RHEL 7 : qemu-kvm (RHSA-2017:1856)

Low Nessus Plugin ID 102145


The remote Red Hat host is missing one or more security updates.


An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM.

Security Fix(es) :

* An out-of-bounds memory access issue was found in Quick Emulator (QEMU) in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. (CVE-2017-2633)

* An integer overflow flaw was found in Quick Emulator (QEMU) in the CCID Card device support. The flaw could occur while passing messages via command/response packets to and from the host. A privileged user inside a guest could use this flaw to crash the QEMU process.

* An information exposure flaw was found in Quick Emulator (QEMU) in Task Priority Register (TPR) optimizations for 32-bit Windows guests.
The flaw could occur while accessing TPR. A privileged user inside a guest could use this issue to read portions of the host memory.

Red Hat would like to thank Li Qiang (360.cn Inc.) for reporting CVE-2017-5898 and Donghai Zdh (Alibaba Inc.) for reporting CVE-2016-4020.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.


Update the affected packages.

See Also






Plugin Details

Severity: Low

ID: 102145

File Name: redhat-RHSA-2017-1856.nasl

Version: $Revision: 3.1 $

Type: local

Agent: unix

Published: 2017/08/03

Modified: 2017/08/03

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Base Score: 6.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:qemu-img, p-cpe:/a:redhat:enterprise_linux:qemu-kvm, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/08/01

Reference Information

CVE: CVE-2016-4020, CVE-2017-2633, CVE-2017-5898

OSVDB: 137159, 151566, 152424

RHSA: 2017:1856