CVE-2022-36648 - QEMU UP TO 7.0.0 ROCKER DEVICE

BelCloud · Aug 26, 2023

Hello

https://vuldb.com/?id.237695

Does proxmox use the rocker device in any way or are we safe from this? Or can this bug be exploited even if we do not add such a rocker device ?
I couldn't find much information about it, but it seems to be high-severity.

Thank you

BobhWasatch · Aug 27, 2023

PVE 8 has Qemu 8.

BelCloud · Aug 27, 2023

Yes, but 7 is still supported.

Neobin · Aug 27, 2023

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36648

PVE 7.4 is on QEMU 7.2.0.

But, of course, you want to wait for an answer from a Proxmox developer to be absolutely sure.

fiona · Aug 28, 2023

Hi,
if you haven't added it explicitly via the custom arguments switch -args "-device rocker,<...>", the rocker device is not used by Proxmox VE.

BelCloud · Aug 28, 2023

Thank you!

Search

Search

CVE-2022-36648 - QEMU UP TO 7.0.0 ROCKER DEVICE

BelCloud

Renowned Member

BobhWasatch

Famous Member

BelCloud

Renowned Member

Neobin

Distinguished Member

fiona

Proxmox Staff Member

BelCloud

Renowned Member

We value your privacy