Vulnerability CVE-2023-3354: Information

Description

A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-3354
Published: July 11, 2023
Modified: March 11, 2024
Error type identifier: CWE-476

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
qemusisyphus8.0.4-alt18.2.2-alt4ALT-PU-2023-5106-1327667Fixed
qemup108.0.4-alt1.p108.2.2-alt0.p10.1ALT-PU-2023-5241-3328289Fixed
qemuc10f18.0.4-alt1.p108.2.2-alt0.p10.1ALT-PU-2023-7183-2334310Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2216478
  • Issue Tracking
  • Patch
https://access.redhat.com/security/cve/CVE-2023-3354
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MURWGXDIF2WTDXV36T6HFJDBL632AO7R/
  • Mailing List
https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html

      1. Configuration 1

        cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
        End excliding
        8.1.0
        cpe:2.3:a:qemu:qemu:8.1.0:rc1:*:*:*:*:*:*
        cpe:2.3:a:qemu:qemu:8.1.0:rc0:*:*:*:*:*:*

        Configuration 2

        cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
        cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
        cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*
        cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
        cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

        Configuration 3

        cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.0
    Back to top