In this report, we will provide a summary of the CVE issues that we have fixed in 2022 so far. CVE stands for Common Vulnerabilities and Exposures, which is a database of publicly disclosed information security issues. A CVE number uniquely identifies one vulnerability from the list. CVE provides a convenient, reliable way for vendors, enterprises, academics, and all other interested parties to exchange information about cyber security issues.

The following are the CVE issues that we have fixed in 2022:

  1. CVE-2021-3839: A flaw was found in the vhost library in DPDK. The function vhost_user_set_inflight_fd() does not validate msg->payload.inflight.num_queues, possibly causing an out-of-bounds memory read/write. Any software using the DPDK vhost library may crash as a result of this vulnerability. This issue was reported by Wenxiang Qian and has a CVSS score of 5.2 (Medium). We have fixed this issue by adding proper validation checks for msg->payload.inflight.num_queues and ensuring that it does not exceed the maximum number of queues supported by the device.

Link: https://access.redhat.com/security/cve/CVE-2021-3839

  2. CVE-2022-0669: A flaw was found in DPDK that allows a malicious primary vhost-user to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages, and the secondary vhost-user does not close them. By sending such messages continuously, the primary vhost-user exhausts the available fds in the vhost-user standby process, leading to a denial of service. This issue was reported by David Marchand and has a CVSS score of 6.5 (Medium). We have fixed this issue by limiting the number of fds that can be attached as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages and closing them properly after use.

Link: https://access.redhat.com/security/cve/CVE-2022-0669

  3. CVE-2022-2132: A permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service by sending a crafted Vhost header to DPDK. The copy_desc_to_mbuf() function assumed that the Vhost header would not span more than two descriptors. If a malicious guest sends a packet whose Vhost header crosses more than two descriptors, buf_avail becomes a very large number near 4G. All the mbufs are then allocated, so other guests' traffic is blocked. A malicious guest can thereby cause denial of service for the other guests running on the hypervisor. This issue was reported by Cong Wang and has a CVSS score of 8.6 (High). We have fixed this issue by checking the length of the Vhost header and ensuring that it does not cross more than two descriptors.

Link: https://access.redhat.com/security/cve/CVE-2022-2132
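
The buf_avail wrap-around described for CVE-2022-2132, shown as an added example that is not DPDK's code and not part of the original report. It is a simplified model: struct buf_vec as defined here, VHOST_HLEN and both function names are assumptions, and the descriptor chain is constructed. It shows how an unsigned subtraction yields the "near 4G" value and how a length check rejects the chain instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (assumption): only descriptor lengths matter here. */
struct buf_vec { uint32_t buf_len; };
#define VHOST_HLEN 12u /* assumed header size for this example */

/* Unchecked: assumes the header ends in descriptor 0 or 1
 * (v[1] is only read when v[0] is shorter than the header). */
static uint32_t payload_avail_unchecked(const struct buf_vec *v)
{
    if (v[0].buf_len >= VHOST_HLEN)
        return v[0].buf_len - VHOST_HLEN;
    uint32_t hdr_left = VHOST_HLEN - v[0].buf_len; /* header bytes still to skip */
    return v[1].buf_len - hdr_left; /* wraps when v[1] is shorter than hdr_left */
}

/* Checked: returns 0 and sets *avail, or -1 if the header does not
 * finish within the first two descriptors of an n-entry chain. */
static int payload_avail_checked(const struct buf_vec *v, size_t n, uint32_t *avail)
{
    if (n == 0)
        return -1;
    if (v[0].buf_len >= VHOST_HLEN) {
        *avail = v[0].buf_len - VHOST_HLEN;
        return 0;
    }
    uint32_t hdr_left = VHOST_HLEN - v[0].buf_len;
    if (n < 2 || v[1].buf_len < hdr_left)
        return -1; /* reject instead of computing a wrapped length */
    *avail = v[1].buf_len - hdr_left;
    return 0;
}

int main(void)
{
    /* Constructed chain: 12-byte header split 4 + 4 + 4 across three descriptors. */
    struct buf_vec crafted[] = { {4}, {4}, {1500} };
    uint32_t avail = 0;
    printf("unchecked: %u\n", (unsigned)payload_avail_unchecked(crafted));
    printf("checked rc: %d\n", payload_avail_checked(crafted, 3, &avail));
    return 0;
}
```
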

  4. CVE-2022-28199: A vulnerability was found in the DPDK package. Affected versions of this package are vulnerable to denial of service (DoS) attacks, affecting system availability. When a failure occurs in the mlx5 driver, error recovery is not handled properly, which can allow a remote attacker to cause denial of service and some impact to data integrity and confidentiality. This issue was reported by Thomas Monjalon and has a CVSS score of 6.5 (Medium). We have fixed this issue by improving the error recovery mechanism for the mlx5 driver and ensuring that it can handle failures gracefully.

Link: https://access.redhat.com/security/cve/CVE-2022-28199

We hope that this summary report helps you understand the CVE issues that we have fixed in 2022 and how we have addressed them. We are committed to providing high-quality software and security solutions for our customers and partners. If you have any questions or feedback, please feel free to contact us.