CVE-2022-0358
First published: Tue Jan 25 2022(Updated: )
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QEMU qemu | <6.2.0-7 | |
| Redhat Enterprise Linux | =8.0 | |
| ubuntu/qemu | <1:6.2+dfsg-2ubuntu6.2 | 1:6.2+dfsg-2ubuntu6.2 |
| ubuntu/qemu | <1:6.0+dfsg-2 | 1:6.0+dfsg-2 |
| redhat/qemu 6.2.0 | <7 | 7 |
| debian/qemu | 1:3.1+dfsg-8+deb10u8 1:3.1+dfsg-8+deb10u11 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u3 1:8.2.1+ds-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2022-0358
- https://bugzilla.redhat.com/show_bug.cgi?id=2044863
- https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
- https://security.netapp.com/advisory/ntap-20221007-0008/
- https://launchpad.net/bugs/cve/CVE-2022-0358
- https://access.redhat.com/security/cve/CVE-2018-13405
- https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg05364.html
- https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg05447.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2046202
- https://access.redhat.com/errata/RHSA-2022:0759
- https://access.redhat.com/errata/RHSA-2022:0886
- https://access.redhat.com/errata/RHSA-2022:0949
- https://access.redhat.com/errata/RHSA-2022:0971
- https://access.redhat.com/errata/RHSA-2022:0973
- https://access.redhat.com/security/cve/cve-2022-0358
- https://security-tracker.debian.org/tracker/CVE-2022-0358
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0358
- https://ubuntu.com/security/notices/USN-5307-1
- https://ubuntu.com/security/notices/USN-5489-1
- https://nvd.nist.gov/vuln/detail/CVE-2022-0358
- https://ubuntu.com/security/CVE-2022-0358
Frequently Asked Questions
What is CVE-2022-0358?
CVE-2022-0358 is a vulnerability in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation.
What is the severity of CVE-2022-0358?
CVE-2022-0358 has a severity score of 7.8 (high).
How does CVE-2022-0358 affect QEMU?
CVE-2022-0358 affects the QEMU software, specifically the virtio-fs shared file system daemon (virtiofsd) implementation.
What is the remedy for CVE-2022-0358?
The remedy for CVE-2022-0358 depends on the specific affected software version and source, please refer to the provided references for more information.
Where can I find more information about CVE-2022-0358?
You can find more information about CVE-2022-0358 in the provided references.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0358
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- vendor/qemu
- canonical/qemu qemu
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu