbe-changes.patch [bz#1331408]\n- kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch [bz#1331408]\n- kvm-vga-add-sr_vbe-register-set.patch [bz#1331408 bz#1346981]\n- Resolves: bz#1331408\n (CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-6.9])\n- Resolves: 
bz#1346981\n (Regression from CVE-2016-3712: windows installer fails to start)", "edition": 5, "modified": "2017-03-27T00:00:00", "published": "2017-03-27T00:00:00", "id": "ELSA-2017-0621", "href": "http://linux.oracle.com/errata/ELSA-2017-0621.html", "title": "qemu-kvm security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:26", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "[0.12.1.2-2.491.el6_8.7]\n- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420486 bz#1420488]\n- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420486 bz#1420488]\n- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420486 bz#1420488]\n- Resolves: bz#1420486\n (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.8.z])\n- Resolves: bz#1420488\n (EMBARGOED CVE-2017-2620 qemu-kvm-rhev: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.8.z])", "edition": 3, "modified": "2017-03-01T00:00:00", "published": "2017-03-01T00:00:00", "id": "ELSA-2017-0352", "href": "http://linux.oracle.com/errata/ELSA-2017-0352.html", "title": "qemu-kvm security update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2016-2857"], "description": "[0.12.1.2-2.491.el6_8.6]\n- kvm-cirrus_vga-fix-division-by-0-for-color-expansion-rop.patch [bz#1418230 bz#1419416]\n- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418230 bz#1419416]\n- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418230 bz#1419416]\n- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418230 bz#1419416]\n- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418230 bz#1419416]\n- 
kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418230 bz#1419416]\n- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418230 bz#1419416]\n- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418230 bz#1419416]\n- Resolves: bz#1418230\n (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.8.z])\n- Resolves: bz#1419416\n (CVE-2017-2615 qemu-kvm-rhev: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.8.z])\n[0.12.1.2-2.491.el6_8.5]\n- kvm-net-check-packet-payload-length.patch [bz#1398213]\n- Resolves: bz#1398213\n (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-6.8.z])\n[0.12.1.2-2.491.el6.4]\n- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1408389]\n- kvm-virtio-introduce-virtqueue_discard.patch [bz#1408389]\n- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1408389]\n- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1408389]\n- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1408389]\n- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1408389]\n- Resolves: bz#1408389\n ([RHEL6.8.z] KVM guest shuts itself down after 128th reboot)", "edition": 5, "modified": "2017-02-23T00:00:00", "published": "2017-02-23T00:00:00", "id": "ELSA-2017-0309", "href": "http://linux.oracle.com/errata/ELSA-2017-0309.html", "title": "qemu-kvm security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2015-5225", "CVE-2017-5898", "CVE-2017-2633", "CVE-2016-4020", "CVE-2017-2620", "CVE-2016-2857", "CVE-2017-9524", "CVE-2016-9603"], "description": "[1.5.3-141.el7]\n- kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch [bz#1455745]\n- kvm-Do-not-hang-on-full-PTY.patch [bz#1452067]\n- kvm-serial-fixing-vmstate-for-save-restore.patch 
[bz#1452067]\n- kvm-serial-reinstate-watch-after-migration.patch [bz#1452067]\n- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1451614]\n- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1451614]\n- Resolves: bz#1451614\n (CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4])\n- Resolves: bz#1452067\n (migration can confuse serial port user)\n- Resolves: bz#1455745\n (Backport fix for broken logic thats supposed to ensure memory slots are page aligned)\n[1.5.3-140.el7]\n- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1456983]\n- Resolves: bz#1456983\n (Character device regression due to missing patch)\n[1.5.3-139.el7]\n- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1451470]\n- Resolves: bz#1451470\n (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)\n[1.5.3-138.el7]\n- kvm-char-serial-cosmetic-fixes.patch [bz#1451470]\n- kvm-char-serial-Use-generic-Fifo8.patch [bz#1451470]\n- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1451470]\n- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1451470]\n- kvm-char-serial-Fix-emptyness-check.patch [bz#1451470]\n- kvm-char-serial-Fix-emptyness-handling.patch [bz#1451470]\n- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1451470]\n- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1451470]\n- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1451470]\n- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1451470]\n- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1451470]\n- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1451470]\n- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1451470]\n- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1451470]\n- kvm-serial-make-tsr_retry-unsigned.patch [bz#1451470]\n- 
kvm-serial-simplify-tsr_retry-reset.patch [bz#1451470]\n- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1451470]\n- kvm-serial-remove-watch-on-reset.patch [bz#1451470]\n- Resolves: bz#1451470\n (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop)\n[1.5.3-137.el7]\n- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1299875]\n- Resolves: bz#1299875\n (system_reset should clear pending request for error (IDE))\n[1.5.3-136.el7]\n- kvm-target-i386-get-set-migrate-XSAVES-state.patch [bz#1327593]\n- kvm-Removing-texi2html-from-build-requirements.patch [bz#1440987]\n- kvm-Disable-build-of-32bit-packages.patch [bz#1441778]\n- kvm-Add-sample-images-to-srpm.patch [bz#1436280]\n- Resolves: bz#1327593\n ([Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions)\n- Resolves: bz#1436280\n (sample images for qemu-iotests are missing in the SRPM)\n- Resolves: bz#1440987\n (Remove texi2html build dependancy from RPM)\n- Resolves: bz#1441778\n (Stop building qemu-img for 32bit architectures.)\n[1.5.3-135.el7]\n- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430060]\n- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430060]\n- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430060]\n- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430060]\n- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430060]\n- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430060]\n- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430060]\n- Resolves: bz#1430060\n (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4])\n[1.5.3-134.el7]\n- kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch [bz#1377977]\n- kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch [bz#1377977]\n- kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch [bz#1377977]\n- 
kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch [bz#1377977]\n- kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch [bz#1377977]\n- kvm-ui-vnc-fix-potential-memory-corruption-issues.patch [bz#1377977]\n- kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch [bz#1377977]\n- kvm-vnc-fix-overflow-in-vnc_update_stats.patch [bz#1377977]\n- kvm-i386-kvmvapic-initialise-imm32-variable.patch [bz#1335751]\n- kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch [bz#1427176]\n- vm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch [bz#1427176]\n- kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch [bz#1427176]\n- kvm-qemu-io-Add-sigraise-command.patch [bz#1427176]\n- kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch [bz#1427176]\n- kvm-iotests-Fix-test-039.patch [bz#1427176]\n- kvm-blkdebug-Add-bdrv_truncate.patch [bz#1427176]\n- kvm-vhdx-Fix-zero-fill-iov-length.patch [bz#1427176]\n- kvm-qemu-iotests-Disable-030-040-041.patch [bz#1427176]\n- kvm-x86-add-AVX512_VPOPCNTDQ-features.patch [bz#1415830]\n- kvm-usb-ccid-check-ccid-apdu-length.patch [bz#1419818]\n- kvm-usb-ccid-better-bulk_out-error-handling.patch [bz#1419818]\n- kvm-usb-ccid-move-header-size-check.patch [bz#1419818]\n- kvm-usb-ccid-add-check-message-size-checks.patch [bz#1419818]\n- kvm-spec-Update-rdma-build-dependency.patch [bz#1433920]\n- Resolves: bz#1335751\n (CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4])\n- Resolves: bz#1377977\n (qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4])\n- Resolves: bz#1415830\n ([Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm)\n- Resolves: bz#1419818\n (CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4])\n- Resolves: bz#1427176\n (test cases of qemu-iotests failed)\n- Resolves: bz#1433920\n (Switch from librdmacm-devel to rdma-core-devel)\n[1.5.3-133.el7]\n- kvm-target-i386-add-Ivy-Bridge-CPU-model.patch [bz#1368375]\n- 
kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch [bz#1382122]\n- kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch [bz#1382122]\n- kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch [bz#1382122]\n- kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch [bz#1382122]\n- kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch [bz#1382122]\n- kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch [bz#1382122]\n- kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch [bz#1382122]\n- kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch [bz#1382122]\n- kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch [bz#1382122]\n- kvm-spice-remove-spice-experimental.h-include.patch [bz#1430606]\n- kvm-spice-replace-use-of-deprecated-API.patch [bz#1430606]\n- Resolves: bz#1368375\n ([Intel 7.4 Bug] qemu-kvm does not support '-cpu IvyBridge')\n- Resolves: bz#1382122\n ([Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu)\n- Resolves: bz#1430606\n (Cant build qemu-kvm with newer spice packages)\n[1.5.3-132.el7]\n- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420492]\n- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420492]\n- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420492]\n- Resolves: bz#1420492\n (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4])\n[1.5.3-131.el7]\n- kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch [bz#1342768]\n- 
kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1361488]\n- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418233]\n- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418233]\n- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418233]\n- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418233]\n- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418233]\n- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418233]\n- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418233]\n- kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch [bz#1419898]\n- kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch [bz#1419898]\n- Resolves: bz#1342768\n ([Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above)\n- Resolves: bz#1361488\n (system_reset should clear pending request for error (virtio-blk))\n- Resolves: bz#1418233\n (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4])\n- Resolves: bz#1419898\n (Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add)\n[1.5.3-130.el7]\n- kvm-gluster-correctly-propagate-errors.patch [bz#1151859]\n- kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch [bz#1151859]\n- kvm-block-gluster-add-support-for-selecting-debug-loggin.patch [bz#1151859]\n- Resolves: bz#1151859\n ([RFE] Allow the libgfapi logging level to be controlled.)\n[1.5.3-129.el7]\n- kvm-Update-qemu-kvm-package-Summary-and-Description.patch [bz#1378541]\n- kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch [bz#1375507]\n- kvm-net-check-packet-payload-length.patch [bz#1398218]\n- kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch [bz#1342489]\n- Resolves: bz#1342489\n (Flickering Fedora 24 Login Screen on RHEL 7)\n- Resolves: bz#1375507\n ('threads' option is overwritten if both 'sockets' and 'cores' is set on -smp)\n- Resolves: 
bz#1378541\n (QEMU: update package summary and description)\n- Resolves: bz#1398218\n (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4])\n[1.5.3-128.el7]\n- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1377968]\n- kvm-virtio-introduce-virtqueue_discard.patch [bz#1377968]\n- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1377968]\n- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1377968]\n- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1377968]\n- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1377968]\n- kvm-virtio-add-virtqueue_rewind.patch [bz#1377968]\n- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1377968]\n- Resolves: bz#1377968\n ([RHEL7.3] KVM guest shuts itself down after 128th reboot)\n[1.5.3-127.el7]\n- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1377087]\n- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1377087]\n- Resolves: bz#1377087\n (shutdown rhel 5.11 guest failed and stop at 'system halted')", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "ELSA-2017-1856", "href": "http://linux.oracle.com/errata/ELSA-2017-1856.html", "title": "qemu-kvm security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. 
A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.", "modified": "2018-03-19T16:27:43", "published": "2017-02-28T04:06:47", "id": "RHSA-2017:0329", "href": "https://access.redhat.com/errata/RHSA-2017:0329", "type": "redhat", "title": "(RHSA-2017:0329) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:37", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. 
The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.", "modified": "2018-03-19T16:27:26", "published": "2017-02-28T04:06:51", "id": "RHSA-2017:0330", "href": "https://access.redhat.com/errata/RHSA-2017:0330", "type": "redhat", "title": "(RHSA-2017:0330) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:36", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) 
for reporting CVE-2017-2615.", "modified": "2018-03-19T16:26:43", "published": "2017-02-28T04:07:01", "id": "RHSA-2017:0333", "href": "https://access.redhat.com/errata/RHSA-2017:0333", "type": "redhat", "title": "(RHSA-2017:0333) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:07", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) 
for reporting CVE-2017-2615.", "modified": "2018-03-19T16:27:06", "published": "2017-02-28T04:06:59", "id": "RHSA-2017:0332", "href": "https://access.redhat.com/errata/RHSA-2017:0332", "type": "redhat", "title": "(RHSA-2017:0332) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:08", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) 
for reporting CVE-2017-2615.", "modified": "2018-03-19T16:27:18", "published": "2017-02-28T04:06:55", "id": "RHSA-2017:0331", "href": "https://access.redhat.com/errata/RHSA-2017:0331", "type": "redhat", "title": "(RHSA-2017:0331) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:24", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (for Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on x86 hardware. Using KVM, one can run multiple virtual machines running\nunmodified Linux or Windows images. Each virtual machine has private virtualized\nhardware: a network card, disk, graphics adapter, etc.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is\nvulnerable to an out-of-bounds access issue. It could occur while copying VGA\ndata via bitblt copy in backward mode. A privileged user inside a guest could\nuse this flaw to crash the QEMU process resulting in DoS or potentially execute\narbitrary code on the host with privileges of QEMU process on the host.\n(CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is\nvulnerable to an out-of-bounds access issue. The issue could occur while copying\nVGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use\nthis flaw to crash the QEMU process OR potentially execute arbitrary code on\nhost with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn\nInc.) 
for reporting CVE-2017-2615.\n", "modified": "2017-09-08T11:49:10", "published": "2017-03-07T05:00:00", "id": "RHSA-2017:0454", "href": "https://access.redhat.com/errata/RHSA-2017:0454", "type": "redhat", "title": "(RHSA-2017:0454) Important: kvm security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es):\n\n* When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a \"block I/O error in device\" message and the qemu-kvm process exited with a segmentation fault. This update fixes how the system_reset QEMU signal is handled in the above scenario. 
As a result, if a guest crashes due to no space left on the device, qemu-kvm continues running and the guest can be reset as expected. (BZ#1420049)", "modified": "2018-04-12T03:31:39", "published": "2017-03-02T20:22:52", "id": "RHSA-2017:0396", "href": "https://access.redhat.com/errata/RHSA-2017:0396", "type": "redhat", "title": "(RHSA-2017:0396) Important: qemu-kvm security and bug fix update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:11", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2857", "CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\n* An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. 
A user inside a guest could use this flaw to crash the QEMU process (denial of service). (CVE-2016-2857)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615 and Ling Liu (Qihoo 360 Inc.) for reporting CVE-2016-2857.", "modified": "2018-06-07T02:48:00", "published": "2017-02-28T04:07:05", "id": "RHSA-2017:0334", "href": "https://access.redhat.com/errata/RHSA-2017:0334", "type": "redhat", "title": "(RHSA-2017:0334) Important: qemu-kvm-rhev security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2857", "CVE-2017-2615", "CVE-2017-2620"], "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\n\n* An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. 
The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. A user inside a guest could use this flaw to crash the QEMU process (denial of service). (CVE-2016-2857)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615 and Ling Liu (Qihoo 360 Inc.) for reporting CVE-2016-2857.\n\nBug Fix(es):\n\n* Prior to this update, after migrating a guest virtual machine on the little-endian variant of IBM Power Systems and resetting the guest, the guest boot process failed with a \"tcmalloc: large alloc\" error message. This update fixes the bug, and the described problem no longer occurs. (BZ#1420456)\n\n* The qemu-kvm-rhev package depends on the usbredir and libcacard packages. However, on the little-endian variant of IBM Power Systems, smartcard use is not supported and usbredir and libcacard are thus only available in the Optional channel. As a consequence, qemu-kvm-rhev was previously not installable on these systems if the Optional channel was not available for the user. This update removes usbredir and libcacard as dependencies of qemu-kvm-rhev on little-endian IBM Power Systems, and qemu-kvm-rhev can now be installed as expected in the described scenario. (BZ#1420428)", "modified": "2018-04-26T01:30:17", "published": "2017-03-01T12:52:23", "id": "RHSA-2017:0350", "href": "https://access.redhat.com/errata/RHSA-2017:0350", "type": "redhat", "title": "(RHSA-2017:0350) Important: qemu-kvm-rhev security and bug fix update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:03", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. 
The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)", "modified": "2018-06-06T20:24:27", "published": "2017-03-01T13:42:26", "id": "RHSA-2017:0352", "href": "https://access.redhat.com/errata/RHSA-2017:0352", "type": "redhat", "title": "(RHSA-2017:0352) Important: qemu-kvm security update", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T09:31:01", "description": "An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. 
The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)", "edition": 31, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-06T00:00:00", "title": "CentOS 7 : qemu-kvm (CESA-2017:0396)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-03-06T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:qemu-kvm", "p-cpe:/a:centos:centos:qemu-kvm-common", "p-cpe:/a:centos:centos:qemu-img", "p-cpe:/a:centos:centos:qemu-kvm-tools"], "id": "CENTOS_RHSA-2017-0396.NASL", "href": "https://www.tenable.com/plugins/nessus/97528", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0396 and \n# CentOS Errata and Security Advisory 2017:0396 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97528);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2615\", 
\"CVE-2017-2620\");\n script_xref(name:\"RHSA\", value:\"2017:0396\");\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"CentOS 7 : qemu-kvm (CESA-2017:0396)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-March/022321.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?30ed98b0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qemu-kvm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2615\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"qemu-img-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"qemu-kvm-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"qemu-kvm-common-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-1.5.3-126.el7_3.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-tools\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:14:13", "description": "An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. 
It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.", "edition": 52, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : qemu-img / qemu-kvm / qemu-kvm-common / etc (VZLSA-2017-0396)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-07-13T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:qemu-img", "cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm", "p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm-tools", "p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm-common"], "id": "VIRTUOZZO_VZLSA-2017-0396.NASL", "href": "https://www.tenable.com/plugins/nessus/101433", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101433);\n script_version(\"1.57\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-2615\",\n \"CVE-2017-2620\"\n );\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"Virtuozzo 7 : qemu-img / qemu-kvm / qemu-kvm-common / etc (VZLSA-2017-0396)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. 
Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0396.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f9f143bf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0396\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-img / qemu-kvm / qemu-kvm-common / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:U/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-1.5.3-126.vl7.5\",\n \"qemu-kvm-1.5.3-126.vl7.5\",\n \"qemu-kvm-common-1.5.3-126.vl7.5\",\n \"qemu-kvm-tools-1.5.3-126.vl7.5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-img / qemu-kvm / qemu-kvm-common / etc\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:42:02", "description": "From Red Hat Security Advisory 2017:0454 :\n\nAn update for kvm is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.", "edition": 25, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-08T00:00:00", "title": "Oracle Linux 5 : kvm (ELSA-2017-0454)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kvm-tools", "p-cpe:/a:oracle:linux:kvm", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:kmod-kvm", "p-cpe:/a:oracle:linux:kmod-kvm-debug", "p-cpe:/a:oracle:linux:kvm-qemu-img"], "id": "ORACLELINUX_ELSA-2017-0454.NASL", "href": "https://www.tenable.com/plugins/nessus/97593", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:0454 and \n# Oracle Linux Security Advisory ELSA-2017-0454 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97593);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"RHSA\", value:\"2017:0454\");\n\n script_name(english:\"Oracle Linux 5 : kvm (ELSA-2017-0454)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:0454 :\n\nAn update for kvm is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. 
Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-March/006773.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kmod-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kmod-kvm-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kvm-qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", cpu:\"x86_64\", reference:\"kmod-kvm-83-277.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", cpu:\"x86_64\", reference:\"kmod-kvm-debug-83-277.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", cpu:\"x86_64\", reference:\"kvm-83-277.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", cpu:\"x86_64\", reference:\"kvm-qemu-img-83-277.0.1.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", cpu:\"x86_64\", reference:\"kvm-tools-83-277.0.1.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / kvm-tools\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:51:54", "description": "According to the versions of the qemu-kvm package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside\n a guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the\n host. (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 52, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1037)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1037.NASL", "href": "https://www.tenable.com/plugins/nessus/99882", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99882);\n script_version(\"1.49\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-2615\",\n \"CVE-2017-2620\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1037)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu-kvm package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside\n a guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the\n host. 
(CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1037\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?428dc533\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:U/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-1.5.3-126.5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:51:54", "description": "According to the versions of the qemu-kvm packages installed, the\nEulerOS installation on the remote host is 
affected by the following\nvulnerabilities :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside\n a guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the\n host. (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 41, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1038)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-kvm", "p-cpe:/a:huawei:euleros:qemu-kvm-common", "p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1038.NASL", "href": "https://www.tenable.com/plugins/nessus/99883", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99883);\n script_version(\"1.35\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n 
\"CVE-2017-2615\",\n \"CVE-2017-2620\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1038)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu-kvm packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside\n a guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the\n host. (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1038\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d2b6e3cf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:U/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-1.5.3-126.5\",\n \"qemu-kvm-1.5.3-126.5\",\n \"qemu-kvm-common-1.5.3-126.5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:07:10", "description": "An update for kvm is now available for Red Hat 
Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.", "edition": 26, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-08T00:00:00", "title": "RHEL 5 : kvm (RHSA-2017:0454)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kvm", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kmod-kvm-debug", "p-cpe:/a:redhat:enterprise_linux:kvm-qemu-img", "p-cpe:/a:redhat:enterprise_linux:kmod-kvm", "p-cpe:/a:redhat:enterprise_linux:kvm-tools"], "id": "REDHAT-RHSA-2017-0454.NASL", "href": "https://www.tenable.com/plugins/nessus/97594", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0454. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97594);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"RHSA\", value:\"2017:0454\");\n\n script_name(english:\"RHEL 5 : kvm (RHSA-2017:0454)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kvm is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0454\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-2615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-2620\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kmod-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kmod-kvm-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kvm-qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0454\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kmod-kvm-83-277.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kmod-kvm-debug-83-277.el5_11\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kvm-83-277.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kvm-debuginfo-83-277.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kvm-qemu-img-83-277.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kvm-tools-83-277.el5_11\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kmod-kvm / kmod-kvm-debug / kvm / kvm-debuginfo / kvm-qemu-img / etc\");\n }\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:47:35", "description": "Security Fix(es) :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside a\n guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the host.\n (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. 
(CVE-2017-2620)", "edition": 16, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-08T00:00:00", "title": "Scientific Linux Security Update : kvm on SL5.x x86_64 (20170307)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-03-08T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kmod-kvm-debug", "p-cpe:/a:fermilab:scientific_linux:kvm-tools", "p-cpe:/a:fermilab:scientific_linux:kvm-qemu-img", "p-cpe:/a:fermilab:scientific_linux:kmod-kvm", "p-cpe:/a:fermilab:scientific_linux:kvm", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kvm-debuginfo"], "id": "SL_20170307_KVM_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/97597", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97597);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"Scientific Linux Security Update : kvm on SL5.x x86_64 (20170307)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. 
A privileged user inside a\n guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the host.\n (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1703&L=scientific-linux-errata&F=&S=&P=6365\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?313a41d7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kmod-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kmod-kvm-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kvm-qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/07\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kmod-kvm-83-277.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kmod-kvm-debug-83-277.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kvm-83-277.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kvm-debuginfo-83-277.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kvm-qemu-img-83-277.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"x86_64\", reference:\"kvm-tools-83-277.el5_11\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kmod-kvm / kmod-kvm-debug / kvm / kvm-debuginfo / kvm-qemu-img / etc\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:31:01", "description": "An update for kvm is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. 
Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.", "edition": 30, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-09T00:00:00", "title": "CentOS 5 : kvm (CESA-2017:0454)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-03-09T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kvm-qemu-img", "p-cpe:/a:centos:centos:kvm", "p-cpe:/a:centos:centos:kmod-kvm", "p-cpe:/a:centos:centos:kmod-kvm-debug", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:kvm-tools"], "id": "CENTOS_RHSA-2017-0454.NASL", "href": "https://www.tenable.com/plugins/nessus/97611", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0454 and \n# CentOS Errata and Security Advisory 2017:0454 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97611);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"RHSA\", value:\"2017:0454\");\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"CentOS 5 : kvm (CESA-2017:0454)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kvm is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKVM (for Kernel-based Virtual Machine) is a full virtualization\nsolution for Linux on x86 hardware. Using KVM, one can run multiple\nvirtual machines running unmodified Linux or Windows images. Each\nvirtual machine has private virtualized hardware: a network card,\ndisk, graphics adapter, etc.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) 
for reporting CVE-2017-2615.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-March/022325.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0861f93b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2615\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kmod-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kmod-kvm-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kvm-qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", cpu:\"x86_64\", reference:\"kmod-kvm-83-277.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"x86_64\", reference:\"kmod-kvm-debug-83-277.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"x86_64\", reference:\"kvm-83-277.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"x86_64\", reference:\"kvm-qemu-img-83-277.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"x86_64\", reference:\"kvm-tools-83-277.el5.centos\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / kvm-tools\");\n}\n", 
"cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:42:01", "description": "From Red Hat Security Advisory 2017:0396 :\n\nAn update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. 
This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)", "edition": 28, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "Oracle Linux 7 : qemu-kvm (ELSA-2017-0396)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:qemu-kvm-tools", "p-cpe:/a:oracle:linux:qemu-kvm-common", "p-cpe:/a:oracle:linux:qemu-img", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:qemu-kvm"], "id": "ORACLELINUX_ELSA-2017-0396.NASL", "href": "https://www.tenable.com/plugins/nessus/97508", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:0396 and \n# Oracle Linux Security Advisory ELSA-2017-0396 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97508);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"RHSA\", value:\"2017:0396\");\n\n script_name(english:\"Oracle Linux 7 : qemu-kvm (ELSA-2017-0396)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:0396 :\n\nAn update for qemu-kvm is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nKernel-based Virtual Machine (KVM) is a full virtualization solution\nfor Linux on a variety of architectures. The qemu-kvm packages provide\nthe user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es) :\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged\nuser inside a guest could use this flaw to crash the QEMU process\nresulting in DoS or potentially execute arbitrary code on the host\nwith privileges of QEMU process on the host. (CVE-2017-2615)\n\n* Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue\ncould occur while copying VGA data in cirrus_bitblt_cputovideo. A\nprivileged user inside guest could use this flaw to crash the QEMU\nprocess OR potentially execute arbitrary code on host with privileges\nof the QEMU process. (CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es) :\n\n* When using the virtio-blk driver on a guest virtual machine with no\nspace on the virtual hard drive, the guest terminated unexpectedly\nwith a 'block I/O error in device' message and the qemu-kvm process\nexited with a segmentation fault. This update fixes how the\nsystem_reset QEMU signal is handled in the above scenario. 
As a\nresult, if a guest crashes due to no space left on the device,\nqemu-kvm continues running and the guest can be reset as expected.\n(BZ#1420049)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-March/006748.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qemu-kvm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"qemu-img-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"qemu-kvm-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"qemu-kvm-common-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-1.5.3-126.el7_3.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-tools\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:23:39", "description": "Security Fix(es) :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. A privileged user inside a\n guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the host.\n (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nBug Fix(es) :\n\n - When using the virtio-blk driver on a guest virtual\n machine with no space on the virtual hard drive, the\n guest terminated unexpectedly with a 'block I/O error in\n device' message and the qemu-kvm process exited with a\n segmentation fault. This update fixes how the\n system_reset QEMU signal is handled in the above\n scenario. 
As a result, if a guest crashes due to no\n space left on the device, qemu-kvm continues running and\n the guest can be reset as expected.", "edition": 17, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170302)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "modified": "2017-03-03T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:qemu-img", "p-cpe:/a:fermilab:scientific_linux:qemu-kvm-common", "p-cpe:/a:fermilab:scientific_linux:qemu-kvm", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:qemu-kvm-tools", "p-cpe:/a:fermilab:scientific_linux:qemu-kvm-debuginfo"], "id": "SL_20170302_QEMU_KVM_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/97517", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97517);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/25\");\n\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170302)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA emulator support is vulnerable to an out-of-bounds\n access issue. It could occur while copying VGA data via\n bitblt copy in backward mode. 
A privileged user inside a\n guest could use this flaw to crash the QEMU process\n resulting in DoS or potentially execute arbitrary code\n on the host with privileges of QEMU process on the host.\n (CVE-2017-2615)\n\n - Quick emulator (QEMU) built with the Cirrus CLGD 54xx\n VGA Emulator support is vulnerable to an out-of-bounds\n access issue. The issue could occur while copying VGA\n data in cirrus_bitblt_cputovideo. A privileged user\n inside guest could use this flaw to crash the QEMU\n process OR potentially execute arbitrary code on host\n with privileges of the QEMU process. (CVE-2017-2620)\n\nBug Fix(es) :\n\n - When using the virtio-blk driver on a guest virtual\n machine with no space on the virtual hard drive, the\n guest terminated unexpectedly with a 'block I/O error in\n device' message and the qemu-kvm process exited with a\n segmentation fault. This update fixes how the\n system_reset QEMU signal is handled in the above\n scenario. As a result, if a guest crashes due to no\n space left on the device, qemu-kvm continues running and\n the guest can be reset as expected.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1703&L=scientific-linux-errata&F=&S=&P=406\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59a8a749\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"qemu-img-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"qemu-kvm-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"qemu-kvm-common-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"qemu-kvm-debuginfo-1.5.3-126.el7_3.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-1.5.3-126.el7_3.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-debuginfo / etc\");\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-04-07T18:25:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "Two security issues have been identified within Citrix XenServer.", "modified": "2020-04-02T00:00:00", "published": "2017-02-22T00:00:00", "id": "OPENVAS:1361412562310140173", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140173", "type": "openvas", "title": "Citrix XenServer Multiple Security Updates (CTX220771)", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# Citrix XenServer Multiple Security Updates (CTX220771)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140173\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_version(\"2020-04-02T13:53:24+0000\");\n\n script_name(\"Citrix XenServer Multiple Security Updates (CTX220771)\");\n\n script_xref(name:\"URL\", value:\"https://support.citrix.com/article/CTX220771\");\n\n script_tag(name:\"vuldetect\", value:\"Check the installed hotfixes.\");\n\n script_tag(name:\"solution\", value:\"Apply the hotfix referenced in the advisory.\");\n\n script_tag(name:\"summary\", value:\"Two security issues have been identified within Citrix XenServer.\");\n\n script_tag(name:\"impact\", value:\"These issues could, if exploited, allow the administrator of an HVM guest VM to compromise the host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities 
have been addressed:\n\n - CVE-2017-2615 (High): QEMU: oob access in cirrus bitblt copy\n\n - CVE-2017-2620 (High): QEMU: cirrus_bitblt_cputovideo does not check if memory region is safe.\n\n Customers using only PV guest VMs are not affected by this vulnerability.\n\n Customers using only VMs that use the std-vga graphics emulation are not affected by this vulnerability.\");\n\n script_tag(name:\"affected\", value:\"XenServer 7.0\n\n XenServer 6.5\n\n XenServer 6.2.0\n\n XenServer 6.0.2\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-02 13:53:24 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 14:10:53 +0100 (Wed, 22 Feb 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\", \"xenserver/patches\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\nif( ! 
hotfixes = get_kb_item(\"xenserver/patches\") )\n exit( 0 );\n\npatches = make_array();\n\npatches['7.0.0'] = make_list( 'XS70E029' );\npatches['6.5.0'] = make_list( 'XS65ESP1050' );\npatches['6.2.0'] = make_list( 'XS62ESP1057' );\npatches['6.0.2'] = make_list( 'XS602ECC041' );\n\ncitrix_xenserver_check_report_is_vulnerable( version:version, hotfixes:hotfixes, patches:patches );\n\nexit( 99 );\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "Check the version of qemu-img", "modified": "2019-03-08T00:00:00", "published": "2017-03-04T00:00:00", "id": "OPENVAS:1361412562310882671", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882671", "type": "openvas", "title": "CentOS Update for qemu-img CESA-2017:0396 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for qemu-img CESA-2017:0396 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882671\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-04 05:49:30 +0100 (Sat, 04 Mar 2017)\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for qemu-img CESA-2017:0396 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of qemu-img\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Kernel-based Virtual Machine (KVM) is a\nfull virtualization solution for Linux on a variety of architectures.\nThe qemu-kvm packages provide the user-space component for running virtual\nmachines that use KVM.\n\nSecurity Fix(es):\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged user\ninside a guest could use this flaw to crash the QEMU process resulting in\nDoS or potentially execute arbitrary code on the host with privileges of\nQEMU process on the host. (CVE-2017-2615)\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. 
The issue could\noccur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user\ninside guest could use this flaw to crash the QEMU process OR potentially\nexecute arbitrary code on host with privileges of the QEMU process.\n(CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es):\n\n * When using the virtio-blk driver on a guest virtual machine with no space\non the virtual hard drive, the guest terminated unexpectedly with a 'block\nI/O error in device' message and the qemu-kvm process exited with a\nsegmentation fault. This update fixes how the system_reset QEMU signal is\nhandled in the above scenario. As a result, if a guest crashes due to no\nspace left on the device, qemu-kvm continues running and the guest can be\nreset as expected. (BZ#1420049)\");\n script_tag(name:\"affected\", value:\"qemu-img on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0396\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-March/022321.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~126.el7_3.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~1.5.3~126.el7_3.5\", rls:\"CentOS7\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-common\", rpm:\"qemu-kvm-common~1.5.3~126.el7_3.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~1.5.3~126.el7_3.5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-03-03T00:00:00", "id": "OPENVAS:1361412562310871769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871769", "type": "openvas", "title": "RedHat Update for qemu-kvm RHSA-2017:0396-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for qemu-kvm RHSA-2017:0396-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871769\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-03 05:49:43 +0100 (Fri, 03 Mar 2017)\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for qemu-kvm RHSA-2017:0396-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu-kvm'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Kernel-based Virtual Machine (KVM) is a\nfull virtualization solution for Linux on a variety of architectures. The qemu-kvm\npackages provide the user-space component for running virtual machines that use KVM.\n\nSecurity Fix(es):\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged user\ninside a guest could use this flaw to crash the QEMU process resulting in\nDoS or potentially execute arbitrary code on the host with privileges of\nQEMU process on the host. 
(CVE-2017-2615)\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue could\noccur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user\ninside guest could use this flaw to crash the QEMU process OR potentially\nexecute arbitrary code on host with privileges of the QEMU process.\n(CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\nBug Fix(es):\n\n * When using the virtio-blk driver on a guest virtual machine with no space\non the virtual hard drive, the guest terminated unexpectedly with a 'block\nI/O error in device' message and the qemu-kvm process exited with a\nsegmentation fault. This update fixes how the system_reset QEMU signal is\nhandled in the above scenario. As a result, if a guest crashes due to no\nspace left on the device, qemu-kvm continues running and the guest can be\nreset as expected. (BZ#1420049)\");\n script_tag(name:\"affected\", value:\"qemu-kvm on\n Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:0396-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00007.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~126.el7_3.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~1.5.3~126.el7_3.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-common\", rpm:\"qemu-kvm-common~1.5.3~126.el7_3.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-debuginfo\", rpm:\"qemu-kvm-debuginfo~1.5.3~126.el7_3.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~1.5.3~126.el7_3.5\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:39:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": 
"2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171037", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171037", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2017-1037)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1037\");\n script_version(\"2020-01-23T10:45:22+0000\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:45:22 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:45:22 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2017-1037)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n 
script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1037\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1037\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'qemu-kvm' package(s) announced via the EulerOS-SA-2017-1037 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\nQuick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. 
(CVE-2017-2620)\");\n\n script_tag(name:\"affected\", value:\"'qemu-kvm' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~126.5\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:36:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171038", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171038", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2017-1038)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1038\");\n script_version(\"2020-01-23T10:45:24+0000\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:45:24 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:45:24 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2017-1038)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1038\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1038\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'qemu-kvm' package(s) announced via the EulerOS-SA-2017-1038 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. 
A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)\n\nQuick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)\");\n\n script_tag(name:\"affected\", value:\"'qemu-kvm' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~1.5.3~126.5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~1.5.3~126.5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qemu-kvm-common\", rpm:\"qemu-kvm-common~1.5.3~126.5\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-2620"], "description": "Check the version of kmod-kvm", "modified": "2019-03-11T00:00:00", "published": "2017-03-09T00:00:00", "id": "OPENVAS:1361412562310882678", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310882678", "type": "openvas", "title": "CentOS Update for kmod-kvm CESA-2017:0454 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kmod-kvm CESA-2017:0454 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882678\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-09 05:01:35 +0100 (Thu, 09 Mar 2017)\");\n script_cve_id(\"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kmod-kvm CESA-2017:0454 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of kmod-kvm\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target 
host.\");\n script_tag(name:\"insight\", value:\"KVM (for Kernel-based Virtual Machine) is\na full virtualization solution for Linux on x86 hardware. Using KVM, one can\nrun multiple virtual machines running unmodified Linux or Windows images.\nEach virtual machine has private virtualized hardware: a network card, disk,\ngraphics adapter, etc.\n\nSecurity Fix(es):\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator\nsupport is vulnerable to an out-of-bounds access issue. It could occur\nwhile copying VGA data via bitblt copy in backward mode. A privileged user\ninside a guest could use this flaw to crash the QEMU process resulting in\nDoS or potentially execute arbitrary code on the host with privileges of\nQEMU process on the host. (CVE-2017-2615)\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue could\noccur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user\ninside guest could use this flaw to crash the QEMU process OR potentially\nexecute arbitrary code on host with privileges of the QEMU process.\n(CVE-2017-2620)\n\nRed Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang\n(360.cn Inc.) for reporting CVE-2017-2615.\n\n4. 
Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to the linked article.\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/11258\");\n script_tag(name:\"affected\", value:\"kmod-kvm on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0454\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-March/022325.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kmod-kvm\", rpm:\"kmod-kvm~83~277.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kmod-kvm-debug\", rpm:\"kmod-kvm-debug~83~277.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kvm\", rpm:\"kvm~83~277.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kvm-qemu-img\", rpm:\"kvm-qemu-img~83~277.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kvm-tools\", rpm:\"kvm-tools~83~277.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, 
{"lastseen": "2020-01-31T18:28:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9922", "CVE-2017-2615", "CVE-2016-9921", "CVE-2017-2620"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-03-12T00:00:00", "id": "OPENVAS:1361412562310851522", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851522", "type": "openvas", "title": "openSUSE: Security Advisory for xen (openSUSE-SU-2017:0665-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851522\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-12 05:48:22 +0100 (Sun, 12 Mar 2017)\");\n script_cve_id(\"CVE-2016-9921\", \"CVE-2016-9922\", \"CVE-2017-2615\", \"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for xen (openSUSE-SU-2017:0665-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine\n cirrus_bitblt_cputovideo failed to check the memory region, allowing for\n an out-of-bounds write that allows for privilege escalation\n (bsc#1024834).\n\n - CVE-2017-2615: An error in the bitblt copy operation could have allowed\n a malicious guest administrator to cause an out of bounds memory access,\n possibly leading to information disclosure or privilege escalation\n (bsc#1023004).\n\n - A malicious guest could have, by frequently rebooting over extended\n periods of time, run the host system out of memory, resulting in a\n Denial of Service (DoS) (bsc#1022871)\n\n - CVE-2016-9921: The 
Cirrus CLGD 54xx VGA Emulator support was vulnerable\n to a divide by zero issue while copying VGA data. A privileged user\n inside guest could have used this flaw to crash the process instance on\n the host, resulting in DoS (bsc#1015169\n\n These non-security issues were fixed:\n\n - bsc#1000195: Prevent panic on CPU0 while booting on SLES 11 SP3\n\n - bsc#1002496: Added support for reloading clvm in block-dmmd block-dmmd\n\n - bsc#1005028: Fixed building Xen RPMs from Sources\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\");\n\n script_tag(name:\"affected\", value:\"xen on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0665-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"xen-debugsource\", rpm:\"xen-debugsource~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo\", rpm:\"xen-libs-debuginfo~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU\", 
rpm:\"xen-tools-domU~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU-debuginfo\", rpm:\"xen-tools-domU-debuginfo~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-doc-html\", rpm:\"xen-doc-html~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-32bit\", rpm:\"xen-libs-32bit~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo-32bit\", rpm:\"xen-libs-debuginfo-32bit~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools\", rpm:\"xen-tools~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-debuginfo\", rpm:\"xen-tools-debuginfo~4.7.1_06~9.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-5973", "CVE-2017-5898", "CVE-2016-9921", "CVE-2017-2620"], "description": "Several vulnerabilities were discovered in qemu-kvm, a full\nvirtualization solution for Linux hosts on x86 hardware with x86 guests.\n\nCVE-2017-2615\n\nThe Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\nout-of-bounds access issue. 
It could occur while copying VGA data\nvia bitblt copy in backward mode.\n\nA privileged user inside guest could use this flaw to crash the\nQemu process resulting in DoS OR potentially execute arbitrary\ncode on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-2620\n\nThe Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\nout-of-bounds access issue. It could occur while copying VGA data\nin cirrus_bitblt_cputovideo.\n\nA privileged user inside guest could use this flaw to crash the\nQemu process resulting in DoS OR potentially execute arbitrary\ncode on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-5898\n\nThe CCID Card device emulator support is vulnerable to an integer\noverflow flaw. It could occur while passing message via\ncommand/responses packets to and from the host.\n\nA privileged user inside guest could use this flaw to crash the\nqemu-kvm process on the host resulting in a DoS.\n\nThis issue does not affect the qemu-kvm binaries in Debian but we\napply the patch to the sources to stay in sync with the qemu\npackage.\n\nCVE-2017-5973\n\nThe USB xHCI controller emulator support in qemu-kvm is vulnerable\nto an infinite loop issue. 
It could occur while processing control\ntransfer descriptors", "modified": "2020-01-29T00:00:00", "published": "2018-01-08T00:00:00", "id": "OPENVAS:1361412562310890842", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890842", "type": "openvas", "title": "Debian LTS: Security Advisory for qemu-kvm (DLA-842-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890842\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-9921\", \"CVE-2017-2615\", \"CVE-2017-2620\", \"CVE-2017-5898\", \"CVE-2017-5973\");\n script_name(\"Debian LTS: Security Advisory for qemu-kvm (DLA-842-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-08 00:00:00 +0100 (Mon, 08 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/02/msg00033.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"qemu-kvm on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.1.2+dfsg-6+deb7u20.\n\nWe recommend that you upgrade your qemu-kvm packages.\");\n\n script_tag(name:\"summary\", value:\"Several vulnerabilities were discovered in qemu-kvm, a full\nvirtualization solution for Linux hosts on x86 hardware with x86 guests.\n\nCVE-2017-2615\n\nThe Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\nout-of-bounds access 
issue. It could occur while copying VGA data\nvia bitblt copy in backward mode.\n\nA privileged user inside guest could use this flaw to crash the\nQemu process resulting in DoS OR potentially execute arbitrary\ncode on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-2620\n\nThe Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\nout-of-bounds access issue. It could occur while copying VGA data\nin cirrus_bitblt_cputovideo.\n\nA privileged user inside guest could use this flaw to crash the\nQemu process resulting in DoS OR potentially execute arbitrary\ncode on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-5898\n\nThe CCID Card device emulator support is vulnerable to an integer\noverflow flaw. It could occur while passing message via\ncommand/responses packets to and from the host.\n\nA privileged user inside guest could use this flaw to crash the\nqemu-kvm process on the host resulting in a DoS.\n\nThis issue does not affect the qemu-kvm binaries in Debian but we\napply the patch to the sources to stay in sync with the qemu\npackage.\n\nCVE-2017-5973\n\nThe USB xHCI controller emulator support in qemu-kvm is vulnerable\nto an infinite loop issue. 
It could occur while processing control\ntransfer descriptors' sequence in xhci_kick_epctx.\n\nA privileged user inside guest could use this flaw to crash the\nqemu-kvm process resulting in a DoS.\n\nThis update also updates the fix CVE-2016-9921 since it was too strict\nand broke certain guests.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"kvm\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-kvm-dbg\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:11:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2615", "CVE-2017-5973", "CVE-2017-5898", "CVE-2016-9921", "CVE-2017-2620"], "description": "Several vulnerabilities were discovered in qemu, a fast processor emulator.", "modified": "2020-01-29T00:00:00", "published": "2018-01-12T00:00:00", "id": "OPENVAS:1361412562310890845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890845", "type": "openvas", "title": "Debian LTS: Security Advisory for qemu (DLA-845-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 
2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890845\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-9921\", \"CVE-2017-2615\", \"CVE-2017-2620\", \"CVE-2017-5898\", \"CVE-2017-5973\");\n script_name(\"Debian LTS: Security Advisory for qemu (DLA-845-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00001.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"qemu on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.1.2+dfsg-6+deb7u20.\n\nWe recommend that you upgrade your qemu packages.\");\n\n script_tag(name:\"summary\", 
value:\"Several vulnerabilities were discovered in qemu, a fast processor emulator.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"qemu\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-keymaps\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-user\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-user-static\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qemu-utils\", ver:\"1.1.2+dfsg-6+deb7u20\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2620"], "description": "Check the version of qemu-guest-agent", "modified": "2019-03-08T00:00:00", "published": "2017-03-03T00:00:00", "id": "OPENVAS:1361412562310882669", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882669", "type": "openvas", "title": "CentOS Update for qemu-guest-agent CESA-2017:0352 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for qemu-guest-agent CESA-2017:0352 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882669\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-03 10:39:50 +0530 (Fri, 03 Mar 2017)\");\n script_cve_id(\"CVE-2017-2620\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for qemu-guest-agent CESA-2017:0352 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of qemu-guest-agent\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Kernel-based Virtual Machine (KVM) is a\nfull virtualization solution for Linux on a variety of architectures.\nThe qemu-kvm packages provide the user-space component for running virtual\nmachines that use KVM.\n\nSecurity Fix(es):\n\n * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator\nsupport is vulnerable to an out-of-bounds access issue. The issue could\noccur while copying VGA data in cirrus_bitblt_cputovideo. 
A privileged user\ninside guest could use this flaw to crash the QEMU process OR potentially\nexecute arbitrary code on host with privileges of the QEMU process.\n(CVE-2017-2620)\");\n script_tag(name:\"affected\", value:\"qemu-guest-agent on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0352\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-March/022294.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu-guest-agent\", rpm:\"qemu-guest-agent~0.12.1.2~2.491.el6_8.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~0.12.1.2~2.491.el6_8.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~0.12.1.2~2.491.el6_8.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~0.12.1.2~2.491.el6_8.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-02-27T19:11:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9922", "CVE-2017-2615", "CVE-2016-9921", "CVE-2017-2620"], 
"edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine\n cirrus_bitblt_cputovideo failed to check the memory region, allowing for\n an out-of-bounds write that allows for privilege escalation\n (bsc#1024834).\n - CVE-2017-2615: An error in the bitblt copy operation could have allowed\n a malicious guest administrator to cause an out of bounds memory access,\n possibly leading to information disclosure or privilege escalation\n (bsc#1023004).\n - A malicious guest could have, by frequently rebooting over extended\n periods of time, run the host system out of memory, resulting in a\n Denial of Service (DoS) (bsc#1022871)\n - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable\n to a divide by zero issue while copying VGA data. A privileged user\n inside guest could have used this flaw to crash the process instance on\n the host, resulting in DoS (bsc#1015169\n\n These non-security issues were fixed:\n\n - bsc#1000195: Prevent panic on CPU0 while booting on SLES 11 SP3\n - bsc#1002496: Added support for reloading clvm in block-dmmd block-dmmd\n - bsc#1005028: Fixed building Xen RPMs from Sources\n\n", "modified": "2017-02-27T18:13:48", "published": "2017-02-27T18:13:48", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00046.html", "id": "SUSE-SU-2017:0571-1", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-03-11T15:11:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9922", "CVE-2017-2615", "CVE-2016-9921", "CVE-2017-2620"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine\n cirrus_bitblt_cputovideo failed to check the memory 
region, allowing for\n an out-of-bounds write that allows for privilege escalation\n (bsc#1024834).\n - CVE-2017-2615: An error in the bitblt copy operation could have allowed\n a malicious guest administrator to cause an out of bounds memory access,\n possibly leading to information disclosure or privilege escalation\n (bsc#1023004).\n - A malicious guest could have, by frequently rebooting over extended\n periods of time, run the host system out of memory, resulting in a\n Denial of Service (DoS) (bsc#1022871)\n - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable\n to a divide by zero issue while copying VGA data. A privileged user\n inside guest could have used this flaw to crash the process instance on\n the host, resulting in DoS (bsc#1015169)\n\n These non-security issues were fixed:\n\n - bsc#1000195: Prevent panic on CPU0 while booting on SLES 11 SP3\n - bsc#1002496: Added support for reloading clvm in block-dmmd block-dmmd\n - bsc#1005028: Fixed building Xen RPMs from Sources\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "modified": "2017-03-11T15:07:34", "published": "2017-03-11T15:07:34", "id": "OPENSUSE-SU-2017:0665-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00008.html", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T19:19:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9776", "CVE-2016-10155", "CVE-2016-9922", "CVE-2017-2615", "CVE-2017-5898", "CVE-2016-9921", "CVE-2017-2620", "CVE-2017-5856", "CVE-2016-9907", "CVE-2016-9911"], "description": "This update for kvm fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine\n cirrus_bitblt_cputovideo failed to check the memory region, allowing for\n an out-of-bounds write that allows for privilege 
escalation (bsc#1024972)\n - CVE-2017-2615: An error in the bitblt copy operation could have allowed\n a malicious guest administrator to cause an out of bounds memory access,\n possibly leading to information disclosure or privilege escalation\n (bsc#1023004)\n - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support\n was vulnerable to an infinite loop issue while receiving packets in\n 'mcf_fec_receive'. A privileged user/process inside guest could have\n used this issue to crash the Qemu process on the host leading to DoS\n (bsc#1013285)\n - CVE-2016-9911: The USB EHCI Emulation support was vulnerable to a memory\n leakage issue while processing packet data in 'ehci_init_transfer'. A\n guest user/process could have used this issue to leak host memory,\n resulting in DoS for the host (bsc#1014111)\n - CVE-2016-9907: The USB redirector usb-guest support was vulnerable to a\n memory leakage flaw when destroying the USB redirector in\n 'usbredir_handle_destroy'. A guest user/process could have used this\n issue to leak host memory, resulting in DoS for a host (bsc#1014109)\n - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable\n to a divide by zero issue while copying VGA data. A privileged user\n inside guest could have used this flaw to crash the process instance on\n the host, resulting in DoS (bsc#1014702)\n - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable\n to a divide by zero issue while copying VGA data. 
A privileged user\n inside guest could have used this flaw to crash the process instance on\n the host, resulting in DoS (bsc#1014702)\n - CVE-2017-5898: The CCID Card device emulator support was vulnerable to\n an integer overflow allowing a privileged user inside the guest to crash\n the Qemu process resulting in DoS (bnc#1023907)\n - CVE-2016-10155: The virtual hardware watchdog 'wdt_i6300esb' was\n vulnerable to a memory leakage issue allowing a privileged user to cause\n a DoS and/or potentially crash the Qemu process on the host (bsc#1021129)\n - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support was vulnerable to a memory leakage issue allowing a privileged\n user to leak host memory resulting in DoS (bsc#1023053)\n\n These non-security issues were fixed:\n\n - Fixed various inaccuracies in cirrus vga device emulation\n - Fixed virtio interface failure (bsc#1015048)\n - Fixed graphical update errors introduced by previous security fix\n (bsc#1016779)\n\n", "edition": 1, "modified": "2017-04-28T21:11:21", "published": "2017-04-28T21:11:21", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-04/msg00035.html", "id": "SUSE-SU-2017:1135-1", "title": "Security update for kvm (important)", "type": "suse", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:22:48", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-5973", "CVE-2017-5898", "CVE-2016-9921", "CVE-2017-2620"], "description": "Package : qemu-kvm\nVersion : 1.1.2+dfsg-6+deb7u20\nCVE ID : CVE-2017-2615 CVE-2017-2620 CVE-2017-5898 CVE-2017-5973\n\n\nSeveral vulnerabilities were discovered in qemu-kvm, a full\nvirtualization solution for Linux hosts on x86 hardware with x86 guests.\n\nCVE-2017-2615\n\n The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\n out-of-bounds access issue. 
It could occur while copying VGA data\n via bitblt copy in backward mode.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process resulting in DoS OR potentially execute arbitrary\n code on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-2620\n\n The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an\n out-of-bounds access issue. It could occur while copying VGA data\n in cirrus_bitblt_cputovideo.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process resulting in DoS OR potentially execute arbitrary\n code on the host with privileges of qemu-kvm process on the host.\n\nCVE-2017-5898\n\n The CCID Card device emulator support is vulnerable to an integer\n overflow flaw. It could occur while passing message via\n command/responses packets to and from the host.\n\n A privileged user inside guest could use this flaw to crash the\n qemu-kvm process on the host resulting in a DoS.\n\n This issue does not affect the qemu-kvm binaries in Debian but we\n apply the patch to the sources to stay in sync with the qemu\n package.\n\nCVE-2017-5973\n\n The USB xHCI controller emulator support in qemu-kvm is vulnerable\n to an infinite loop issue. 
It could occur while processing control\n transfer descriptors' sequence in xhci_kick_epctx.\n\n A privileged user inside guest could use this flaw to crash the\n qemu-kvm process resulting in a DoS.\n\nThis update also updates the fix CVE-2016-9921 since it was too strict\nand broke certain guests.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.1.2+dfsg-6+deb7u20.\n\nWe recommend that you upgrade your qemu-kvm packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-02-28T22:10:25", "published": "2017-02-28T22:10:25", "id": "DEBIAN:DLA-842-1:6B5AC", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201702/msg00033.html", "title": "[SECURITY] [DLA 842-1] qemu-kvm security update", "type": "debian", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:24", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615", "CVE-2017-5973", "CVE-2017-5898", "CVE-2016-9921", "CVE-2017-2620"], "description": "Package : qemu\nVersion : 1.1.2+dfsg-6+deb7u20\nCVE ID : CVE-2017-2615 CVE-2017-2620 CVE-2017-5898 CVE-2017-5973\nDebian Bug : \n\nSeveral vulnerabilities were discovered in qemu, a fast processor\nemulator. The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2017-2615\n\n The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an\n out-of-bounds access issue. It could occur while copying VGA data\n via bitblt copy in backward mode.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process resulting in DoS OR potentially execute arbitrary\n code on the host with privileges of Qemu process on the host.\n\nCVE-2017-2620\n\n The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an\n out-of-bounds access issue. 
It could occur while copying VGA data\n in cirrus_bitblt_cputovideo.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process resulting in DoS OR potentially execute arbitrary\n code on the host with privileges of Qemu process on the host.\n\nCVE-2017-5898\n\n The CCID Card device emulator support is vulnerable to an integer\n overflow flaw. It could occur while passing message via\n command/responses packets to and from the host.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process on host resulting in DoS.\n\nCVE-2017-5973\n\n The USB xHCI controller emulator support in qemu is vulnerable\n to an infinite loop issue. It could occur while processing control\n transfer descriptors' sequence in xhci_kick_epctx.\n\n A privileged user inside guest could use this flaw to crash the\n Qemu process resulting in DoS.\n\nThis update also updates the fix CVE-2016-9921 since it was too strict\nand broke certain guests.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1.1.2+dfsg-6+deb7u20.\n\nWe recommend that you upgrade your qemu packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-03-01T19:52:31", "published": "2017-03-01T19:52:31", "id": "DEBIAN:DLA-845-1:D7636", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00001.html", "title": "[SECURITY] [DLA 845-1] qemu security update", "type": "debian", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-02-21T01:00:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615"], "edition": 1, "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. 
Please review the CVE identifiers and Xen Security Advisory referenced below for details. \n\n### Impact\n\nA local attacker could potentially execute arbitrary code with privileges of Xen (QEMU) process on the host, gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.7.1-r5\"\n \n\nAll Xen Tools users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/xen-tools-4.7.1-r6\"", "modified": "2017-02-21T00:00:00", "published": "2017-02-21T00:00:00", "id": "GLSA-201702-27", "href": "https://security.gentoo.org/glsa/201702-27", "title": "Xen: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-28T05:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "edition": 1, "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nIn CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. \n\n### Impact\n\nA local attacker could potentially execute arbitrary code with privileges of Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition. \n\n### Workaround\n\nRunning guests in Paravirtualization (PV) mode, or running guests in Hardware-assisted virtualization (HVM) utilizing stub domains mitigate the issue. \n\nRunning HVM guests with the device model in a stubdomain will mitigate the issue. \n\nChanging the video card emulation to stdvga (stdvga=1, vga=\u201dstdvga\u201d, in the xl domain configuration) will avoid the vulnerability. 
\n\n### Resolution\n\nAll Xen Tools users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/xen-tools-4.7.1-r8\"", "modified": "2017-03-28T00:00:00", "published": "2017-03-28T00:00:00", "id": "GLSA-201703-07", "href": "https://security.gentoo.org/glsa/201703-07", "title": "Xen: Privilege Escalation", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:21", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2615"], "description": "\nThe Xen Project reports:\n\nWhen doing bitblt copy backwards, qemu should negate the blit\n\t width. This avoids an oob access before the start of video\n\t memory.\nA malicious guest administrator can cause an out of bounds memory\n\t access, possibly leading to information disclosure or privilege\n\t escalation.\n\n", "edition": 3, "modified": "2017-02-10T00:00:00", "published": "2017-02-10T00:00:00", "id": "A73ABA9A-EFFE-11E6-AE1B-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/a73aba9a-effe-11e6-ae1b-002590263bf5.html", "title": "xen-tools -- oob access in cirrus bitblt copy", "type": "freebsd", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:20", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "\nThe Xen Project reports:\n\nIn CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine\n\t cirrus_bitblt_cputovideo fails to check whether the specified\n\t memory region is safe. 
A malicious guest administrator can cause\n\t an out of bounds memory write, very likely exploitable as a\n\t privilege escalation.\n\n", "edition": 4, "modified": "2017-02-21T00:00:00", "published": "2017-02-21T00:00:00", "id": "8CBD9C08-F8B9-11E6-AE1B-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/8cbd9c08-f8b9-11e6-ae1b-002590263bf5.html", "title": "xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe", "type": "freebsd", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "xen": [{"lastseen": "2017-02-10T12:59:47", "bulletinFamily": "software", "cvelist": ["CVE-2017-2615"], "edition": 1, "description": "#### ISSUE DESCRIPTION\nWhen doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory.\n#### IMPACT\nA malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.\n#### VULNERABLE SYSTEMS\nVersions of qemu shipped with all Xen versions are vulnerable.\nXen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable.\nOnly guests provided with the "cirrus" emulated video card can exploit the vulnerability. The non-default "stdvga" emulated video card is not vulnerable. (With xl the emulated video card is controlled by the "stdvga=" and "vga=" domain configuration options.)\nARM systems are not vulnerable. 
Systems using only PV guests are not vulnerable.\nFor VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself.\nBoth upstream-based versions of qemu (device_model_version="qemu-xen") and `traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable.\n", "modified": "2017-02-10T12:43:00", "published": "2017-02-10T12:43:00", "id": "XSA-208", "href": "http://xenbits.xen.org/xsa/advisory-208.html", "title": "oob access in cirrus bitblt copy", "type": "xen", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-02-21T12:59:56", "bulletinFamily": "software", "cvelist": ["CVE-2017-2620"], "edition": 1, "description": "#### ISSUE DESCRIPTION\nIn CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe.\n#### IMPACT\nA malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation.\n#### VULNERABLE SYSTEMS\nVersions of qemu shipped with all Xen versions are vulnerable.\nXen systems running on x86 with HVM guests, with the qemu process running in dom0 are vulnerable.\nOnly guests provided with the "cirrus" emulated video card can exploit the vulnerability. The non-default "stdvga" emulated video card is not vulnerable. (With xl the emulated video card is controlled by the "stdvga=" and "vga=" domain configuration options.)\nARM systems are not vulnerable. 
Systems using only PV guests are not vulnerable.\nFor VMs whose qemu process is running in a stub domain, a successful attacker will only gain the privileges of that stubdom, which should be only over the guest itself.\nBoth upstream-based versions of qemu (device_model_version="qemu-xen") and `traditional' qemu (device_model_version="qemu-xen-traditional") are vulnerable.\n", "modified": "2017-02-21T10:42:00", "published": "2017-02-21T10:42:00", "href": "http://xenbits.xen.org/xsa/advisory-209.html", "id": "XSA-209", "type": "xen", "title": "cirrus_bitblt_cputovideo does not check if memory region is safe", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2017-03-08T13:33:09", "published": "2017-03-08T13:33:09", "id": "FEDORA:007EE62B4039", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xen-4.6.4-8.fc24", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2620"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2017-03-01T01:30:45", "published": "2017-03-01T01:30:45", "id": "FEDORA:8EE9A605A344", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: xen-4.7.1-9.fc25", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}