Bug 1496879 (CVE-2017-15268)
Summary: | CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | ailan, amit, apevec, areis, berrange, bmcclain, cfergeau, chrisw, dblechte, drjones, dwmw2, eedri, imammedo, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, lynncn1, markmc, m.a.young, mburns, mgoldboi, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, rbryant, rjones, rkrcmar, robinlee.sysu, sclewis, sherold, slinaber, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint, ykaul |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 03:26:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1496881, 1496882, 1518650, 1518651, 1518711 | ||
Bug Blocks: | 1496886 |
Description
Pedro Sampaio
2017-09-28 17:26:46 UTC
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1496882] Created xen tracking bugs for this issue: Affects: fedora-all [bug 1496881] Closing as wontfix. OSP12 should consume from platform and will take the packages, fixed or not from there. Reasoning: Openstack uses websockify.py to provide the websockets for the vnc console (as consumed by novnc in dashboard). The default qemu command, as run by OpenStack is as follows: "/usr/libexec/qemu-kvm -name ..... -vnc 0.0.0.0:0 ..... -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on" The bug is in the websocket portion of vnc provided by qemu, which is not used by OpenStack by default. *** Bug 1500749 has been marked as a duplicate of this bug. *** *** Bug 1500751 has been marked as a duplicate of this bug. *** At first, we thought the bug is in QEMU's websocket code, so we tried to use a standalone websocket proxy (websockify). Unfortunately, problems persisted. We also tried various other VNC servers (with websockify), all of them works fine. It seems that the underlying problem is in the QEMU's VNC/RFB implementation. Therefore, if you use OpenStack, you will also experience memory exhaustion on the controller node(which nova-novncproxy/websockify runs on by default). qemu-2.9.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. qemu-2.10.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:0816 This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1104 |