SB2023100450 - Out-of-bounds read in vm-memory crate
Published: October 4, 2023
Security Bulletin ID
SB2023100450
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2023-41051)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in multiple functions in VolatileMemory class. A remote user can trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.
Remediation
Install update from vendor's website.
References
- https://github.com/rust-vmm/vm-memory/commit/aff1dd4a5259f7deba56692840f7a2d9ca34c9c8
- https://github.com/rust-vmm/vm-memory/security/advisories/GHSA-49hh-fprx-m68g
- https://crates.io/crates/vm-memory/0.12.2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZGJL6BQLU4XCPQLLTW4GSSBTNQXB3TI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPXRXD5VXBZHBGMUM77B52CJJMG7EJGI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYM6CYW2DWRHRAVL2HYTQPXC3J2V77J4/