RHEL 9 : qemu-kvm (RHSA-2023:2162)

medium Nessus Plugin ID 175443

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2162 advisory.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The following packages have been upgraded to a later upstream version: qemu-kvm (7.2.0). (BZ#2111769, BZ#2135806)

Security Fix(es):

* QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion (CVE-2022-3165)

* QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record (CVE-2022-4172)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?96b85a17

http://www.nessus.org/u?ecefa061

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1860292

https://bugzilla.redhat.com/show_bug.cgi?id=1905805

https://bugzilla.redhat.com/show_bug.cgi?id=1963845

https://bugzilla.redhat.com/show_bug.cgi?id=1979276

https://bugzilla.redhat.com/show_bug.cgi?id=1983208

https://bugzilla.redhat.com/show_bug.cgi?id=1983493

https://bugzilla.redhat.com/show_bug.cgi?id=1986665

https://bugzilla.redhat.com/show_bug.cgi?id=2074000

https://bugzilla.redhat.com/show_bug.cgi?id=2077376

https://bugzilla.redhat.com/show_bug.cgi?id=2086980

https://bugzilla.redhat.com/show_bug.cgi?id=2087155

https://bugzilla.redhat.com/show_bug.cgi?id=2091166

https://bugzilla.redhat.com/show_bug.cgi?id=2108531

https://bugzilla.redhat.com/show_bug.cgi?id=2108923

https://bugzilla.redhat.com/show_bug.cgi?id=2111769

https://bugzilla.redhat.com/show_bug.cgi?id=2113840

https://bugzilla.redhat.com/show_bug.cgi?id=2116496

https://bugzilla.redhat.com/show_bug.cgi?id=2120480

https://bugzilla.redhat.com/show_bug.cgi?id=2121430

https://bugzilla.redhat.com/show_bug.cgi?id=2122788

https://bugzilla.redhat.com/show_bug.cgi?id=2123297

https://bugzilla.redhat.com/show_bug.cgi?id=2124446

https://bugzilla.redhat.com/show_bug.cgi?id=2124856

https://bugzilla.redhat.com/show_bug.cgi?id=2126095

https://bugzilla.redhat.com/show_bug.cgi?id=2127825

https://bugzilla.redhat.com/show_bug.cgi?id=2128222

https://bugzilla.redhat.com/show_bug.cgi?id=2128235

https://bugzilla.redhat.com/show_bug.cgi?id=2129739

https://bugzilla.redhat.com/show_bug.cgi?id=2131982

https://bugzilla.redhat.com/show_bug.cgi?id=2135806

https://bugzilla.redhat.com/show_bug.cgi?id=2136473

https://bugzilla.redhat.com/show_bug.cgi?id=2136797

https://bugzilla.redhat.com/show_bug.cgi?id=2137327

https://bugzilla.redhat.com/show_bug.cgi?id=2137330

https://bugzilla.redhat.com/show_bug.cgi?id=2137332

https://bugzilla.redhat.com/show_bug.cgi?id=2138242

https://bugzilla.redhat.com/show_bug.cgi?id=2141088

https://bugzilla.redhat.com/show_bug.cgi?id=2141218

https://bugzilla.redhat.com/show_bug.cgi?id=2143584

https://bugzilla.redhat.com/show_bug.cgi?id=2143585

https://bugzilla.redhat.com/show_bug.cgi?id=2144367

https://bugzilla.redhat.com/show_bug.cgi?id=2144436

https://bugzilla.redhat.com/show_bug.cgi?id=2148352

https://bugzilla.redhat.com/show_bug.cgi?id=2149022

https://bugzilla.redhat.com/show_bug.cgi?id=2149105

https://bugzilla.redhat.com/show_bug.cgi?id=2149191

https://bugzilla.redhat.com/show_bug.cgi?id=2150180

https://bugzilla.redhat.com/show_bug.cgi?id=2152977

https://bugzilla.redhat.com/show_bug.cgi?id=2154640

https://bugzilla.redhat.com/show_bug.cgi?id=2155112

https://bugzilla.redhat.com/show_bug.cgi?id=2155173

https://bugzilla.redhat.com/show_bug.cgi?id=2155748

https://bugzilla.redhat.com/show_bug.cgi?id=2155749

https://bugzilla.redhat.com/show_bug.cgi?id=2156515

https://bugzilla.redhat.com/show_bug.cgi?id=2156876

https://bugzilla.redhat.com/show_bug.cgi?id=2158704

https://bugzilla.redhat.com/show_bug.cgi?id=2159408

https://bugzilla.redhat.com/show_bug.cgi?id=2162569

https://bugzilla.redhat.com/show_bug.cgi?id=2168209

https://bugzilla.redhat.com/show_bug.cgi?id=2169232

https://bugzilla.redhat.com/show_bug.cgi?id=2169732

https://bugzilla.redhat.com/show_bug.cgi?id=2169904

https://bugzilla.redhat.com/show_bug.cgi?id=2173590

https://access.redhat.com/errata/RHSA-2023:2162

Plugin Details

Severity: Medium

ID: 175443

File Name: redhat-RHSA-2023-2162.nasl

Version: 1.5

Type: local

Agent: unix

Published: 5/12/2023

Updated: 11/7/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2022-3165

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-4172

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-display-virtio-gpu-pci, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-block-rbd, p-cpe:/a:redhat:enterprise_linux:qemu-img, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-display-virtio-vga, p-cpe:/a:redhat:enterprise_linux:qemu-kvm, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-usb-redirect, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-block-curl, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-usb-host, p-cpe:/a:redhat:enterprise_linux:qemu-pr-helper, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ui-opengl, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-display-virtio-gpu-ccw, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-docs, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-device-display-virtio-gpu, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-core, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ui-egl-headless, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-audio-pa, p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/9/2023

Vulnerability Publication Date: 10/17/2022

Reference Information

CVE: CVE-2022-3165, CVE-2022-4172

CWE: 190, 400

RHSA: 2023:2162