Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 538
Alerts This Week
Warning Icon 1 538

Red Hat 7: RHSA-2015:0323-02 Low: libvirt Denial Of Service Advisory

red hat
Calendar Grey March 5, 2015
Dist Redhat Esm H88
Recent libvirt updates for Red Hat address several bugs while introducing improvements that maintain a minimal security footprint.
Updated libvirt packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7

Solution

All libvirt users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, libvirtd will be restarted automatically.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
It was found that QEMU's qemuDomainMigratePerform() and qemuDomainMigrateFinish2() functions did not correctly perform a domain unlock on a failed ACL check. A remote attacker able to establish a connection to libvirtd could use this flaw to lock a domain of a more privileged user, causing a denial of service. (CVE-2014-8136)
It was discovered that the virDomainSnapshotGetXMLDesc() and virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were enabled. A remote attacker able to establish a connection to libvirtd could use this flaw to obtain certain sensitive information from the domain XML file. (CVE-2015-0236)
The CVE-2015-0236 issue was found by Luyao Huang of Red Hat.
Bug fixes:
* The libvirtd daemon previously attempted to search for SELinux contexts even when SELinux was disabled on the host. Consequently, libvirtd logged "Unable to lookup SELinux process context" error messages every time a client connected to libvirtd and SELinux was disabled. libvirtd now verifies whether SELinux is enabled before searching for SELinux contexts, and no longer logs the error messages on a host with SELinux disabled. (BZ#1135155)
* The libvirt utility passed incomplete PCI addresses to QEMU. Consequently, assigning a PCI device that had a PCI address with a non-zero domain to a guest failed. Now, libvirt properly passes PCI domain to QEMU when assigning PCI devices, which prevents the described problem. (BZ#1127080)
* Because the virDomainSetMaxMemory API did not allow changing the current memory in the LXC driver, the "virsh setmaxmem" command failed when attempting to set the maximum memory to be lower than the current memory. Now, "virsh setmaxmem" sets the current memory to the intended value of the maximum memory, which avoids the mentioned problem. (BZ#1091132)
* Attempting to start a non-existent domain caused network filters to stay locked for read-only access. Because of this, subsequent attempts to gain read-write access to network filters triggered a deadlock. Network filtersare now properly unlocked in the described scenario, and the deadlock no longer occurs. (BZ#1088864)
* If a guest configuration had an active nwfilter using the DHCP snooping feature and an attempt was made to terminate libvirtd before the associated nwfilter rule snooped the guest IP address from DHCP packets, libvirtd became unresponsive. This problem has been fixed by setting a longer wait time for snooping the guest IP address. (BZ#1075543)
Enhancements:
* A new "migrate_host" option is now available in /etc/libvirt/qemu.conf, which allows users to set a custom IP address to be used for incoming migrations. (BZ#1087671)
* With this update, libvirt is able to create a compressed memory-only crash dump of a QEMU domain. This type of crash dump is directly readable by the GNU Debugger and requires significantly less hard disk space than the standard crash dump. (BZ#1035158)
* Support for reporting the NUMA node distance of the host has been added to libvirt. This enhances the current libvirt capabilities for reporting NUMA topology of the host, and allows for easier optimization of new domains. (BZ#1086331)
* The XML file of guest and host capabilities generated by the "virsh capabilities" command has been enhanced to list the following information, where relevant: the interface speed and link status of the host, the PCI Express (PCIe) details, the host's hardware support for I/O virtualization, and a report on the huge memory pages. (BZ#1076960, BZ#1076957, BZ#1076959, BZ#1076962)
These packages also include a number of other bug fixes and enhancements. For additional details, see the "Bugs Fixed" section below.

References

https://access.redhat.com/security/cve/CVE-2014-8136 https://access.redhat.com/security/cve/CVE-2015-0236 https://access.redhat.com/security/updates/classification#low

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: libvirt-1.2.8-16.el7.src.rpm
x86_64: libvirt-1.2.8-16.el7.x86_64.rpm libvirt-client-1.2.8-16.el7.i686.rpm libvirt-client-1.2.8-16.el7.x86_64.rpm libvirt-daemon-1.2.8-16.el7.x86_64.rpm libvirt-daemon-config-network-1.2.8-16.el7.x86_64.rpm libvirt-daemon-config-nwfilter-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-interface-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-lxc-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-network-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-nodedev-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-nwfilter-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-qemu-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-secret-1.2.8-16.el7.x86_64.rpm libvirt-daemon-driver-storage-1.2.8-16.el7.x86_64.rpm libvirt-daemon-kvm-1.2.8-16.el7.x86_64.rpm libvirt-debuginfo-1.2.8-16.el7.i686.rpm libvirt-debuginfo-1.2.8-16.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: libvirt-daemon-lxc-1.2.8-16.el7.x86_64.rpm libvirt-debuginfo-1.2.8-16.el7.i686.rpm libvirt-debuginfo-1.2.8-16.el7.x86_64.rpm libvirt-devel-1.2.8-16.el7.i686.rpm libvirt-devel-1.2.8-16.el7.x86_64.rpm libvirt-docs-1.2.8-16.el7.x86_64.rpm libvirt-lock-sanlock-1.2.8-16.el7.x86_64.rpm libvirt-login-shell-1.2.8-16.el7.x86_64.rpm


Read the Full Advisory


Severity
low
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2015:0323-01
Product: Red Hat Enterprise Linux
Issue date: 2015-03-05

Topic

Updated libvirt packages that fix two security issues, several bugs, andadd various enhancements are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having Low securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

Bugs Fixed

706887 - [TestOnly] qemu truncates JSON numbers >= 0x8000_0000_0000_0000

765733 - Error reporting when qemu terminates unexpectedly is inconsistent and sometimes unhelpful

823535 - Libvirt is sensitive to the order in which the video devices are passed

872628 - List available LXC consoles using container_ttys env variable

874418 - clear the error message when dump a guest with pass-through device

876829 - create external checkpoint snapshot will change the guest pmsuspended state and guest hang forever

877244 - Virsh command will delay a long time if restart libvirtd with many virtual networks running

878394 - virsh iface-dumpxml or virt-manager reports "bond interface misses the bond element" for inactive bond interfaces

880483 - Guest can use inactive macvtap-passthrough network

921094 - Missing auditing for serial, parallel, channel, console and smartcard devices

924853 - blockcopy to cifs fails

956506 - virsh snapshot-delete --children-only bypasses safety check for deleting disk-only children

957293 - support libiscsi for SCSI passthrough devices

963817 - Stable SCSI host addressing

964177 - virConnectDomainEventRTCChangeCallback returns wrong offset

967493 - Lockfailure action Ignore will lead to sanlock rem_lockspace stuck

967494 - Lockfailure action Restart can shutdown the guest but fail to start it

972964 - WWN option for Hot Attaching SCSI Disks

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.