Vulnerability Description
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qemu | Qemu | <= 2.11.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102295
- https://access.redhat.com/errata/RHSA-2018:0816
- https://access.redhat.com/errata/RHSA-2018:1104
- https://access.redhat.com/errata/RHSA-2018:1113
- https://access.redhat.com/errata/RHSA-2018:3062
- https://bugzilla.redhat.com/show_bug.cgi?id=1525195Issue TrackingThird Party Advisory
- https://usn.ubuntu.com/3575-1/
- https://www.debian.org/security/2018/dsa-4213
- http://www.securityfocus.com/bid/102295
- https://access.redhat.com/errata/RHSA-2018:0816
- https://access.redhat.com/errata/RHSA-2018:1104
- https://access.redhat.com/errata/RHSA-2018:1113
- https://access.redhat.com/errata/RHSA-2018:3062
- https://bugzilla.redhat.com/show_bug.cgi?id=1525195Issue TrackingThird Party Advisory
- https://usn.ubuntu.com/3575-1/
FAQ
What is CVE-2017-15124?
CVE-2017-15124 is a vulnerability with a CVSS score of 7.5 (HIGH). VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its clien...
How severe is CVE-2017-15124?
CVE-2017-15124 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-15124?
Check the references section above for vendor advisories and patch information. Affected products include: Qemu Qemu.