CVE-2016-4020

The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

CVSS v3 6.5 MEDIUM
CVSS v2.0 2.1 LOW

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=691a02e2ce0c413236a78dee6f2651c937b09fb0
http://www.securityfocus.com/bid/86067	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2974-1	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1856	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2392	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2408	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1313686	Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html	Mailing List Third Party Advisory
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html	Patch Third Party Advisory
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html	Patch Third Party Advisory
https://security.gentoo.org/glsa/201609-01	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:redhat:openstack:6.0:::::::*
	cpe:2.3:a:redhat:openstack:7.0:::::::*
	cpe:2.3:a:redhat:openstack:8:::::::*
	cpe:2.3:a:redhat:openstack:9:::::::*
	cpe:2.3:a:redhat:openstack:10:::::::*
	cpe:2.3:a:redhat:openstack:11:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 5 (hide)

AND

cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

History

04 Aug 2021, 17:15

Type	Values Removed	Values Added
CPE	cpe:2.3:a:redhat:openstack:9.0:::::::* cpe:2.3:a:redhat:openstack:11.0:::::::* cpe:2.3:a:redhat:openstack:8.0:::::::*	cpe:2.3:a:redhat:openstack:11:::::::* cpe:2.3:a:redhat:openstack:8:::::::* cpe:2.3:a:redhat:openstack:9:::::::*

Information

Published : 2016-05-25 15:59

Updated : 2024-02-04 18:53

NVD link : CVE-2016-4020

Mitre link : CVE-2016-4020

CVE.ORG link : CVE-2016-4020

JSON object : View

Products Affected

redhat

enterprise_linux_server
enterprise_linux
virtualization
enterprise_linux_eus
enterprise_linux_server_tus
enterprise_linux_workstation
openstack
enterprise_linux_desktop
enterprise_linux_server_aus

qemu

qemu

canonical

ubuntu_linux

debian

debian_linux

CWE

NVD-CWE-noinfo

6.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

2.1 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2016-4020

6.5^/10

2.1^/10

Attach tags to `CVE-2016-4020`