Bug 1944075 (CVE-2021-20295)

Summary: CVE-2021-20295 QEMU: Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: berrange, bmontgom, cfergeau, dbecker, eparis, jburrell, jen, jferlan, jjoyce, jmaloy, jnovy, jokerman, jschluet, knoel, lhh, lpeer, lsm5, marcandre.lureau, mburns, mkenneth, mrezanin, mst, nstielau, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, sponnaga, virt-maint
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: qemu-kvm 4.2.0-34
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.
Story Points: ---
Last Closed: 2021-04-05 17:35:22 UTC
Type: ---
Regression: ---
Bug Depends On: 1939493
Bug Blocks: 1944074, 1944081

Description Mauro Matteo Cascella 2021-03-29 08:55:29 UTC
It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression.

For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.

Comment 3 Mauro Matteo Cascella 2021-03-29 09:57:11 UTC
Statement:

This issue affects the versions of `qemu-kvm` as shipped with the Red Hat Enterprise Linux 8.3 release. The fix for the original CVE-2020-10756 issue was not included in the 8.3 release, leading to a security regression.

Comment 5 Mauro Matteo Cascella 2021-03-29 13:38:15 UTC
External References:

https://access.redhat.com/security/cve/CVE-2020-10756

Comment 6 errata-xmlrpc 2021-04-05 16:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1064 https://access.redhat.com/errata/RHSA-2021:1064

Comment 7 Product Security DevOps Team 2021-04-05 17:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20295