CVE-2023-30612: 
CBL Mariner vulnerability analysis and mitigation

CVE-2023-30612 affects Cloud Hypervisor, a Virtual Machine Monitor for Cloud workloads. The vulnerability was discovered through httpapifuzzer via oss-fuzz and disclosed in April 2023. It impacts upstream main branch, v31.0, and v30.0 versions of Cloud Hypervisor (GitHub Advisory).

The vulnerability allows users to close arbitrary open file descriptors in the Cloud Hypervisor process through malicious HTTP requests sent via the HTTP API socket. The issue has been assigned a CVSS v3.1 base score of 4.0 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L. The vulnerability is classified as both a Use-After-Free (CWE-416) and Missing Authentication for Critical Function (CWE-306) issue (NVD).

The exploitation of this vulnerability can result in a Denial-of-Service (DoS) condition by crashing the Cloud Hypervisor process. Additionally, it presents a potential Use-After-Free (UAF) vulnerability. The impact is limited to scenarios where an attacker has write access to the API socket file (GitHub Advisory).

The vulnerability has been patched in versions 30.1 and 31.1. For users unable to upgrade, the recommended mitigation is to ensure that write access to the API socket file is granted only to trusted users. Two pull requests (#5350 and #5373) were merged to address this issue (GitHub Advisory).