Red Hat libvirt vulnerabilities
90 known vulnerabilities affecting redhat/libvirt.
Total CVEs: 90
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 16, MEDIUM 58, LOW 15
Vulnerabilities
Page 2 of 5
CVE-2020-10703 | MEDIUM | CVSS 6.5 | CWE-476 | ≥ 3.10.0, < 6.0.0 | 2020-06-02
A NULL pointer dereference was found in the libvirt API responsible for fetching a storage pool based on its target path; the flaw was introduced in upstream version 3.10.0 and fixed in libvirt 6.0.0. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-onl
Sources: NVD, OSV
CVE-2020-12430 | MEDIUM | CVSS 6.5 | CWE-401 | ≥ 4.10.0, < 6.1.0 | 2020-04-28
An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 through 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak
Sources: NVD, OSV
CVE-2019-20485 | MEDIUM | CVSS 5.7 | CWE-20 | fixed in 6.0.0 | 2020-03-19
qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).
Sources: NVD, OSV
CVE-2019-10166 | HIGH | CVSS 7.8 | CWE-284 | ≥ 4.0.0, < 4.10.1; ≥ 5.0.0, < 5.4.1 | 2019-08-02
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would
Sources: NVD, OSV
CVE-2019-10167 | HIGH | CVSS 7.8 | CWE-250 | ≥ 4.0.0, < 4.10.1; ≥ 5.0.0, < 5.4.1 | 2019-08-02
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, caus
Sources: NVD, OSV
CVE-2019-10168 | HIGH | CVSS 7.8 | CWE-250 | ≥ 4.0.0, < 4.10.1; ≥ 5.0.0, < 5.4.1 | 2019-08-02
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary pat
Sources: NVD, OSV
CVE-2019-10161 | HIGH | CVSS 7.8 | CWE-284 | fixed in 4.10.1; ≥ 5.0.0, < 5.4.1 | 2019-07-30
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause
Sources: NVD, OSV
CVE-2019-10132 | HIGH | CVSS 8.8 | CWE-732 | ≤ 4.1.0 | 2019-05-22
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.
Sources: NVD, OSV
CVE-2018-12130 | MEDIUM | CVSS 5.6 | ≥ 0, < 1.3.1-1ubuntu10.26; ≥ 0, < 4.0.0-1ubuntu8.10 | 2019-05-15
libvirt update
Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core
Sources: OSV
CVE-2016-10746 | HIGH | CVSS 7.5 | CWE-254 | fixed in 1.3.1 | 2019-04-18
libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886.
Sources: NVD, OSV
CVE-2019-3886 | MEDIUM | CVSS 5.4 | CWE-862 | ≥ 4.8.0, < 5.3.0 | 2019-04-04
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
Sources: NVD, OSV
CVE-2019-3840 | MEDIUM | CVSS 6.3 | CWE-476 | fixed in 5.0.0 | 2019-03-27
A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service.
Sources: NVD, OSV
CVE-2017-2635 | MEDIUM | CVSS 6.5 | CWE-476 | ≥ 2.5.0, ≤ 3.0.0 | 2018-08-22
A NULL pointer dereference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash the libvirtd daemon, resulting in denial of service.
Sources: NVD, OSV
CVE-2015-5160 | MEDIUM | CVSS 5.5 | ≥ 0, < 2.2.0-1 | 2018-08-20
libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing.
Sources: OSV
CVE-2018-3639 | HIGH | CVSS 7.5 | Exploited | PoC | ≥ 0, < 1.2.2-0ubuntu13.1.27; ≥ 0, < 1.3.1-1ubuntu10.24 (+1 more) | 2018-06-12
libvirt vulnerability and update
Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via side-channel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. This update allows libvirt to expose new CPU features added by microcode updates to guests. (CVE-2018-3639)
Daniel P. Berrang
Sources: OSV
CVE-2018-1064 | HIGH | CVSS 7.5 | CWE-400 | ≤ 4.1.0 | 2018-03-28
libvirt versions before 4.2.0-rc1 are vulnerable to resource exhaustion as a result of an incomplete fix for CVE-2018-5748, which affects the QEMU monitor but can now also be triggered via the QEMU guest agent.
Sources: NVD, OSV
CVE-2018-6764 | HIGH | CVSS 7.8 | ≥ 0, < 4.0.0-2 | 2018-02-23
util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.
Sources: OSV
CVE-2018-5748 | HIGH | CVSS 7.5 | ≥ 0, < 4.0.0-1 | 2018-01-25
qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.
Sources: OSV
CVE-2017-1000256 | HIGH | CVSS 8.1 | CWE-295 | ≥ 2.3.0, < 3.9.0 | 2017-10-31
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default.
Sources: NVD, OSV
CVE-2016-5008 | CRITICAL | CVSS 9.8 | CWE-284 | ≤ 1.3.5 | 2016-07-13
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.
Sources: NVD, OSV