CVE-2024-4467

Qemu-kvm: 'qemu-img info' leads to host file read/write

Description

A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2024:4276	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4277	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4278	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4372	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4373	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4374	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4420	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4724	vendor advisory
https://access.redhat.com/errata/RHSA-2024:4727	vendor advisory
https://access.redhat.com/security/cve/CVE-2024-4467	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2278875	issue tracking
http://www.openwall.com/lists/oss-security/2024/07/23/2
https://security.netapp.com/advisory/ntap-20240822-0005/

Frequently Asked Questions

What is the severity of CVE-2024-4467?: CVE-2024-4467 has been scored as a high severity vulnerability.
How to fix CVE-2024-4467?: To fix CVE-2024-4467, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-4467 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-4467 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-4467?: CVE-2024-4467 affects Red Hat Advanced Virtualization for RHEL 8.2.1, Red Hat Advanced Virtualization for RHEL 8.4.0.EUS, Red Hat Advanced Virtualization for RHEL 8.4.0.EUS, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service, Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Red Hat Enterprise Linux 10, Red Hat Red Hat Enterprise Linux 6, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Enterprise Linux 8 Advanced Virtualization, Red Hat Red Hat OpenShift Virtualization 4.

Description

Category

CWE-400 – Uncontrolled Resource Consumption

References

Frequently Asked Questions