Lucene search
HistoryJul 11, 2023 - 5:15 p.m.
CVE-2023-3354
qemu
vnc server
remote unauthenticated
denial of service
cve-2023-3354
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.2%
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Affected configurations
Node
qemuqemuRange<8.1.0
ORqemuqemuMatch8.1.0rc0
ORqemuqemuMatch8.1.0rc1
Node
redhatopenstack_platformMatch13.0
ORredhatenterprise_linuxMatch7.0
ORredhatenterprise_linuxMatch8.0-
ORredhatenterprise_linuxMatch8.0advanced_virtualization
ORredhatenterprise_linuxMatch9.0
Node
fedoraprojectfedoraMatch38
CNA Affected
[
{
"product": "qemu",
"vendor": "n/a",
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 6",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "qemu-kvm",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "qemu-kvm",
"defaultStatus": "unaffected",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "qemu-kvm-ma",
"defaultStatus": "affected",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "virt:rhel/qemu-kvm",
"defaultStatus": "affected",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8 Advanced Virtualization",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "virt:av/qemu-kvm",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:advanced_virtualization:8::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "qemu-kvm",
"defaultStatus": "affected",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat OpenStack Platform 13 (Queens)",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "qemu-kvm-rhev",
"defaultStatus": "affected",
"cpes": [
"cpe:/a:redhat:openstack:13"
]
},
{
"product": "Fedora",
"vendor": "Fedora",
"collectionURL": "https://packages.fedoraproject.org/",
"packageName": "qemu",
"defaultStatus": "affected"
},
{
"product": "Extra Packages for Enterprise Linux",
"vendor": "Fedora",
"collectionURL": "https://packages.fedoraproject.org/",
"packageName": "qemu",
"defaultStatus": "unaffected"
}
]Related
alpinelinux
alpinelinux
CVE-2023-3354
2023-07-11 17:15:13
cbl_mariner
cbl_mariner
CVE-2023-3354 affecting package qemu for versions less than 8.2.0-1
2024-03-19 17:21:46
CVE-2023-3354 affecting package qemu for versions less than 6.2.0-19
2023-11-28 22:14:06
oraclelinux
oraclelinux
qemu-kvm security and bug fix update
2023-09-13 00:00:00
virt:ol and virt-devel:rhel security and bug fix update
2023-09-21 00:00:00
kvm_utils3 security update
2023-10-07 00:00:00
osv
osv
CVE-2023-3354
2023-07-11 17:15:13
Important: qemu-kvm security and bug fix update
2023-09-12 00:00:00
Important: virt:rhel and virt-devel:rhel security and bug fix update
2023-09-19 00:00:00
nvd
nvd
CVE-2023-3354
2023-07-11 17:15:13
debiancve
debiancve
CVE-2023-3354
2023-07-11 17:15:13
nessus
nessus
AlmaLinux 9 : qemu-kvm (ALSA-2023:5094)
2023-09-14 00:00:00
EulerOS 2.0 SP8 : qemu (EulerOS-SA-2023-3153)
2024-01-16 00:00:00
Oracle Linux 9 : qemu-kvm (ELSA-2023-5094)
2023-09-13 00:00:00
redhatcve
redhatcve
CVE-2023-3354
2023-06-28 11:17:06
cvelist
cvelist
openvas
openvas
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2023-3153)
2023-11-09 00:00:00
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2023-2973)
2023-10-13 00:00:00
Huawei EulerOS: Security Advisory for qemu-micro (EulerOS-SA-2023-3193)
2023-11-10 00:00:00
ubuntucve
ubuntucve
CVE-2023-3354
2023-07-11 00:00:00
redhat
redhat
(RHSA-2023:6227) Important: qemu-kvm security update
2023-11-01 08:58:37
(RHSA-2023:5094) Important: qemu-kvm security and bug fix update
2023-09-12 07:46:21
(RHSA-2023:5587) Important: virt:rhel security update
2023-10-10 13:59:54
redos
redos
ROS-20230825-05
2023-08-25 00:00:00
veracode
veracode
Denial Of Service (DoS)
2023-08-13 19:55:03
almalinux
almalinux
Important: qemu-kvm security and bug fix update
2023-09-12 00:00:00
Important: virt:rhel and virt-devel:rhel security and bug fix update
2023-09-19 00:00:00
prion
prion
Null pointer dereference
2023-07-11 17:15:00
debian
debian
[SECURITY] [DLA 3759-1] qemu security update
2024-03-11 17:27:07
fedora
fedora
[SECURITY] Fedora 38 Update: qemu-7.2.5-1.fc38
2023-08-29 01:35:27
ubuntu
ubuntu
QEMU vulnerabilities
2024-01-08 00:00:00
QEMU regression
2024-06-06 00:00:00
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.2%
Related for CVE-2023-3354