SB2023073115 - SUSE update for qemu

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023073115

SB2023073115 - SUSE update for qemu

Published: July 31, 2023

Security Bulletin ID SB2023073115
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Race condition (CVE-ID: CVE-2021-4207)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the QXL display device emulation in QEMU. A privileged user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


2) Out-of-bounds write (CVE-ID: CVE-2023-0330)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within hw/scsi/lsi53c895a.c in QEMU caused by a DMA-MMIO reentrancy problem. A local privileged user can trigger an out-of-bounds write and execute arbitrary code on the target system.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2861)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an error in the 9p passthrough filesystem (9pfs) implementation in QEMU. A local user can escape from the exported 9p tree by creating and opening a device file in the shared folder.


Remediation

Install update from vendor's website.

References