CVE-2020-2732
Public on 2020-03-23
Modified on 2020-05-08
Description
A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | kernel | 2020-04-20 | ALAS-2020-1360 | Fixed |
| Amazon Linux 2 - Core | kernel | 2020-03-23 | ALAS2-2020-1405 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.8 | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
| NVD | CVSSv2 | 2.3 | AV:A/AC:M/Au:S/C:P/I:N/A:N |
| NVD | CVSSv3 | 6.8 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |