CVE-2015-4106 — MEDIUM (4.6)

Q: How severe is CVE-2015-4106?

CVE-2015-4106 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-4106?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Debian Debian Linux, Fedoraproject Fedora, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server.

Vulnerability Description

QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

CVSS Score

4.6

MEDIUM

AV:L/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Qemu	Qemu	<= 2.3.1
Debian	Debian Linux	7.0
Fedoraproject	Fedora	20
Suse	Linux Enterprise Desktop	11
Suse	Linux Enterprise Server	11
Suse	Linux Enterprise Software Development Kit	11
Citrix	Xenserver	6.0
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-863

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160154.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160171.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.htmlMailing ListThird Party Advisory
http://support.citrix.com/article/CTX201145Third Party Advisory
http://www.debian.org/security/2015/dsa-3284Third Party Advisory
http://www.debian.org/security/2015/dsa-3286Third Party Advisory
http://www.securityfocus.com/bid/74949Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1032467Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-2630-1Third Party Advisory
http://xenbits.xen.org/xsa/advisory-131.htmlThird Party Advisory
https://security.gentoo.org/glsa/201604-03Third Party Advisory

FAQ

What is CVE-2015-4106?

CVE-2015-4106 is a vulnerability with a CVSS score of 4.6 (MEDIUM). QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host cr...

How severe is CVE-2015-4106?

CVE-2015-4106 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-4106?

Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu, Debian Debian Linux, Fedoraproject Fedora, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server.