Bug 1496879 (CVE-2017-15268) - CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC
Summary: CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1500749 1500751 (view as bug list)
Depends On: 1496881 1496882 1518650 1518651 1518711
Blocks: 1496886
TreeView+ depends on / blocked
 
Reported: 2017-09-28 17:26 UTC by Pedro Sampaio
Modified: 2019-09-29 14:23 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:26:20 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0816 0 None None None 2018-04-10 08:24:11 UTC
Red Hat Product Errata RHSA-2018:1104 0 None None None 2018-04-10 18:57:48 UTC

Description Pedro Sampaio 2017-09-28 17:26:46 UTC 
Quick Emulator(Qemu) built with the I/O channels websockets support is
vulnerable to a memory leakage issue. It could occur while sending screen
updates to a client, which is slow to read and process them further.

A privileged guest user could use this flaw to cause a DoS on the host
and/or potentially crash the Qemu process instance on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html

References:
-----------
  -> https://bugs.launchpad.net/bugs/1718964
  -> http://www.openwall.com/lists/oss-security/2017/10/12/4
Comment 1 Pedro Sampaio 2017-09-28 17:27:49 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1496882]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1496881]
Comment 2 Joshua Padman 2017-10-11 03:21:17 UTC 
Closing as wontfix. OSP12 should consume from platform and will take the packages, fixed or not from there.

Reasoning:
Openstack uses websockify.py to provide the websockets for the vnc console (as consumed by novnc in dashboard). 
The default qemu command, as run by OpenStack is as follows:
"/usr/libexec/qemu-kvm -name ..... -vnc 0.0.0.0:0 ..... -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on"

The bug is in the websocket portion of vnc provided by qemu, which is not used by OpenStack by default.
Comment 4 Prasad Pandit 2017-10-11 12:11:02 UTC 
*** Bug 1500749 has been marked as a duplicate of this bug. ***
Comment 5 Prasad Pandit 2017-10-11 12:11:13 UTC 
*** Bug 1500751 has been marked as a duplicate of this bug. ***
Comment 6 Albert Lynncn 2017-10-16 21:13:26 UTC 
At first, we thought the bug is in QEMU's websocket code, so we tried to use a standalone websocket proxy (websockify). Unfortunately, problems persisted.

We also tried various other VNC servers (with websockify), all of them works fine. It seems that the underlying problem is in the QEMU's VNC/RFB implementation.

Therefore, if you use OpenStack, you will also experience memory exhaustion on the controller node(which nova-novncproxy/websockify runs on by default).
Comment 7 Fedora Update System 2017-11-07 22:12:58 UTC 
qemu-2.9.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2017-11-11 02:58:23 UTC 
qemu-2.10.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 errata-xmlrpc 2018-04-10 08:23:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:0816
Comment 12 errata-xmlrpc 2018-04-10 18:57:25 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1104
Note You need to log in before you can comment on or make changes to this bug.