At the 8th Internet Security Conference 2020 (ISC 2020), the zero-day vulnerabilities in QEMU/KVM VM escape were publicized. Zero-day vulnerabilities in VM escape can be exploited to read and write unauthorized data up to 0xffffffff (that is 4 GB in size) from a heap and enable a complete VM escape. Alibaba Cloud has fixed these vulnerabilities.

Detected vulnerability

The zero-day vulnerabilities in QEMU/KVM VM escape were first exposed in the Tianfu Cup 2019 International Cybersecurity Contest on November 17, 2019. At the ISC 2020 held on August 13th, the vulnerabilities were publicized. Zero-day vulnerabilities in VM escape can be exploited to read and write unauthorized data up to 0xffffffff (that is 4 GB in size) from a heap and enable a complete VM escape. Code can then be executed in the host and result in serious information leaks. So far, QEMU has not provided any official patches for the vulnerabilities.

Solution

Alibaba Cloud has fixed these vulnerabilities as of December 2019. You do not need to perform any operations to fix the vulnerabilities.

Announcing party

Alibaba Cloud Computing Co., Ltd.