ID CVE-2014-7823
Summary The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.
Vulnerable Configurations
  • Red Hat libvirt 1.2.0
    cpe:2.3:a:redhat:libvirt:1.2.0
  • Red Hat libvirt 1.2.1
    cpe:2.3:a:redhat:libvirt:1.2.1
  • Red Hat libvirt 1.2.2
    cpe:2.3:a:redhat:libvirt:1.2.2
  • Red Hat libvirt 1.2.3
    cpe:2.3:a:redhat:libvirt:1.2.3
  • Red Hat libvirt 1.2.4
    cpe:2.3:a:redhat:libvirt:1.2.4
  • Red Hat libvirt 1.2.5
    cpe:2.3:a:redhat:libvirt:1.2.5
  • Red Hat libvirt 1.2.6
    cpe:2.3:a:redhat:libvirt:1.2.6
  • Red Hat libvirt 1.2.7
    cpe:2.3:a:redhat:libvirt:1.2.7
  • Red Hat libvirt 1.2.8
    cpe:2.3:a:redhat:libvirt:1.2.8
  • Red Hat libvirt 1.2.9
    cpe:2.3:a:redhat:libvirt:1.2.9
  • Red Hat libvirt 1.2.10
    cpe:2.3:a:redhat:libvirt:1.2.10
CVSS
Base: 5.0 (as of 30-12-2014 - 13:49)
CWE CWE-255
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-115.NASL
    description Updated libvirt packages fix security vulnerabilities : The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456). libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179). An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process (CVE-2014-3633). A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive (CVE-2014-3657). Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file (CVE-2014-7823). 
The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allows local users to cause a denial of service via unspecified vectors (CVE-2014-8136). The XML getters for save images and snapshots objects don't check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to leak certain limited information from the domain xml file (CVE-2015-0236).
    last seen 2017-10-29
    modified 2015-03-30
    plugin id 82368
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82368
    title Mandriva Linux Security Advisory : libvirt (MDVSA-2015:115)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-0008.NASL
    description From Red Hat Security Advisory 2015:0008 : Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This issue was discovered by Eric Blake of Red Hat. This update also fixes the following bugs : * In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted. However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message. Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits. 
(BZ#1150379) * Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124) * If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2015-12-01
    plugin id 80387
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80387
    title Oracle Linux 7 : libvirt (ELSA-2015-0008)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-695.NASL
    description libvirt was updated to fix one security issue. This security issue was fixed : - Security issue with migratable flag (CVE-2014-7823).
    last seen 2017-10-29
    modified 2014-11-24
    plugin id 79412
    published 2014-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79412
    title openSUSE Security Update : libvirt (openSUSE-SU-2014:1471-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-15228.NASL
    description
      - Rebased to version 1.1.3.8
      - CVE-2014-3633: out-of-bounds read in blockiotune (bz #1160823)
      - CVE-2014-3657: Potential deadlock in domain_conf (bz #1160824)
      - CVE-2014-7823: information leak with migratable flag (bz #1160822)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 79397
    published 2014-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79397
    title Fedora 20 : libvirt-1.1.3.8-1.fc20 (2014-15228)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-0008.NASL
    description Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This issue was discovered by Eric Blake of Red Hat. This update also fixes the following bugs : * In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted. However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message. Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits. 
(BZ#1150379) * Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124) * If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2015-01-07
    plugin id 80360
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80360
    title CentOS 7 : libvirt (CESA-2015:0008)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150105_LIBVIRT_ON_SL7_X.NASL
    description It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This update also fixes the following bugs : - In Scientific Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted. However, with Scientific Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message. - Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. - If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. 
As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2015-01-07
    plugin id 80397
    published 2015-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80397
    title Scientific Linux Security Update : libvirt on SL7.x x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-04 (libvirt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libvirt. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service or cause information leakage. A local attacker may be able to escalate privileges, cause a Denial of Service or possibly execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2015-04-13
    plugin id 79814
    published 2014-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79814
    title GLSA-201412-04 : libvirt: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2404-1.NASL
    description Pavel Hrdina discovered that libvirt incorrectly handled locking when processing the virConnectListAllDomains command. An attacker could use this issue to cause libvirtd to hang, resulting in a denial of service. (CVE-2014-3657) Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file. (CVE-2014-7823). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-24
    plugin id 79210
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79210
    title Ubuntu 14.04 LTS / 14.10 : libvirt vulnerabilities (USN-2404-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141118_LIBVIRT_ON_SL6_X.NASL
    description An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. (CVE-2014-3633) A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657) It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This update also fixes the following bug : When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead.
Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2014-11-19
    plugin id 79331
    published 2014-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79331
    title Scientific Linux Security Update : libvirt on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1873.NASL
    description Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. (CVE-2014-3633) A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657) It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat. This update also fixes the following bug : When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. 
If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 79329
    published 2014-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79329
    title RHEL 6 : libvirt (RHSA-2014:1873)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1873.NASL
    description From Red Hat Security Advisory 2014:1873 : Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. (CVE-2014-3633) A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657) It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat. This update also fixes the following bug : When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. 
If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2015-12-04
    plugin id 79372
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79372
    title Oracle Linux 6 : libvirt (ELSA-2014-1873)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-222.NASL
    description Updated libvirt packages fix security vulnerability : Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file (CVE-2014-7823).
    last seen 2017-10-29
    modified 2014-11-24
    plugin id 79409
    published 2014-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79409
    title Mandriva Linux Security Advisory : libvirt (MDVSA-2014:222)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0008.NASL
    description Updated libvirt packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) This issue was discovered by Eric Blake of Red Hat. This update also fixes the following bugs : * In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to supply the error message when an active commit is attempted. However, with Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an additional interaction from libvirt to fully enable active commits is still missing. As a consequence, attempts to perform an active commit caused libvirt to become unresponsive. With this update, libvirt has been fixed to detect an active commit by itself, and now properly declares the feature as unsupported. As a result, libvirt no longer hangs when an active commit is attempted and instead produces an error message. Note that the missing libvirt interaction will be added in Red Hat Enterprise Linux 7.1, adding full support for active commits. 
(BZ#1150379) * Prior to this update, the libvirt API did not properly check whether a Discretionary Access Control (DAC) security label is non-NULL before trying to parse user/group ownership from it. In addition, the DAC security label of a transient domain that had just finished migrating to another host is in some cases NULL. As a consequence, when the virDomainGetBlockInfo API was called on such a domain, the libvirtd daemon sometimes terminated unexpectedly. With this update, libvirt properly checks DAC labels before trying to parse them, and libvirtd thus no longer crashes in the described scenario. (BZ#1171124) * If a block copy operation was attempted while another block copy was already in progress to an explicit raw destination, libvirt previously stopped regarding the destination as raw. As a consequence, if the qemu.conf file was edited to allow file format probing, triggering the bug could allow a malicious guest to bypass sVirt protection by making libvirt regard the file as non-raw. With this update, libvirt has been fixed to consistently remember when a block copy destination is raw, and guests can no longer circumvent sVirt protection when the host is configured to allow format probing. (BZ#1149078) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 80388
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80388
    title RHEL 7 : libvirt (RHSA-2015:0008)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-LIBVIRT-201412-150124.NASL
    description This collective update for KVM and libvirt provides fixes for security and non-security issues.
      kvm :
        - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640)
        - Fix performance degradation after migration. (bsc#878350)
        - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381)
        - Add validate hex properties for qdev. (bsc#852397)
        - Add boot option to do strict boot (bsc#900084)
        - Add query-command-line-options QMP command. (bsc#899144)
        - Fix incorrect return value of migrate_cancel. (bsc#843074)
        - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840)
        - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106)
      libvirt :
        - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823)
        - Fix domain deadlock. (bsc#899484, CVE-2014-3657)
        - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633)
        - Fix undefined symbol when starting virtlockd. (bsc#910145)
        - Add '-boot strict' to qemu's commandline whenever possible. (bsc#900084)
        - Add support for 'reboot-timeout' in qemu. (bsc#899144)
        - Increase QEMU's monitor timeout to 30sec. (bsc#911742)
        - Allow setting QEMU's migration max downtime any time. (bsc#879665)
    last seen 2017-10-29
    modified 2015-02-24
    plugin id 81481
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81481
    title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1873.NASL
    description Updated libvirt packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. (CVE-2014-3633) A denial of service flaw was found in the way libvirt's virConnectListAllDomains() function computed the number of used domains. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to make any domain operations within libvirt unresponsive. (CVE-2014-3657) It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the QEMU driver implementation of the virDomainGetXMLDesc() function could bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to leak certain limited information from the domain XML data. (CVE-2014-7823) The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat. This update also fixes the following bug : When dumping migratable XML configuration of a domain, libvirt removes some automatically added devices for compatibility with older libvirt releases. 
    If such XML is passed to libvirt as a domain XML that should be used during migration, libvirt checks this XML for compatibility with the internally stored configuration of the domain. However, prior to this update, these checks failed because of devices that were missing (the same devices libvirt removed). As a consequence, migration with user-supplied migratable XML failed. Since this feature is used by OpenStack, migrating QEMU/KVM domains with OpenStack always failed. With this update, before checking domain configurations for compatibility, libvirt transforms both user-supplied and internal configuration into a migratable form (automatically added devices are removed) and checks those instead. Thus, no matter whether the user-supplied configuration was generated as migratable or not, libvirt does not err about missing devices, and migration succeeds as expected. (BZ#1155564) All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.
    last seen 2017-10-29
    modified 2014-11-20
    plugin id 79338
    published 2014-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79338
    title CentOS 6 : libvirt (CESA-2014:1873)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-LIBVIRT-201412-150123.NASL
    description This collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add '-boot strict' to qemu's commandline whenever possible. (bsc#900084) - Add support for 'reboot-timeout' in qemu. (bsc#899144) - Increase QEMU's monitor timeout to 30sec. (bsc#911742) - Allow setting QEMU's migration max downtime any time. (bsc#879665)
    last seen 2017-10-29
    modified 2015-02-24
    plugin id 81480
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81480
    title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
redhat via4
advisories
  • bugzilla
    id 1160817
    title CVE-2014-7823 libvirt: dumpxml: information leak with migratable flag
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment libvirt is earlier than 0:0.10.2-46.el6_6.2
          oval oval:com.redhat.rhsa:tst:20141873005
        • comment libvirt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391006
      • AND
        • comment libvirt-client is earlier than 0:0.10.2-46.el6_6.2
          oval oval:com.redhat.rhsa:tst:20141873007
        • comment libvirt-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391010
      • AND
        • comment libvirt-devel is earlier than 0:0.10.2-46.el6_6.2
          oval oval:com.redhat.rhsa:tst:20141873009
        • comment libvirt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391008
      • AND
        • comment libvirt-lock-sanlock is earlier than 0:0.10.2-46.el6_6.2
          oval oval:com.redhat.rhsa:tst:20141873013
        • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120748014
      • AND
        • comment libvirt-python is earlier than 0:0.10.2-46.el6_6.2
          oval oval:com.redhat.rhsa:tst:20141873011
        • comment libvirt-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391012
    rhsa
    id RHSA-2014:1873
    released 2014-11-18
    severity Moderate
    title RHSA-2014:1873: libvirt security and bug fix update (Moderate)
  • bugzilla
    id 1171124
    title libvirtd occasionally crashes at the end of migration
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment libvirt is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008005
        • comment libvirt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391006
      • AND
        • comment libvirt-client is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008037
        • comment libvirt-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391010
      • AND
        • comment libvirt-daemon is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008035
        • comment libvirt-daemon is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914016
      • AND
        • comment libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008011
        • comment libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914008
      • AND
        • comment libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008013
        • comment libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914022
      • AND
        • comment libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008021
        • comment libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914028
      • AND
        • comment libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008033
        • comment libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914026
      • AND
        • comment libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008029
        • comment libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914010
      • AND
        • comment libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008019
        • comment libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914020
      • AND
        • comment libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008015
        • comment libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914038
      • AND
        • comment libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008039
        • comment libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914040
      • AND
        • comment libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008023
        • comment libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914012
      • AND
        • comment libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008031
        • comment libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914018
      • AND
        • comment libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008041
        • comment libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914044
      • AND
        • comment libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008007
        • comment libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914030
      • AND
        • comment libvirt-devel is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008009
        • comment libvirt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391008
      • AND
        • comment libvirt-docs is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008025
        • comment libvirt-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914032
      • AND
        • comment libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008043
        • comment libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120748014
      • AND
        • comment libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008017
        • comment libvirt-login-shell is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140914014
      • AND
        • comment libvirt-python is earlier than 0:1.1.1-29.el7_0.4
          oval oval:com.redhat.rhsa:tst:20150008027
        • comment libvirt-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110391012
    rhsa
    id RHSA-2015:0008
    released 2015-01-05
    severity Low
    title RHSA-2015:0008: libvirt security and bug fix update (Low)
rpms
  • libvirt-0:0.10.2-46.el6_6.2
  • libvirt-client-0:0.10.2-46.el6_6.2
  • libvirt-devel-0:0.10.2-46.el6_6.2
  • libvirt-lock-sanlock-0:0.10.2-46.el6_6.2
  • libvirt-python-0:0.10.2-46.el6_6.2
  • libvirt-0:1.1.1-29.el7_0.4
  • libvirt-client-0:1.1.1-29.el7_0.4
  • libvirt-daemon-0:1.1.1-29.el7_0.4
  • libvirt-daemon-config-network-0:1.1.1-29.el7_0.4
  • libvirt-daemon-config-nwfilter-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-interface-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-lxc-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-network-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-nodedev-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-nwfilter-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-qemu-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-secret-0:1.1.1-29.el7_0.4
  • libvirt-daemon-driver-storage-0:1.1.1-29.el7_0.4
  • libvirt-daemon-kvm-0:1.1.1-29.el7_0.4
  • libvirt-daemon-lxc-0:1.1.1-29.el7_0.4
  • libvirt-devel-0:1.1.1-29.el7_0.4
  • libvirt-docs-0:1.1.1-29.el7_0.4
  • libvirt-lock-sanlock-0:1.1.1-29.el7_0.4
  • libvirt-login-shell-0:1.1.1-29.el7_0.4
  • libvirt-python-0:1.1.1-29.el7_0.4
refmap via4
confirm http://security.libvirt.org/2014/0007.html
gentoo GLSA-201412-04
secunia
  • 60010
  • 60895
  • 62058
  • 62303
suse openSUSE-SU-2014:1471
ubuntu USN-2404-1
Last major update 02-01-2017 - 21:59
Published 13-11-2014 - 16:32