CVE Vulnerabilities

CVE-2017-15119

Uncontrolled Resource Consumption

Published: Jul 27, 2018 | Modified: Nov 21, 2024
CVSS 3.x
8.6
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
4.3 MODERATE
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V3
5.8 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Ubuntu
MEDIUM

The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Qemu Qemu * 2.11.0 (excluding)
Red Hat OpenStack Platform 10.0 (Newton) RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Red Hat OpenStack Platform 11.0 (Ocata) RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Red Hat OpenStack Platform 12.0 (Pike) RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Red Hat OpenStack Platform 8.0 (Liberty) RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Red Hat OpenStack Platform 9.0 (Mitaka) RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 RedHat qemu-kvm-rhev-10:2.10.0-21.el7 *
Qemu Ubuntu artful *
Qemu Ubuntu esm-infra/xenial *
Qemu Ubuntu upstream *
Qemu Ubuntu xenial *
Qemu Ubuntu zesty *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References