Fedora 24 update for xen
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-2620 |
| CWE-ID | CWE-125 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system xen Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU31986
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-2620
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 24
xen: before 4.6.4-8.fc24
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2017-1607a3a78e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
