CVE-2023-3354
Publication date 11 July 2023
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Read the notes from the security team
Why is this CVE low priority?
Limited to a denial of service in the VNC server component.
Status
Package | Ubuntu Release | Status |
---|---|---|
qemu | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Fixed 1:6.2+dfsg-2ubuntu6.16
|
|
20.04 LTS focal |
Fixed 1:4.2-3ubuntu6.28
|
|
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed |
Notes
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6567-1
- QEMU vulnerabilities
- 8 January 2024