rhba-2014_1206
Vulnerability from csaf_redhat
Published
2014-09-16 00:16
Modified
2024-11-22 07:41
Summary
Red Hat Bug Fix Advisory: virt-who bug fix and enhancement update
Notes
Topic
Updated virt-who packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Details
The virt-who package provides an agent that collects information about virtual
guests present in the system and reports them to the subscription manager.
The virt-who package has been upgraded to upstream version 0.9, which provides a
number of bug fixes and enhancements over the previous version.
Notably, the permissions for the configuration file has been changed from
world-readable to root-only readable. This change is only for new installations
of virt-who; existing installations should be fixed manually by setting the
permission of the /etc/sysconfig/virt-who file to 600. (BZ#861552)
This update also fixes the following bugs:
* Prior to this update, the configuration file for virt-who contained incorrect
permissions and was world-readable, although this file can contain passwords. As
a consequence, any user could read the passwords from the configuration file. To
fix this bug, the permissions have been changed to be root-readable only, and
non-root users can no longer read passwords from the virt-who configuration
file. (BZ#1088756)
* Previously, the virt-who utility did not report the state of virtual guests to
the Subscription Asset Manager (SAM) server. To fix this bug, the info() method
from libvirt has been used, and the state of a virtual machine is now reported
to the SAM server. (BZ#1124732)
In addition, this update adds the following enhancements:
* With this update, support for Red Hat Enterprise Virtualization Manager
virtualization back end has been added to virt-who. Now, the user can use
virt-who on Red Hat Enterprise Linux 5.11.0 to gather host/guest associations
from Red Hat Enterprise Virtualization Manager. (BZ#1009401)
* Although virt-who worked properly with VMware ESX software, the support for
VMware ESXi software was not functional due to differences between ESX and ESXi.
With this update, support for ESXi as virtualization back end has been provided
for virt-who, which can now use both ESX and ESXi as virtualization back ends.
(BZ#1078858)
Users of virt-who are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated virt-who packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.",
"title": "Topic"
},
{
"category": "general",
"text": "The virt-who package provides an agent that collects information about virtual\nguests present in the system and reports them to the subscription manager.\n\nThe virt-who package has been upgraded to upstream version 0.9, which provides a\nnumber of bug fixes and enhancements over the previous version. \nNotably, the permissions for the configuration file has been changed from\nworld-readable to root-only readable. This change is only for new installations\nof virt-who; existing installations should be fixed manually by setting the\npermission of the /etc/sysconfig/virt-who file to 600. (BZ#861552)\n\nThis update also fixes the following bugs:\n\n* Prior to this update, the configuration file for virt-who contained incorrect\npermissions and was world-readable, although this file can contain passwords. As\na consequence, any user could read the passwords from the configuration file. To\nfix this bug, the permissions have been changed to be root-readable only, and\nnon-root users can no longer read passwords from the virt-who configuration\nfile. (BZ#1088756) \n\n* Previously, the virt-who utility did not report the state of virtual guests to\nthe Subscription Asset Manager (SAM) server. To fix this bug, the info() method\nfrom libvirt has been used, and the state of a virtual machine is now reported\nto the SAM server. (BZ#1124732)\n\nIn addition, this update adds the following enhancements:\n\n* With this update, support for Red Hat Enterprise Virtualization Manager\nvirtualization back end has been added to virt-who. Now, the user can use\nvirt-who on Red Hat Enterprise Linux 5.11.0 to gather host/guest associations\nfrom Red Hat Enterprise Virtualization Manager. (BZ#1009401)\n\n* Although virt-who worked properly with VMware ESX software, the support for\nVMware ESXi software was not functional due to differences between ESX and ESXi.\nWith this update, support for ESXi as virtualization back end has been provided\nfor virt-who, which can now use both ESX and ESXi as virtualization back ends.\n(BZ#1078858)\n\nUsers of virt-who are advised to upgrade to these updated packages, which fix\nthese bugs and add these enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2014:1206",
"url": "https://access.redhat.com/errata/RHBA-2014:1206"
},
{
"category": "external",
"summary": "861552",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861552"
},
{
"category": "external",
"summary": "864791",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=864791"
},
{
"category": "external",
"summary": "975340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=975340"
},
{
"category": "external",
"summary": "990957",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=990957"
},
{
"category": "external",
"summary": "991379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=991379"
},
{
"category": "external",
"summary": "993822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=993822"
},
{
"category": "external",
"summary": "1004247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1004247"
},
{
"category": "external",
"summary": "1009401",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1009401"
},
{
"category": "external",
"summary": "1088756",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088756"
},
{
"category": "external",
"summary": "1092811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092811"
},
{
"category": "external",
"summary": "1092818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092818"
},
{
"category": "external",
"summary": "1092848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092848"
},
{
"category": "external",
"summary": "1095597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1095597"
},
{
"category": "external",
"summary": "1124732",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124732"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhba-2014_1206.json"
}
],
"title": "Red Hat Bug Fix Advisory: virt-who bug fix and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:41:31+00:00",
"generator": {
"date": "2024-11-22T07:41:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHBA-2014:1206",
"initial_release_date": "2014-09-16T00:16:42+00:00",
"revision_history": [
{
"date": "2014-09-16T00:16:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-09-16T00:16:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:41:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Multi OS (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Multi OS (v. 5 client)",
"product_id": "5Client-VT",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_virtualization:5::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Virtualization (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux Virtualization (v. 5 server)",
"product_id": "5Server-VT",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_virtualization:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "virt-who-0:0.9-6.el5.noarch",
"product": {
"name": "virt-who-0:0.9-6.el5.noarch",
"product_id": "virt-who-0:0.9-6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/virt-who@0.9-6.el5?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "virt-who-0:0.9-6.el5.src",
"product": {
"name": "virt-who-0:0.9-6.el5.src",
"product_id": "virt-who-0:0.9-6.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/virt-who@0.9-6.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "virt-who-0:0.9-6.el5.noarch as a component of Red Hat Enterprise Linux Desktop Multi OS (v. 5 client)",
"product_id": "5Client-VT:virt-who-0:0.9-6.el5.noarch"
},
"product_reference": "virt-who-0:0.9-6.el5.noarch",
"relates_to_product_reference": "5Client-VT"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virt-who-0:0.9-6.el5.src as a component of Red Hat Enterprise Linux Desktop Multi OS (v. 5 client)",
"product_id": "5Client-VT:virt-who-0:0.9-6.el5.src"
},
"product_reference": "virt-who-0:0.9-6.el5.src",
"relates_to_product_reference": "5Client-VT"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virt-who-0:0.9-6.el5.noarch as a component of Red Hat Enterprise Linux Virtualization (v. 5 server)",
"product_id": "5Server-VT:virt-who-0:0.9-6.el5.noarch"
},
"product_reference": "virt-who-0:0.9-6.el5.noarch",
"relates_to_product_reference": "5Server-VT"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "virt-who-0:0.9-6.el5.src as a component of Red Hat Enterprise Linux Virtualization (v. 5 server)",
"product_id": "5Server-VT:virt-who-0:0.9-6.el5.src"
},
"product_reference": "virt-who-0:0.9-6.el5.src",
"relates_to_product_reference": "5Server-VT"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Sal Castiglione"
]
}
],
"cve": "CVE-2014-0189",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2014-04-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1088732"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the /etc/sysconfig/virt-who configuration file, which may contain hypervisor authentication credentials, was world-readable. A local user could use this flaw to obtain authentication credentials from this file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "virt-who: plaintext hypervisor passwords in world-readable /etc/sysconfig/virt-who configuration file",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Client-VT:virt-who-0:0.9-6.el5.noarch",
"5Client-VT:virt-who-0:0.9-6.el5.src",
"5Server-VT:virt-who-0:0.9-6.el5.noarch",
"5Server-VT:virt-who-0:0.9-6.el5.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0189"
},
{
"category": "external",
"summary": "RHBZ#1088732",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1088732"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0189",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0189"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0189",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0189"
}
],
"release_date": "2014-03-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T00:16:42+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"5Client-VT:virt-who-0:0.9-6.el5.noarch",
"5Client-VT:virt-who-0:0.9-6.el5.src",
"5Server-VT:virt-who-0:0.9-6.el5.noarch",
"5Server-VT:virt-who-0:0.9-6.el5.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2014:1206"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Client-VT:virt-who-0:0.9-6.el5.noarch",
"5Client-VT:virt-who-0:0.9-6.el5.src",
"5Server-VT:virt-who-0:0.9-6.el5.noarch",
"5Server-VT:virt-who-0:0.9-6.el5.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "virt-who: plaintext hypervisor passwords in world-readable /etc/sysconfig/virt-who configuration file"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.