Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 443
Alerts This Week
Warning Icon 1 443

Ubuntu 15.04: 2608-1 Moderate: QEMU Denial Of Service Flaws

ubuntu
Calendar Grey May 13, 2015
Dist Ubuntu Esm H88
This announcement details QEMU vulnerabilities in Ubuntu released on May 13, 2015, highlighting the identified issues and their corresponding fixes implemented.
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

- qemu-kvm: Machine emulator and virtualizer

Details:

Jason Geffner discovered that QEMU incorrectly handled the virtual floppy

driver. This issue is known as VENOM. A malicious guest could use this

issue to cause a denial of service, or possibly execute arbitrary code on

the host as the user running the QEMU process. In the default installation,

when QEMU is used with libvirt, attackers would be isolated by the libvirt

AppArmor profile. (CVE-2015-3456)

Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets.

A remote attacker could use this issue to cause QEMU to consume memory,

resulting in a denial of service. This issue only affected Ubuntu 14.04

LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)

Jan Beulich discovered that QEMU, when used with Xen, didn't properly

restrict access to PCI command registers. A malicious guest co...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  qemu-system                     1:2.2+dfsg-5expubuntu9.1
  qemu-system-aarch64             1:2.2+dfsg-5expubuntu9.1
  qemu-system-arm                 1:2.2+dfsg-5expubuntu9.1
  qemu-system-mips                1:2.2+dfsg-5expubuntu9.1
  qemu-system-misc                1:2.2+dfsg-5expubuntu9.1
  qemu-system-ppc                 1:2.2+dfsg-5expubuntu9.1
  qemu-system-sparc               1:2.2+dfsg-5expubuntu9.1
  qemu-system-x86                 1:2.2+dfsg-5expubuntu9.1

Ubuntu 14.10:
  qemu-system                     2.1+dfsg-4ubuntu6.6
  qemu-system-aarch64             2.1+dfsg-4ubuntu6.6
  qemu-system-arm                 2.1+dfsg-4ubuntu6.6
  qemu-system-mips                2.1+dfsg-4ubuntu6.6
  qemu-system-misc                2.1+dfsg-4ubuntu6.6
  qemu-system-ppc                 2.1+dfsg-4ubuntu6.6
  qemu-system-sparc               2.1+dfsg-4ubuntu6.6
  qemu-system-x86                 2.1+dfsg-4ubuntu6.6

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.11
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.11
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.11
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.11
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.11
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.11
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.11
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.11

Ubuntu 12.04 LTS:
  qemu-kvm                        1.0+noroms-0ubuntu14.22

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2608-1

CVE-2015-1779, CVE-2015-2756, CVE-2015-3456

Severity
important
Lowest
Low
Medium
High
Critical

May 13, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.