CVE-2024-7409 - Vulnerability Details

A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Advanced Virtualization Enterprise Linux Openshift Rhel Eus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
virt-devel:rhel-8100020240905091210.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:6964	2024-09-24T00:00:00Z
virt:rhel-8100020240905091210.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:6964	2024-09-24T00:00:00Z
Red Hat Enterprise Linux 9
qemu-kvm-17:9.0.0-10.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9136	2024-11-12T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
qemu-kvm-17:7.2.0-14.el9_2.14	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:7408	2024-10-01T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
qemu-kvm-17:8.2.0-11.el9_4.8	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:9912	2024-11-19T00:00:00Z
Red Hat OpenShift Container Platform 4.13
rhcos-413.92.202411212100-0	cpe:/a:redhat:openshift:4.13::el9	RHSA-2024:10813	2024-12-12T00:00:00Z
rhcos-413.92.202409180051-0	cpe:/a:redhat:openshift:4.13::el9	RHSA-2024:6811	2024-09-25T00:00:00Z
Red Hat OpenShift Container Platform 4.14
rhcos-414.92.202411130444-0	cpe:/a:redhat:openshift:4.14::el9	RHSA-2024:9620	2024-11-20T00:00:00Z
Red Hat OpenShift Container Platform 4.15
rhcos-415.92.202409162258-0	cpe:/a:redhat:openshift:4.15::el9	RHSA-2024:6818	2024-09-25T00:00:00Z
rhcos-415.92.202411050056-0	cpe:/a:redhat:openshift:4.15::el9	RHSA-2024:8991	2024-11-13T00:00:00Z
Red Hat OpenShift Container Platform 4.16
rhcos-416.94.202411261619-0	cpe:/a:redhat:openshift:4.16::el9	RHSA-2024:10528	2024-12-04T00:00:00Z
Red Hat OpenShift Container Platform 4.17
rhcos-417.94.202411261220-0	cpe:/a:redhat:openshift:4.17::el9	RHSA-2024:10518	2024-12-03T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:10518
https://access.redhat.com/errata/RHSA-2024:10528
https://access.redhat.com/errata/RHSA-2024:10813
https://access.redhat.com/errata/RHSA-2024:6811
https://access.redhat.com/errata/RHSA-2024:6818
https://access.redhat.com/errata/RHSA-2024:6964
https://access.redhat.com/errata/RHSA-2024:7408
https://access.redhat.com/errata/RHSA-2024:8991
https://access.redhat.com/errata/RHSA-2024:9136
https://access.redhat.com/errata/RHSA-2024:9620
https://access.redhat.com/errata/RHSA-2024:9912
https://access.redhat.com/security/cve/CVE-2024-7409
https://bugzilla.redhat.com/show_bug.cgi?id=2302487
https://nvd.nist.gov/vuln/detail/CVE-2024-7409
https://www.cve.org/CVERecord?id=CVE-2024-7409

History

Thu, 12 Dec 2024 04:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2024:10813

Wed, 04 Dec 2024 08:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.16::el9
References		https://access.redhat.com/errata/RHSA-2024:10528

Tue, 03 Dec 2024 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.17::el9
References		https://access.redhat.com/errata/RHSA-2024:10518

Fri, 22 Nov 2024 15:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4

Thu, 21 Nov 2024 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.14::el8 cpe:/a:redhat:openshift:4.14::el9 cpe:/a:redhat:rhel_eus:9.4::appstream
References		https://access.redhat.com/errata/RHSA-2024:8991 https://access.redhat.com/errata/RHSA-2024:9620 https://access.redhat.com/errata/RHSA-2024:9912

Wed, 13 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9

Tue, 12 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2024:9136

Tue, 01 Oct 2024 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.2

Tue, 01 Oct 2024 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.2::appstream
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2024:7408

Wed, 25 Sep 2024 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.15::el8 cpe:/a:redhat:openshift:4.15::el9
References		https://access.redhat.com/errata/RHSA-2024:6818

Wed, 25 Sep 2024 05:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openshift:4~~	cpe:/a:redhat:openshift:4.13::el8 cpe:/a:redhat:openshift:4.13::el9
References		https://access.redhat.com/errata/RHSA-2024:6811

Tue, 24 Sep 2024 11:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Tue, 24 Sep 2024 08:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb
References		https://access.redhat.com/errata/RHSA-2024:6964

Tue, 06 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-05T13:19:27.498Z

Updated: 2024-12-12T03:50:24.208Z

Reserved: 2024-08-02T12:25:13.211Z

Link: CVE-2024-7409

Vulnrichment

Updated: 2024-08-06T20:17:06.370Z

NVD

Status : Awaiting Analysis

Published: 2024-08-05T14:15:35.813

Modified: 2024-12-12T04:15:08.177

Link: CVE-2024-7409

Redhat

Severity : Moderate

Publid Date: 2024-08-02T11:05:09Z

Links: CVE-2024-7409 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7409", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-08-02T12:25:13.211Z", "datePublished": "2024-08-05T13:19:27.498Z", "dateUpdated": "2024-12-12T03:50:24.208Z"}, "containers": {"cna": {"title": "Qemu: denial of service via improper synchronization in qemu nbd server during socket closure", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "affected", "versions": [{"version": "17:9.0.0-10.el9_5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "affected", "versions": [{"version": "17:7.2.0-14.el9_2.14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "affected", "versions": [{"version": "17:8.2.0-11.el9_4.8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "413.92.202411212100-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "413.92.202409180051-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "414.92.202411130444-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el8", "cpe:/a:redhat:openshift:4.14::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "415.92.202409162258-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "415.92.202411050056-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "416.94.202411261619-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.16::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.17", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "417.94.202411261220-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.17::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "qemu-kvm-ma", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:8.2/qemu-kvm", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:av/qemu-kvm", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:8.2/qemu-kvm", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:av/qemu-kvm", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:10518", "name": "RHSA-2024:10518", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:10528", "name": "RHSA-2024:10528", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:10813", "name": "RHSA-2024:10813", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6811", "name": "RHSA-2024:6811", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6818", "name": "RHSA-2024:6818", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6964", "name": "RHSA-2024:6964", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:7408", "name": "RHSA-2024:7408", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8991", "name": "RHSA-2024:8991", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9136", "name": "RHSA-2024:9136", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9620", "name": "RHSA-2024:9620", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9912", "name": "RHSA-2024:9912", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7409", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302487", "name": "RHBZ#2302487", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-08-02T11:05:09+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-662", "description": "Improper Synchronization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-662: Improper Synchronization", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-08-02T10:54:41+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-02T11:05:09+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-12T03:50:24.208Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T20:16:55.295801Z", "id": "CVE-2024-7409", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:17:14.655Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-06T20:16:55.295801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:17:06.370Z"}}], "cna": {"title": "Qemu: denial of service via improper synchronization in qemu nbd server during socket closure", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt-devel:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "17:9.0.0-10.el9_5", "lessThan": "*", "versionType": "rpm"}], "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "versions": [{"status": "unaffected", "version": "17:7.2.0-14.el9_2.14", "lessThan": "*", "versionType": "rpm"}], "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "versions": [{"status": "unaffected", "version": "17:8.2.0-11.el9_4.8", "lessThan": "*", "versionType": "rpm"}], "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "versions": [{"status": "unaffected", "version": "413.92.202411212100-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el8", "cpe:/a:redhat:openshift:4.13::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "versions": [{"status": "unaffected", "version": "413.92.202409180051-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.14::el8", "cpe:/a:redhat:openshift:4.14::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "versions": [{"status": "unaffected", "version": "414.92.202411130444-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "versions": [{"status": "unaffected", "version": "415.92.202409162258-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el9", "cpe:/a:redhat:openshift:4.15::el8"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "versions": [{"status": "unaffected", "version": "415.92.202411050056-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.16::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "versions": [{"status": "unaffected", "version": "416.94.202411261619-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.17::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.17", "versions": [{"status": "unaffected", "version": "417.94.202411261220-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "qemu-kvm-ma", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt:8.2/qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt:av/qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt-devel:8.2/qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt-devel:av/qemu-kvm", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-08-02T10:54:41+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-02T11:05:09+00:00", "value": "Made public."}], "datePublic": "2024-08-02T11:05:09+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:10518", "name": "RHSA-2024:10518", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:10528", "name": "RHSA-2024:10528", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:10813", "name": "RHSA-2024:10813", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6811", "name": "RHSA-2024:6811", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6818", "name": "RHSA-2024:6818", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6964", "name": "RHSA-2024:6964", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:7408", "name": "RHSA-2024:7408", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:8991", "name": "RHSA-2024:8991", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9136", "name": "RHSA-2024:9136", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9620", "name": "RHSA-2024:9620", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:9912", "name": "RHSA-2024:9912", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7409", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302487", "name": "RHBZ#2302487", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-662", "description": "Improper Synchronization"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-12-12T03:50:24.208Z"}, "x_redhatCweChain": "CWE-662: Improper Synchronization"}}, "cveMetadata": {"cveId": "CVE-2024-7409", "state": "PUBLISHED", "dateUpdated": "2024-12-12T03:50:24.208Z", "dateReserved": "2024-08-02T12:25:13.211Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-08-05T13:19:27.498Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el servidor QEMU NBD. Esta vulnerabilidad permite un ataque de denegaci\u00f3n de servicio (DoS) a trav\u00e9s de una sincronizaci\u00f3n incorrecta durante el cierre del socket cuando un cliente mantiene un socket abierto mientras el servidor se desconecta."}], "id": "CVE-2024-7409", "lastModified": "2024-12-12T04:15:08.177", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-08-05T14:15:35.813", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:10518"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:10528"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:10813"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6811"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6818"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6964"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:7408"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8991"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:9136"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:9620"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:9912"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-7409"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302487"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-662"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt-devel:rhel-8100020240905091210.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8100020240905091210.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:9136", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "qemu-kvm-17:9.0.0-10.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:7408", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "qemu-kvm-17:7.2.0-14.el9_2.14", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:9912", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "qemu-kvm-17:8.2.0-11.el9_4.8", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-11-19T00:00:00Z"}, {"advisory": "RHSA-2024:10813", "cpe": "cpe:/a:redhat:openshift:4.13::el9", "package": "rhcos-413.92.202411212100-0", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:6811", "cpe": "cpe:/a:redhat:openshift:4.13::el9", "package": "rhcos-413.92.202409180051-0", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2024-09-25T00:00:00Z"}, {"advisory": "RHSA-2024:9620", "cpe": "cpe:/a:redhat:openshift:4.14::el9", "package": "rhcos-414.92.202411130444-0", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-11-20T00:00:00Z"}, {"advisory": "RHSA-2024:6818", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "rhcos-415.92.202409162258-0", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-09-25T00:00:00Z"}, {"advisory": "RHSA-2024:8991", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "rhcos-415.92.202411050056-0", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:10528", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "rhcos-416.94.202411261619-0", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10518", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "rhcos-417.94.202411261220-0", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2024-12-03T00:00:00Z"}], "bugzilla": {"description": "QEMU: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure", "id": "2302487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302487"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-662", "details": ["A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.", "A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-7409", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt-devel:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt-devel:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}], "public_date": "2024-08-02T11:05:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7409\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7409"], "statement": "This issue is classified as Moderate severity rather than Important because it primarily results in a denial of service condition rather than a more crucial impact such as data corruption, unauthorized access, or system compromise. The NULL pointer dereference occurs under specific conditions where the NBD server is stopped before nbd_blockdev_client_closed is called, which leads to a segmentation fault and crash of the QEMU process. However, this scenario is mitigated by the fact that it requires a particular sequence of events involving client connection handling and server shutdown. Additionally, proper network segmentation and the use of secure client connections can further reduce the likelihood of this issue being exploited.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object