CVE-2022-36648 - QEMU UP TO 7.0.0 ROCKER DEVICE

[BelCloud]

Hello

https://vuldb.com/?id.237695

Does proxmox use the rocker device in any way or are we safe from this? Or can this bug be exploited even if we do not add such a rocker device ?
I couldn't find much information about it, but it seems to be high-severity.

Thank you

 

[BobhWasatch]

PVE 8 has Qemu 8.

 

[BelCloud]

Yes, but 7 is still supported.

 

[Neobin]

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36648

PVE 7.4 is on QEMU 7.2.0.

But, of course, you want to wait for an answer from a Proxmox developer to be absolutely sure.

 

[fiona]

Hi,
if you haven't added it explicitly via the custom arguments switch -args "-device rocker,<...>", the rocker device is not used by Proxmox VE.

 

[BelCloud]

Thank you!