CVE-2023-4135 - OpenCVE

A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Qemu	Qemu
Redhat	Advanced Virtualization Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:qemu:qemu::::::::
	cpe:2.3:a:qemu:qemu:8.1.0:rc0::::::
	cpe:2.3:a:qemu:qemu:8.1.0:rc1::::::
	cpe:2.3:a:qemu:qemu:8.1.0:rc2::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-4135
https://bugzilla.redhat.com/show_bug.cgi?id=2229101
https://nvd.nist.gov/vuln/detail/CVE-2023-4135
https://security.netapp.com/advisory/ntap-20230915-0012/
https://www.cve.org/CVERecord?id=CVE-2023-4135
https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-08-04T13:19:15.760Z

Updated: 2024-08-02T07:17:11.930Z

Reserved: 2023-08-03T09:52:00.316Z

Link: CVE-2023-4135

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-04T14:15:12.173

Modified: 2023-12-11T18:35:03.667

Link: CVE-2023-4135

Redhat

Severity : Moderate

Publid Date: 2023-08-03T00:00:00Z

Links: CVE-2023-4135 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4135", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-03T09:52:00.316Z", "datePublished": "2023-08-04T13:19:15.760Z", "dateUpdated": "2024-08-02T07:17:11.930Z"}, "containers": {"cna": {"title": "Out-of-bounds read information disclosure vulnerability", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed."}], "affected": [{"product": "qemu-kvm", "vendor": "n/a", "versions": [{"version": "8.1.0", "status": "unaffected"}]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm-ma", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel/qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:av/qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "qemu", "defaultStatus": "affected"}, {"product": "Extra Packages for Enterprise Linux", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "qemu", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4135", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229101", "name": "RHBZ#2229101", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0012/"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521"}], "datePublic": "2023-08-03T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-125: Out-of-bounds Read", "timeline": [{"lang": "en", "time": "2023-08-03T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-08-03T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Trend Micro Zero Day Initiative for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-01-23T01:32:54.867Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:11.930Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4135", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229101", "name": "RHBZ#2229101", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230915-0012/", "tags": ["x_transferred"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "423C1B29-97E6-4574-84B0-1F68F1A65DAF", "versionEndExcluding": "8.1.0", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qemu:qemu:8.1.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "2F730D08-43CC-4FFC-9C37-42C1D69518E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:qemu:qemu:8.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D61909EC-7FFA-4600-86F9-E9AA303D2A63", "vulnerable": true}, {"criteria": "cpe:2.3:a:qemu:qemu:8.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8414D556-72A7-4082-AB77-5ADE46A31179", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de lectura de memoria fuera de los l\u00edmites en el dispositivo nvme virtual en QEMU. El proceso QEMU no valida un desplazamiento proporcionado por el invitado antes de calcular un puntero de la memoria del host, que se utiliza para copiar datos al invitado. Se puede revelar memoria arbitraria en relaci\u00f3n con un b\u00fafer asignado."}], "id": "CVE-2023-4135", "lastModified": "2023-12-11T18:35:03.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-08-04T14:15:12.173", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4135"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229101"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230915-0012/"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Trend Micro Zero Day Initiative for reporting this issue.", "bugzilla": {"description": "QEMU: NVMe: out-of-bounds read information disclosure vulnerability", "id": "2229101", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229101"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-125", "details": ["A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.", "A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed."], "name": "CVE-2023-4135", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-08-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4135\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4135\nhttps://www.zerodayinitiative.com/advisories/ZDI-CAN-21521"], "statement": "The `qemu-kvm` packages as shipped with Red Hat Enterprise Linux are not affected by this flaw as they do not include support for NVMe emulation.", "threat_severity": "Moderate", "upstream_fix": "qemu-kvm 8.1.0"}