|Summary:||CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC|
|Product:||[Other] Security Response||Reporter:||Pedro Sampaio <psampaio>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||ailan, amitshah, apevec, areis, berrange, bmcclain, cfergeau, chrisw, dblechte, drjones, dwmw2, eedri, imammedo, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, lynncn1, markmc, m.a.young, mburns, mgoldboi, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, rbryant, rjones, rkrcmar, robinlee.sysu, sclewis, sherold, slinaber, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint, ykaul|
|Fixed In Version:||Doc Type:||Bug Fix|
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
|Last Closed:||2019-06-08 03:26:20 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1496881, 1496882, 1518650, 1518651, 1518711|
Description Pedro Sampaio 2017-09-28 17:26:46 UTC
Quick Emulator(Qemu) built with the I/O channels websockets support is vulnerable to a memory leakage issue. It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a DoS on the host and/or potentially crash the Qemu process instance on the host. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html References: ----------- -> https://bugs.launchpad.net/bugs/1718964 -> http://www.openwall.com/lists/oss-security/2017/10/12/4
Comment 1 Pedro Sampaio 2017-09-28 17:27:49 UTC
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1496882] Created xen tracking bugs for this issue: Affects: fedora-all [bug 1496881]
Comment 2 Joshua Padman 2017-10-11 03:21:17 UTC
Closing as wontfix. OSP12 should consume from platform and will take the packages, fixed or not from there. Reasoning: Openstack uses websockify.py to provide the websockets for the vnc console (as consumed by novnc in dashboard). The default qemu command, as run by OpenStack is as follows: "/usr/libexec/qemu-kvm -name ..... -vnc 0.0.0.0:0 ..... -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on" The bug is in the websocket portion of vnc provided by qemu, which is not used by OpenStack by default.
Comment 4 Prasad J Pandit 2017-10-11 12:11:02 UTC
*** Bug 1500749 has been marked as a duplicate of this bug. ***
Comment 5 Prasad J Pandit 2017-10-11 12:11:13 UTC
*** Bug 1500751 has been marked as a duplicate of this bug. ***
Comment 6 Albert Lynncn 2017-10-16 21:13:26 UTC
At first, we thought the bug is in QEMU's websocket code, so we tried to use a standalone websocket proxy (websockify). Unfortunately, problems persisted. We also tried various other VNC servers (with websockify), all of them works fine. It seems that the underlying problem is in the QEMU's VNC/RFB implementation. Therefore, if you use OpenStack, you will also experience memory exhaustion on the controller node(which nova-novncproxy/websockify runs on by default).
Comment 7 Fedora Update System 2017-11-07 22:12:58 UTC
qemu-2.9.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2017-11-11 02:58:23 UTC
qemu-2.10.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 errata-xmlrpc 2018-04-10 08:23:48 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:0816