CVE-2019-8934 — Resource Exposure in Qemu

CWE-668 — Resource Exposure CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 71.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Opensuse Leap

Timeline

PublishedMar 21

Latest updateMay 13

Description

hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/qemu< qemu 1:4.1-1 (bookworm)

▶Debianqemu/qemu< 1:4.1-1+3

▶NVDqemu/qemu3.1.0

▶NVDopensuse/leap15.0, 42.3+1

Patches

Patch: www.openwall.com ↗Patch: lists.gnu.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-wcm6-f8w6-w5fj: hw/ppc/spapr↗2022-05-13

▶

OSV

CVE-2019-8934: hw/ppc/spapr↗2019-03-21

▶

📋Vendor Advisories

Red Hat

QEMU: ppc64: sPAPR emulator leaks the host hardware identity↗2019-02-02

▶

Debian

CVE-2019-8934: qemu - hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hyp...↗2019

▶

💬Community

Bugzilla

CVE-2019-8934 qemu: ppc64: sPAPR emulator leaks the host hardware identity [fedora-all]↗2019-02-21

▶

Bugzilla

CVE-2019-8934 QEMU: ppc64: sPAPR emulator leaks the host hardware identity↗2019-01-21

▶