CVE-2017-13711: Use After Free
First published: Tue Aug 29 2017(Updated: )
Quick emulator(Qemu) built with the Slirp networking support is vulnerable to an use-after-free issue. It occurs due to Socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the Qemu process on the host resulting in DoS. Upstream patch: --------------- -> <a href="https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html">https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html</a> Reference: ---------- -> <a href="http://www.openwall.com/lists/oss-security/2017/08/29/6">http://www.openwall.com/lists/oss-security/2017/08/29/6</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QEMU KVM | <=2.10.1 | |
| Debian GNU/Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html
- http://www.openwall.com/lists/oss-security/2017/08/29/6
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1486401
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1508739
- https://access.redhat.com/errata/RHSA-2018:0816
- https://access.redhat.com/errata/RHSA-2018:1104
- https://access.redhat.com/errata/RHSA-2018:1113
- https://bugzilla.redhat.com/show_bug.cgi?id=1486400
- http://www.debian.org/security/2017/dsa-3991
- http://www.securityfocus.com/bid/100534
Frequently Asked Questions
What is the severity of CVE-2017-13711?
CVE-2017-13711 is classified as a high severity vulnerability that can lead to a denial-of-service (DoS) attack.
How do I fix CVE-2017-13711?
To fix CVE-2017-13711, update QEMU to version 2.10.2 or later that addresses this use-after-free vulnerability.
What products are affected by CVE-2017-13711?
CVE-2017-13711 affects QEMU versions up to and including 2.10.1 and Debian GNU/Linux 9.0.
What impact does CVE-2017-13711 have on my system?
Exploiting CVE-2017-13711 can cause the QEMU process to crash, resulting in service disruption.
Is there a workaround for CVE-2017-13711?
There are no effective workarounds for CVE-2017-13711; the best mitigation is to apply the available software update.
- agent/references
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-13711
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/description
- agent/event
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/qemu
- canonical/qemu kvm
- version/qemu kvm/2.10.1
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0