Bug 1794290 (CVE-2020-1711)

Summary: CVE-2020-1711 QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: ailan, amit, areis, berrange, cfergeau, coli, dbecker, drjones, dwmw2, imammedo, itamar, jen, jferlan, jforbes, jinzhao, jjoyce, jmaloy, jschluet, juzhang, kbasil, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, rbalakri, ribarry, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, spower, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: QEMU 4.2.1
Doc Type: Bug Fix
Doc Text:
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
Last Closed: 2020-03-03 22:32:27 UTC
Bug Depends On: 1794494, 1794498, 1794499, 1794500, 1794501, 1794502, 1794503, 1794504, 1794505, 1794514, 1794515, 1794524, 1794587, 1798013, 1798014, 1798015, 1798017, 1798018, 1798019, 1798020, 1798021, 1798022, 1798023, 1798024, 1798025    
Bug Blocks: 1792846    

Description Prasad Pandit 2020-01-23 08:11:12 UTC
An out-of-bounds heap buffer access issue was found in the way the iSCSI Block driver
in QEMU handled a response coming from an iSCSI server while checking the
status of a Logical Address Block (LBA) in the iscsi_co_block_status() routine.

A remote user could use this flaw to crash the QEMU process, resulting in DoS, or
potentially execute arbitrary code with privileges of the QEMU process on the
host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-01/msg05535.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/01/23/3

Comment 2 Prasad Pandit 2020-01-23 17:36:32 UTC
Acknowledgments:

Name: Felipe Franciosi (nutanix.com), Raphael Norwitz (nutanix.com), Peter Turschmid (nutanix.com)

Comment 3 Prasad Pandit 2020-01-23 17:36:55 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1794494]

Comment 6 Prasad Pandit 2020-01-23 18:30:18 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1794524]

Comment 7 Prasad Pandit 2020-01-23 18:34:22 UTC
Statement:

This issue affects the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 8, Red Hat OpenStack, Red Hat Virtualization and Red Hat Enterprise Linux Advanced Virtualization 8.

Comment 8 spower 2020-02-03 14:35:31 UTC
Hi, do we have an update on this issue, as it will affect our container grades? Is someone actively working on a fix?

Comment 11 errata-xmlrpc 2020-03-03 15:18:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0669 https://access.redhat.com/errata/RHSA-2020:0669

Comment 12 Product Security DevOps Team 2020-03-03 22:32:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1711

Comment 13 errata-xmlrpc 2020-03-05 15:04:54 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2020:0730 https://access.redhat.com/errata/RHSA-2020:0730

Comment 14 errata-xmlrpc 2020-03-05 15:38:14 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:0731 https://access.redhat.com/errata/RHSA-2020:0731

Comment 15 errata-xmlrpc 2020-03-10 10:38:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:0773 https://access.redhat.com/errata/RHSA-2020:0773

Comment 16 errata-xmlrpc 2020-03-31 14:34:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:1216 https://access.redhat.com/errata/RHSA-2020:1216

Comment 17 errata-xmlrpc 2020-03-31 19:28:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1150 https://access.redhat.com/errata/RHSA-2020:1150

Comment 19 errata-xmlrpc 2020-04-02 10:01:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2020:1296 https://access.redhat.com/errata/RHSA-2020:1296

Comment 20 errata-xmlrpc 2020-04-02 10:26:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:1300 https://access.redhat.com/errata/RHSA-2020:1300

Comment 21 errata-xmlrpc 2020-04-07 10:27:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:1352 https://access.redhat.com/errata/RHSA-2020:1352

Comment 22 errata-xmlrpc 2020-04-07 14:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1358 https://access.redhat.com/errata/RHSA-2020:1358

Comment 24 errata-xmlrpc 2020-04-21 09:06:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1505 https://access.redhat.com/errata/RHSA-2020:1505

Comment 25 errata-xmlrpc 2020-06-10 09:25:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2472 https://access.redhat.com/errata/RHSA-2020:2472