CVE-2024-4467
Public on 2024-07-02
Modified on 2024-08-23
Description
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service, or to reads from or writes to an existing external file.
HAQM Linux has assessed CVE-2024-4467 for qemu-kvm. For AL1, backporting the fix as well as all the dependent changes will increase technical complexity. This will in turn increase the risk associated with this change. This risk outweighs the risk associated with the CVE and HAQM Linux will not be shipping a patch for CVE-2024-4467 on AL1 at this point.
Note: HAQM recommends upgrading to HAQM Linux 2 or HAQM Linux 2023. As a matter of general security practice, HAQM recommends not relying on in-instance facilities for strong separation of privileges or data security compartments.
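The backing-file string of a qcow2 image is one place where a crafted image can carry such a `json:{}` specification. The checker below is an added example, not part of this advisory or of QEMU: it reads the backing-file fields at their documented offsets in the qcow2 header and flags an image whose backing file uses the `json:` pseudo-protocol before the file is handed to qemu-img on an unpatched host. The sample images are constructed inline for the test; `make_qcow2` builds only the header fields this check needs.

```python
from __future__ import annotations
import struct
import sys

# qcow2 header (documented QEMU format): magic "QFI\xfb", u32 version,
# u64 backing_file_offset at byte 8, u32 backing_file_size at byte 16.
QCOW2_MAGIC = b"QFI\xfb"
MAX_BACKING_LEN = 1023  # QEMU rejects longer backing-file names


def qcow2_backing_file(data: bytes) -> str | None:
    """Return the backing-file string of a qcow2 image, or None if it has none."""
    if len(data) < 24 or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    backing_offset, backing_size = struct.unpack(">QI", data[8:20])
    if backing_size == 0:
        return None
    if backing_size > MAX_BACKING_LEN or backing_offset + backing_size > len(data):
        raise ValueError("backing-file field out of bounds")
    return data[backing_offset:backing_offset + backing_size].decode("utf-8", "replace")


def is_suspicious_backing(name: str | None) -> bool:
    """True when the backing file is a json: block-device spec rather than a path."""
    return name is not None and name.lstrip().lower().startswith("json:")


def make_qcow2(backing: bytes | None) -> bytes:
    """Construct a minimal qcow2 header (not a usable disk) with the given backing string."""
    header = bytearray(104)  # size of a version-3 header
    header[:4] = QCOW2_MAGIC
    struct.pack_into(">I", header, 4, 3)  # version 3
    if backing:
        struct.pack_into(">QI", header, 8, len(header), len(backing))
        header += backing
    return bytes(header)


if __name__ == "__main__":
    # Usage: python check_qcow2.py image.qcow2  (exit status 1 when flagged)
    with open(sys.argv[1], "rb") as f:
        name = qcow2_backing_file(f.read(8192))
    print(f"backing file: {name!r}")
    sys.exit(1 if is_suspicious_backing(name) else 0)
```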
Severity
CVSS v3 Base Score: 7.8 (see the CVSS Scores table below)
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
HAQM Linux 2 - Core | qemu | 2024-08-14 | ALAS2-2024-2624 | Fixed |
HAQM Linux 1 | qemu-kvm | | | No Fix Planned |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
HAQM Linux | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |