CVE-2014-0144 - Vulnerability Details

- Qemu: block: missing input validation

Description

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

Published: 2020-02-11

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:virtualization:3.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_openstack_platform:5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

Package	CPE	Advisory	Released Date
OpenStack 3 for RHEL 6
qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8	cpe:/a:redhat:openstack:3::el6	RHSA-2014:0435	2014-04-24T00:00:00Z
OpenStack 4 for RHEL 6
qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8	cpe:/a:redhat:openstack:4::el6	RHSA-2014:0434	2014-04-24T00:00:00Z
Red Hat Enterprise Linux 6
qemu-kvm-2:0.12.1.2-2.415.el6_5.8	cpe:/o:redhat:enterprise_linux:6	RHSA-2014:0420	2014-04-22T00:00:00Z
RHEV 3.X Hypervisor and Agents for RHEL-6
qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8	cpe:/a:redhat:enterprise_linux:6::hypervisor	RHSA-2014:0421	2014-04-22T00:00:00Z
rhev-hypervisor6-0:6.5-20140603.2.el6ev	cpe:/o:redhat:enterprise_linux:6::hypervisor	RHSA-2014:0674	2014-06-09T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-3044-1	qemu-kvm security update
Debian DSA	DSA-3045-1	qemu security update
EUVD	EUVD-2014-0203	QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.
Ubuntu USN	USN-2342-1	QEMU vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00642.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=24342f2cae47d03911e346fe1e520b00dc2818e0
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=2d51c32c4b511db8bb9e58208f1e2c25e4c06c85
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=63fa06dc978f3669dbfd9443b33cde9e2a7f4b41
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=6d4b9e55fc625514a38d27cff4b9933f617fa7dc
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=7b103b36d6ef3b11827c203d3a793bf7da50ecd6
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=97f1c45c6f456572e5b504b8614e4a69e23b8e3a
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=a1b3955c9415b1e767c130a2f59fee6aa28e575b
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ce48f2f441ca98885267af6fd636a7cb804ee646
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=d65f97a82c4ed48374a764c769d4ba1ea9724e97
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=f56b9bc3ae20fc93815b34aa022be919941406ce
http://rhn.redhat.com/errata/RHSA-2014-0420.html
http://rhn.redhat.com/errata/RHSA-2014-0421.html
https://bugzilla.redhat.com/show_bug.cgi?id=1079240
https://nvd.nist.gov/vuln/detail/CVE-2014-0144
https://www.cve.org/CVERecord?id=CVE-2014-0144
https://www.vulnerabilitycenter.com/#%21vul=44767

History

No history.

Subscriptions

Qemu Qemu

Redhat Enterprise Linux Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Openstack Platform Enterprise Linux Server Enterprise Linux Server Aus Enterprise Linux Server Tus Enterprise Linux Workstation Openstack Virtualization

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-02-11T02:13:14.000Z

Updated: 2024-08-06T09:05:38.961Z

Reserved: 2013-12-03T00:00:00.000Z

Link: CVE-2014-0144

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-29T03:15:11.087

Modified: 2024-11-21T02:01:28.347

Link: CVE-2014-0144

Redhat

Severity : Moderate

Publid Date: 2014-03-26T00:00:00Z

Links: CVE-2014-0144 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-20

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object