Vulnerability Description
In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console input buffer grows without limit when data is sent to the microVM's standard input. The buffered data is held by the microVM emulation thread, so its memory use is bounded only by the host, and the process can occupy more host memory than intended. The fix (Firecracker 0.21.3 and 0.22.1) caps the buffer.
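The failure mode the advisory describes, as an added illustration that is not Firecracker's code: a toy serial-console input queue in the unbounded form (every byte from stdin is queued until the guest reads it) next to a bounded form that accepts only what fits and reports how much it took, so the host side can stop reading stdin until the guest drains the port. The type names, `MAX_PENDING` and the `flood` driver are assumptions made for this example.

```rust
// Added example (not from the Firecracker project): unbounded vs. bounded
// serial input queue. All names here are assumptions for illustration.
use std::collections::VecDeque;

/// Unbounded: every byte written to stdin is queued until the guest reads it,
/// so a guest that never drains the port lets the queue grow until host memory
/// runs out. This is the shape of the bug described above.
pub struct UnboundedSerialInput {
    pending: VecDeque<u8>,
}

impl UnboundedSerialInput {
    pub fn new() -> Self {
        Self { pending: VecDeque::new() }
    }
    /// Accepts everything; returns the number of bytes queued.
    pub fn enqueue(&mut self, data: &[u8]) -> usize {
        self.pending.extend(data);
        data.len()
    }
    pub fn pending_len(&self) -> usize {
        self.pending.len()
    }
}

/// Fixed capacity for the bounded queue (assumed value for the example).
pub const MAX_PENDING: usize = 64;

/// Bounded: enqueue takes only as many bytes as fit and returns that count,
/// so the caller can apply backpressure (stop polling stdin) while full.
pub struct BoundedSerialInput {
    pending: VecDeque<u8>,
}

impl BoundedSerialInput {
    pub fn new() -> Self {
        Self { pending: VecDeque::with_capacity(MAX_PENDING) }
    }
    /// Returns how many bytes were accepted; the rest must be retried later.
    pub fn enqueue(&mut self, data: &[u8]) -> usize {
        let room = MAX_PENDING - self.pending.len();
        let take = data.len().min(room);
        self.pending.extend(&data[..take]);
        take
    }
    /// The guest side draining the port frees room for more input.
    pub fn read_byte(&mut self) -> Option<u8> {
        self.pending.pop_front()
    }
    pub fn pending_len(&self) -> usize {
        self.pending.len()
    }
    pub fn is_full(&self) -> bool {
        self.pending.len() == MAX_PENDING
    }
}

/// Simulates a host feeding `chunks` pieces of stdin data to a guest that
/// never reads the console. Returns (unbounded queue size, bounded queue size).
pub fn flood(chunks: usize, chunk: &[u8]) -> (usize, usize) {
    let mut unbounded = UnboundedSerialInput::new();
    let mut bounded = BoundedSerialInput::new();
    for _ in 0..chunks {
        unbounded.enqueue(chunk);
        // With backpressure the host stops reading stdin once the queue is full.
        if !bounded.is_full() {
            bounded.enqueue(chunk);
        }
    }
    (unbounded.pending_len(), bounded.pending_len())
}

fn main() {
    let (u, b) = flood(1000, b"xxxxxxxxxx");
    println!("unbounded queued {u} bytes, bounded queued {b} bytes");
}
```

The point of the bounded variant is the return value of `enqueue`: a caller that ignores it (or has no way to stop reading stdin) has no backpressure, and the only remaining limit is host memory.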
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Firecracker | < 0.21.3 |
| Amazon | Firecracker | 0.22.x < 0.22.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/10/23/1 (Third Party Advisory)
- https://github.com/firecracker-microvm/firecracker/issues/2177 (Third Party Advisory)
- https://github.com/firecracker-microvm/firecracker/pull/2178 (Patch, Third Party Advisory)
- https://github.com/firecracker-microvm/firecracker/pull/2179 (Patch, Third Party Advisory)
FAQ
What is CVE-2020-27174?
CVE-2020-27174 is a vulnerability with a CVSS score of 7.5 (HIGH). In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host.
How severe is CVE-2020-27174?
CVE-2020-27174 has been rated HIGH with a CVSS base score of 7.5/10; the base score is the only CVSS detail this page carries.
Is there a patch for CVE-2020-27174?
Yes. The fixed releases are Firecracker 0.21.3 (for the 0.21.x line) and 0.22.1 (for the 0.22.x line); the patch pull requests are listed in the references section above. Affected products: Amazon Firecracker.