CVE-2014-3559

CWE-264, CWE-212 | 5 documents | 5 sources
Severity
3.5 LOW
EPSS
0.3%
top 49.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 6
Latest update: May 17

Description

The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 does not wipe memory snapshots when deleting a VM, even when wipe-after-delete (WAD) is configured for the VM's disk, which allows remote authenticated users with certain credentials to read portions of the deleted VM's memory and obtain sensitive information via an uninitialized storage volume.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 6.8 | Impact: 2.9

Affected Packages: 1 package

🔴 Vulnerability Details

2
GHSA
GHSA-24xc-rjq3-m9pj: The oVirt storage backend in Red Hat Enterprise Virtualization 3 (2022-05-17)
CVEList
CVE-2014-3559: The oVirt storage backend in Red Hat Enterprise Virtualization 3 (2014-08-06)

📋 Vendor Advisories

1
Red Hat
ovirt-engine-backend: memory snapshots not wiped when deleting a VM with wipe-after-delete (WAD) enabled for its disks (2014-08-04)

💬 Community

1
Bugzilla
CVE-2014-3559 ovirt-engine-backend: memory snapshots not wiped when deleting a VM with wipe-after-delete (WAD) enabled for its disks (2014-07-22)