Bug 1496879 (CVE-2017-15268)

Summary: CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, amit, apevec, areis, berrange, bmcclain, cfergeau, chrisw, dblechte, drjones, dwmw2, eedri, imammedo, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, lynncn1, markmc, m.a.young, mburns, mgoldboi, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, rbryant, rjones, rkrcmar, robinlee.sysu, sclewis, sherold, slinaber, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:26:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1496881, 1496882, 1518650, 1518651, 1518711    
Bug Blocks: 1496886    

Description Pedro Sampaio 2017-09-28 17:26:46 UTC
Quick Emulator(Qemu) built with the I/O channels websockets support is
vulnerable to a memory leakage issue. It could occur while sending screen
updates to a client, which is slow to read and process them further.

A privileged guest user could use this flaw to cause a DoS on the host
and/or potentially crash the Qemu process instance on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html

References:
-----------
  -> https://bugs.launchpad.net/bugs/1718964
  -> http://www.openwall.com/lists/oss-security/2017/10/12/4

Comment 1 Pedro Sampaio 2017-09-28 17:27:49 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1496882]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1496881]

Comment 2 Joshua Padman 2017-10-11 03:21:17 UTC
Closing as wontfix. OSP12 should consume from platform and will take the packages, fixed or not from there.

Reasoning:
Openstack uses websockify.py to provide the websockets for the vnc console (as consumed by novnc in dashboard). 
The default qemu command, as run by OpenStack is as follows:
"/usr/libexec/qemu-kvm -name ..... -vnc 0.0.0.0:0 ..... -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on"

The bug is in the websocket portion of vnc provided by qemu, which is not used by OpenStack by default.

Comment 4 Prasad J Pandit 2017-10-11 12:11:02 UTC
*** Bug 1500749 has been marked as a duplicate of this bug. ***

Comment 5 Prasad J Pandit 2017-10-11 12:11:13 UTC
*** Bug 1500751 has been marked as a duplicate of this bug. ***

Comment 6 Albert Lynncn 2017-10-16 21:13:26 UTC
At first, we thought the bug is in QEMU's websocket code, so we tried to use a standalone websocket proxy (websockify). Unfortunately, problems persisted.

We also tried various other VNC servers (with websockify), all of them works fine. It seems that the underlying problem is in the QEMU's VNC/RFB implementation.

Therefore, if you use OpenStack, you will also experience memory exhaustion on the controller node(which nova-novncproxy/websockify runs on by default).

Comment 7 Fedora Update System 2017-11-07 22:12:58 UTC
qemu-2.9.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-11-11 02:58:23 UTC
qemu-2.10.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2018-04-10 08:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:0816

Comment 12 errata-xmlrpc 2018-04-10 18:57:25 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1104