Vulnerability Description
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Xen | Xen | 4.3.0 |
| Fedoraproject | Fedora | 20 |
| Canonical | Ubuntu Linux | 12.04 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154574.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154579.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155198.html
- http://lists.nongnu.org/archive/html/qemu-devel/2015-03/msg06179.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html
- http://support.citrix.com/article/CTX201145
- http://www.debian.org/security/2015/dsa-3259
- http://www.securityfocus.com/bid/72577
- http://www.securitytracker.com/id/1031998
- http://www.ubuntu.com/usn/USN-2608-1
- http://xenbits.xen.org/xsa/advisory-126.htmlVendor Advisory
- https://security.gentoo.org/glsa/201504-04
- https://support.citrix.com/article/CTX206006
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154574.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154579.html
FAQ
What is CVE-2015-2756?
CVE-2015-2756 is a vulnerability with a CVSS score of 4.9 (MEDIUM). QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and h...
How severe is CVE-2015-2756?
CVE-2015-2756 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2756?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Xen Xen, Fedoraproject Fedora, Canonical Ubuntu Linux.