INFSA-2024:6964: virt:rhel and virt-devel:rhel security update
Information about definition
Identifier: INFSA-2024:6964
Type: security
Release date: 2024-10-11 09:37:47 UTC
Information about package
Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.
Vulnerabilities description
- CVE-2024-3446
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.
- CVE-2024-7383
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
- CVE-2024-7409
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
Severity level
CVE | CVSS 2.0 score | CVSS 3.x score | CVSS 4.0 score
---|---|---|---
NIST — CVE-2024-3446 | no information | 8.2 | no information
NIST — CVE-2024-7383 | no information | 7.4 | no information
NIST — CVE-2024-7409 | no information | 7.5 | no information
Updated packages