ALAS2-2023-2148

Amazon Linux 2 Security Advisory: ALAS2-2023-2148
Advisory Released Date: 2023-07-19
Advisory Updated Date: 2025-09-23

Severity: Medium

References: CVE-2021-3416 CVE-2023-2861
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)

9pfs: prevent opening special files: A malicious client could potentially escape from the exported 9p tree by creating and opening a device file on host side. (CVE-2023-2861)

Affected Packages:

qemu

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update qemu or yum update --advisory ALAS2-2023-2148 to update your system.

New Packages:

aarch64:
    qemu-3.1.0-8.amzn2.0.11.aarch64
    qemu-common-3.1.0-8.amzn2.0.11.aarch64
    qemu-guest-agent-3.1.0-8.amzn2.0.11.aarch64
    qemu-img-3.1.0-8.amzn2.0.11.aarch64
    ivshmem-tools-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-curl-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-dmg-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-iscsi-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-nfs-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-rbd-3.1.0-8.amzn2.0.11.aarch64
    qemu-block-ssh-3.1.0-8.amzn2.0.11.aarch64
    qemu-audio-alsa-3.1.0-8.amzn2.0.11.aarch64
    qemu-audio-oss-3.1.0-8.amzn2.0.11.aarch64
    qemu-audio-pa-3.1.0-8.amzn2.0.11.aarch64
    qemu-audio-sdl-3.1.0-8.amzn2.0.11.aarch64
    qemu-ui-curses-3.1.0-8.amzn2.0.11.aarch64
    qemu-ui-gtk-3.1.0-8.amzn2.0.11.aarch64
    qemu-ui-sdl-3.1.0-8.amzn2.0.11.aarch64
    qemu-kvm-3.1.0-8.amzn2.0.11.aarch64
    qemu-kvm-core-3.1.0-8.amzn2.0.11.aarch64
    qemu-user-3.1.0-8.amzn2.0.11.aarch64
    qemu-user-binfmt-3.1.0-8.amzn2.0.11.aarch64
    qemu-user-static-3.1.0-8.amzn2.0.11.aarch64
    qemu-system-aarch64-3.1.0-8.amzn2.0.11.aarch64
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.11.aarch64
    qemu-system-x86-3.1.0-8.amzn2.0.11.aarch64
    qemu-system-x86-core-3.1.0-8.amzn2.0.11.aarch64
    qemu-debuginfo-3.1.0-8.amzn2.0.11.aarch64

i686:
    qemu-3.1.0-8.amzn2.0.11.i686
    qemu-common-3.1.0-8.amzn2.0.11.i686
    qemu-guest-agent-3.1.0-8.amzn2.0.11.i686
    qemu-img-3.1.0-8.amzn2.0.11.i686
    ivshmem-tools-3.1.0-8.amzn2.0.11.i686
    qemu-block-curl-3.1.0-8.amzn2.0.11.i686
    qemu-block-dmg-3.1.0-8.amzn2.0.11.i686
    qemu-block-iscsi-3.1.0-8.amzn2.0.11.i686
    qemu-block-nfs-3.1.0-8.amzn2.0.11.i686
    qemu-block-ssh-3.1.0-8.amzn2.0.11.i686
    qemu-audio-alsa-3.1.0-8.amzn2.0.11.i686
    qemu-audio-oss-3.1.0-8.amzn2.0.11.i686
    qemu-audio-pa-3.1.0-8.amzn2.0.11.i686
    qemu-audio-sdl-3.1.0-8.amzn2.0.11.i686
    qemu-ui-curses-3.1.0-8.amzn2.0.11.i686
    qemu-ui-gtk-3.1.0-8.amzn2.0.11.i686
    qemu-ui-sdl-3.1.0-8.amzn2.0.11.i686
    qemu-kvm-3.1.0-8.amzn2.0.11.i686
    qemu-kvm-core-3.1.0-8.amzn2.0.11.i686
    qemu-user-3.1.0-8.amzn2.0.11.i686
    qemu-user-binfmt-3.1.0-8.amzn2.0.11.i686
    qemu-user-static-3.1.0-8.amzn2.0.11.i686
    qemu-system-aarch64-3.1.0-8.amzn2.0.11.i686
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.11.i686
    qemu-system-x86-3.1.0-8.amzn2.0.11.i686
    qemu-system-x86-core-3.1.0-8.amzn2.0.11.i686
    qemu-debuginfo-3.1.0-8.amzn2.0.11.i686

src:
    qemu-3.1.0-8.amzn2.0.11.src

x86_64:
    qemu-3.1.0-8.amzn2.0.11.x86_64
    qemu-common-3.1.0-8.amzn2.0.11.x86_64
    qemu-guest-agent-3.1.0-8.amzn2.0.11.x86_64
    qemu-img-3.1.0-8.amzn2.0.11.x86_64
    ivshmem-tools-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-curl-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-dmg-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-iscsi-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-nfs-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-rbd-3.1.0-8.amzn2.0.11.x86_64
    qemu-block-ssh-3.1.0-8.amzn2.0.11.x86_64
    qemu-audio-alsa-3.1.0-8.amzn2.0.11.x86_64
    qemu-audio-oss-3.1.0-8.amzn2.0.11.x86_64
    qemu-audio-pa-3.1.0-8.amzn2.0.11.x86_64
    qemu-audio-sdl-3.1.0-8.amzn2.0.11.x86_64
    qemu-ui-curses-3.1.0-8.amzn2.0.11.x86_64
    qemu-ui-gtk-3.1.0-8.amzn2.0.11.x86_64
    qemu-ui-sdl-3.1.0-8.amzn2.0.11.x86_64
    qemu-kvm-3.1.0-8.amzn2.0.11.x86_64
    qemu-kvm-core-3.1.0-8.amzn2.0.11.x86_64
    qemu-user-3.1.0-8.amzn2.0.11.x86_64
    qemu-user-binfmt-3.1.0-8.amzn2.0.11.x86_64
    qemu-user-static-3.1.0-8.amzn2.0.11.x86_64
    qemu-system-aarch64-3.1.0-8.amzn2.0.11.x86_64
    qemu-system-aarch64-core-3.1.0-8.amzn2.0.11.x86_64
    qemu-system-x86-3.1.0-8.amzn2.0.11.x86_64
    qemu-system-x86-core-3.1.0-8.amzn2.0.11.x86_64
    qemu-debuginfo-3.1.0-8.amzn2.0.11.x86_64

Changelog:

2025-09-23: CVE-2023-0330 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2021-3416, CVE-2023-2861

Mitre: CVE-2021-3416, CVE-2023-2861