Vulnerability Details : CVE-2014-3633
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.
Vulnerability category: OverflowDenial of service
Products affected by CVE-2014-3633
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:lts:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:*:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:libvirt:libvirt:1.2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3633
3.88%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3633
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:P |
8.6
|
4.9
|
NIST |
CWE ids for CVE-2014-3633
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3633
-
http://security.libvirt.org/2014/0004.html
Libvirt Security Notice: LSN-2014-0004Vendor Advisory
-
http://lists.opensuse.org/opensuse-updates/2014-10/msg00014.html
openSUSE-SU-2014:1290-1: moderate: update for libvirt
-
http://security.gentoo.org/glsa/glsa-201412-04.xml
libvirt: Multiple vulnerabilities (GLSA 201412-04) — Gentoo security
-
http://www.debian.org/security/2014/dsa-3038
Debian -- Security Information -- DSA-3038-1 libvirt
-
http://lists.opensuse.org/opensuse-updates/2014-10/msg00017.html
openSUSE-SU-2014:1293-1: moderate: update for libvirt
-
http://rhn.redhat.com/errata/RHSA-2014-1352.html
RHSA-2014:1352 - Security Advisory - Red Hat Customer Portal
-
http://www.ubuntu.com/usn/USN-2366-1
USN-2366-1: libvirt vulnerabilities | Ubuntu security notices
-
http://libvirt.org/git/?p=libvirt.git%3Ba=commitdiff%3Bh=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b
libvirt.org Git
Jump to