An out-of-bounds heap buffer access issue was found in the way the iSCSI block driver in QEMU handled a response coming from an iSCSI server while checking the status of a Logical Block Address (LBA) in the iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service, or potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2020-01/msg05535.html

Reference:
----------
-> https://www.openwall.com/lists/oss-security/2020/01/23/3
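As an added illustration of the class of check a block-status handler needs (this is not code from QEMU or from the upstream patch), the C snippet below treats the block count in an LBA status descriptor as data chosen by the remote target and caps it to the requested range before using it to index heap-allocated per-LUN state. All struct and function names, the descriptor layout and the scenario values are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for one GET LBA STATUS descriptor as returned by the
 * target; field names are assumptions modelled on the SCSI descriptor layout. */
struct lba_status_desc {
    uint64_t lba;          /* first block the descriptor covers */
    uint32_t num_blocks;   /* untrusted: chosen by the remote iSCSI target */
    uint8_t  provisioning; /* 0 = mapped, 1 = deallocated, 2 = anchored */
};

/* Hypothetical per-LUN state: a heap bitmap with one bit per block. */
struct lun_state { uint32_t block_size; uint64_t num_blocks; uint8_t *allocmap; };

/* Returns the byte count the caller may rely on for [offset, offset + bytes), or
 * -1 if the descriptor is unusable. Only the capped count touches the bitmap. */
static int64_t block_status_checked(struct lun_state *lun,
                                    const struct lba_status_desc *d,
                                    uint64_t offset, int64_t bytes)
{
    uint64_t lba = offset / lun->block_size;
    if (bytes <= 0 || offset + (uint64_t)bytes > lun->num_blocks * lun->block_size
        || d->lba != lba || d->num_blocks == 0) {
        return -1;
    }
    /* Widen before multiplying so a huge num_blocks cannot wrap a 32-bit product. */
    int64_t pnum = (int64_t)d->num_blocks * lun->block_size;
    /* Cap to the request: the target may report a run far beyond it (even past
     * the end of the LUN), and the heap bitmap is indexed with this length. */
    if (pnum > bytes) {
        pnum = bytes;
    }
    if (d->provisioning == 0) {
        for (uint64_t b = lba; b < lba + (uint64_t)pnum / lun->block_size; b++) {
            lun->allocmap[b / 8] |= (uint8_t)(1u << (b % 8));
        }
    }
    return pnum;
}

/* Scenario: a 1024-block LUN of 512-byte blocks queried for 4 KiB at offset 0;
 * the target's descriptor claims `claimed_blocks` mapped blocks. map_out must
 * hold 128 bytes (1024 bits) and receives the resulting bitmap. */
static int64_t run_scenario(uint32_t claimed_blocks, uint8_t *map_out)
{
    memset(map_out, 0, 128);
    struct lun_state lun = { 512, 1024, map_out };
    struct lba_status_desc d = { 0, claimed_blocks, 0 };
    return block_status_checked(&lun, &d, 0, 4096);
}
```

With a descriptor claiming 0xFFFFFFFF blocks, the uncapped product would cover roughly 2 TiB of a 512 KiB LUN and the bitmap loop would run off the end of the 128-byte heap buffer; the cap limits it to the eight requested blocks.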
Acknowledgments:

Name: Felipe Franciosi (nutanix.com), Raphael Norwitz (nutanix.com), Peter Turschmid (nutanix.com)
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1794494]
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1794524]
Statement: This issue affects the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 8, Red Hat OpenStack, Red Hat Virtualization and Red Hat Enterprise Linux Advanced Virtualization 8.
Hi, do we have an update on this issue, as it will affect our container grades? Is someone actively working on a fix?
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:0669 https://access.redhat.com/errata/RHSA-2020:0669
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1711
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.2 Via RHSA-2020:0730 https://access.redhat.com/errata/RHSA-2020:0730
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.1.1 Via RHSA-2020:0731 https://access.redhat.com/errata/RHSA-2020:0731
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:0773 https://access.redhat.com/errata/RHSA-2020:0773
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7, Red Hat Virtualization Engine 4.3 Via RHSA-2020:1216 https://access.redhat.com/errata/RHSA-2020:1216
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1150 https://access.redhat.com/errata/RHSA-2020:1150
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2020:1296 https://access.redhat.com/errata/RHSA-2020:1296
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2020:1300 https://access.redhat.com/errata/RHSA-2020:1300
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:1352 https://access.redhat.com/errata/RHSA-2020:1352
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1358 https://access.redhat.com/errata/RHSA-2020:1358
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1505 https://access.redhat.com/errata/RHSA-2020:1505
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2472 https://access.redhat.com/errata/RHSA-2020:2472