CVE-2017-15119: Uncontrolled Resource Consumption in Qemu

Severity
NVD: 8.6 HIGH
CNA: 5.8
EPSS
1.6% (top 18.55%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 27
Latest update: May 13

Description

The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 4.0

Affected Packages (4 packages)

NVD: qemu/qemu < 2.11.0
Debian: qemu/qemu < 1:2.11+dfsg-1+3
CVEListV5: qemu/qemu 2.11

Also affects: Debian Linux 9.0, Ubuntu Linux 14.04, 16.04, 17.10

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-c329-xm38-f566: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2 (2022-05-13)
CVEList: CVE-2017-15119: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2 (2018-07-27)
OSV: CVE-2017-15119: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2 (2018-07-27)

📋 Vendor Advisories (3)

Ubuntu: QEMU vulnerabilities (2018-02-20)
Red Hat: qemu: DoS via large option request (2017-11-28)
Debian: CVE-2017-15119: qemu - The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vu... (2017)

💬 Community (3)

Bugzilla: CVE-2017-15119 qemu: DoS via large option request [epel-7] (2017-11-28)
Bugzilla: CVE-2017-15119 qemu: DoS via large option request [fedora-all] (2017-11-28)
Bugzilla: CVE-2017-15119 qemu: DoS via large option request (2017-11-23)