CVE-2017-14167 Amazon Linux Security Advisory for qemu-kvm: ALAS-2017-934

漏洞类别:Amazon Linux

漏洞等级:

漏洞信息

Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167 )

Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289 )

QID Detection Logic:
This authenticated QID verifies if the version of the following files is lesser than 1.5.3-141.5.amzn1: qemu-kvm-common,qemu-kvm-tools,qemu-img,qemu-kvm-debuginfo,qemu-kvm

漏洞危害

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

解决方案

Please refer to Amazon advisory ALAS-2017-934 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2017-934: Amazon Linux (qemu-kvm (1.5.3-141.5.amzn1) on src)

ALAS-2017-934: Amazon Linux (qemu-kvm (1.5.3-141.5.amzn1) on x86_64)

Leave a Reply