Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2021-20196 CVE-2021-3392 CVE-2021-3527 CVE-2021-3930 CVE-2021-4207 CVE-2022-4144

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196) A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. (CVE-2021-3392) A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527) An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. (CVE-2021-3930) A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207) An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Source

ALAS2-2023-2061

Amazon Linux 2 Security Advisory: ALAS-2023-2061
Advisory Release Date: 2023-05-25 17:41 Pacific
Advisory Updated Date: 2023-06-01 23:37 Pacific

Severity: Medium

References: CVE-2021-20196 CVE-2021-3392 CVE-2021-3527 CVE-2021-3930 CVE-2021-4207 CVE-2022-4144
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. (CVE-2021-3392)

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)

An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. (CVE-2021-3930)

A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Affected Packages:

qemu

Issue Correction:
Run yum update qemu to update your system.

New Packages:

aarch64:
    qemu-3.1.0-8.amzn2.0.10.aarch64
    qemu-common-3.1.0-8.amzn2.0.10.aarch64
    qemu-guest-agent-3.1.0-8.amzn2.0.10.aarch64
    qemu-img-3.1.0-8.amzn2.0.10.aarch64
    ivshmem-tools-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-curl-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-dmg-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-nfs-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-rbd-3.1.0-8.amzn2.0.10.aarch64
    qemu-block-ssh-3.1.0-8.amzn2.0.10.aarch64
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.aarch64
    qemu-audio-oss-3.1.0-8.amzn2.0.10.aarch64
    qemu-audio-pa-3.1.0-8.amzn2.0.10.aarch64
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.aarch64
    qemu-ui-curses-3.1.0-8.amzn2.0.10.aarch64
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.aarch64
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.aarch64
    qemu-kvm-3.1.0-8.amzn2.0.10.aarch64
    qemu-kvm-core-3.1.0-8.amzn2.0.10.aarch64
    qemu-user-3.1.0-8.amzn2.0.10.aarch64
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.aarch64
    qemu-user-static-3.1.0-8.amzn2.0.10.aarch64
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.aarch64
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.aarch64
    qemu-system-x86-3.1.0-8.amzn2.0.10.aarch64
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.aarch64
    qemu-debuginfo-3.1.0-8.amzn2.0.10.aarch64

i686:
    qemu-3.1.0-8.amzn2.0.10.i686
    qemu-common-3.1.0-8.amzn2.0.10.i686
    qemu-guest-agent-3.1.0-8.amzn2.0.10.i686
    qemu-img-3.1.0-8.amzn2.0.10.i686
    ivshmem-tools-3.1.0-8.amzn2.0.10.i686
    qemu-block-curl-3.1.0-8.amzn2.0.10.i686
    qemu-block-dmg-3.1.0-8.amzn2.0.10.i686
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.i686
    qemu-block-nfs-3.1.0-8.amzn2.0.10.i686
    qemu-block-ssh-3.1.0-8.amzn2.0.10.i686
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.i686
    qemu-audio-oss-3.1.0-8.amzn2.0.10.i686
    qemu-audio-pa-3.1.0-8.amzn2.0.10.i686
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.i686
    qemu-ui-curses-3.1.0-8.amzn2.0.10.i686
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.i686
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.i686
    qemu-kvm-3.1.0-8.amzn2.0.10.i686
    qemu-kvm-core-3.1.0-8.amzn2.0.10.i686
    qemu-user-3.1.0-8.amzn2.0.10.i686
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.i686
    qemu-user-static-3.1.0-8.amzn2.0.10.i686
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.i686
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.i686
    qemu-system-x86-3.1.0-8.amzn2.0.10.i686
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.i686
    qemu-debuginfo-3.1.0-8.amzn2.0.10.i686

src:
    qemu-3.1.0-8.amzn2.0.10.src

x86_64:
    qemu-3.1.0-8.amzn2.0.10.x86_64
    qemu-common-3.1.0-8.amzn2.0.10.x86_64
    qemu-guest-agent-3.1.0-8.amzn2.0.10.x86_64
    qemu-img-3.1.0-8.amzn2.0.10.x86_64
    ivshmem-tools-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-curl-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-dmg-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-iscsi-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-nfs-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-rbd-3.1.0-8.amzn2.0.10.x86_64
    qemu-block-ssh-3.1.0-8.amzn2.0.10.x86_64
    qemu-audio-alsa-3.1.0-8.amzn2.0.10.x86_64
    qemu-audio-oss-3.1.0-8.amzn2.0.10.x86_64
    qemu-audio-pa-3.1.0-8.amzn2.0.10.x86_64
    qemu-audio-sdl-3.1.0-8.amzn2.0.10.x86_64
    qemu-ui-curses-3.1.0-8.amzn2.0.10.x86_64
    qemu-ui-gtk-3.1.0-8.amzn2.0.10.x86_64
    qemu-ui-sdl-3.1.0-8.amzn2.0.10.x86_64
    qemu-kvm-3.1.0-8.amzn2.0.10.x86_64
    qemu-kvm-core-3.1.0-8.amzn2.0.10.x86_64
    qemu-user-3.1.0-8.amzn2.0.10.x86_64
    qemu-user-binfmt-3.1.0-8.amzn2.0.10.x86_64
    qemu-user-static-3.1.0-8.amzn2.0.10.x86_64
    qemu-system-aarch64-3.1.0-8.amzn2.0.10.x86_64
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.10.x86_64
    qemu-system-x86-3.1.0-8.amzn2.0.10.x86_64
    qemu-system-x86-core-3.1.0-8.amzn2.0.10.x86_64
    qemu-debuginfo-3.1.0-8.amzn2.0.10.x86_64

Additional References

Red Hat: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144

Mitre: CVE-2021-20196, CVE-2021-3392, CVE-2021-3527, CVE-2021-3930, CVE-2021-4207, CVE-2022-4144

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ALAS2-2023-2061

ALAS2-2023-2061

Additional References

Vulmon Search

About

Products

Connect