Redhat Libvirt vulnerabilities

CVE-2015-5247 [MEDIUM] CWE-284 CVE-2015-5247: The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote authenticated users wi The virStorageVolCreateXML API in libvirt 1.2.14 through 1.2.19 allows remote authenticated users with a read-write connection to cause a denial of service (libvirtd crash) by triggering a failed unlink after creating a volume on a root_squash NFS pool.

CVE-2011-4600 [MEDIUM] CWE-284 CVE-2011-4600: The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not The networkReloadIptablesRules function in network/bridge_driver.c in libvirt before 0.9.9 does not properly handle firewall rules on bridge networks when libvirtd is restarted, which might allow remote attackers to bypass intended access restrictions via a (1) DNS or (2) DHCP query.

CVE-2015-5313 [LOW] CVE-2015-5313: Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs Directory traversal vulnerability in the virStorageBackendFileSystemVolCreate function in storage/storage_backend_fs.c in libvirt, when fine-grained Access Control Lists (ACL) are in effect, allows local users with storage_vol:create ACL but not domain:write permission to write to arbitrary files via a .. (dot dot) in a volume name.

CVE-2015-0236 [LOW] CWE-200 CVE-2015-0236: libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_D libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2014-8131 [MEDIUM] CWE-264 CVE-2014-8131: The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly ha The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows a remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access the users does not have privileges to access.

CVE-2014-8135 [LOW] CVE-2014-8135: The storageVolUpload function in storage/storage_driver The storageVolUpload function in storage/storage_driver.c in libvirt before 1.2.11 does not check a certain return value, which allows local users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted offset value in a "virsh vol-upload" command.

CVE-2014-8136 [LOW] CVE-2014-8136: The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver The (1) qemuDomainMigratePerform and (2) qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service via unspecified vectors.

CVE-2013-4399 [MEDIUM] CVE-2013-4399: The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, do The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cause a denial of service (use-after-free and crash) by registering an event handler and then closing the connection.

CVE-2014-7823 [MEDIUM] CWE-255 CVE-2014-7823: The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag.

CVE-2014-3633 [MEDIUM] CVE-2014-3633: The qemuDomainGetBlockIoTune function in qemu/qemu_driver The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.

CVE-2014-3657 [MEDIUM] CVE-2014-3657: The virDomainListPopulate function in conf/domain_conf The virDomainListPopulate function in conf/domain_conf.c in libvirt before 1.2.9 does not clean up the lock on the list of domains, which allows remote attackers to cause a denial of service (deadlock) via a NULL value in the second parameter in the virConnectListAllDomains API command.

CVE-2014-0179 [LOW] CWE-20 CVE-2014-0179: libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this is

CVE-2014-5177 [LOW] CVE-2014-5177: libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStora

CVE-2013-7336 [LOW] CVE-2013-7336: The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not pro The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus functi

CVE-2013-6456 [MEDIUM] CWE-59 CVE-2013-6456: The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete ar The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shut

CVE-2013-6457 [MEDIUM] CWE-264 CVE-2013-6457: The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt befo The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command.

CVE-2013-6458 [MEDIUM] CWE-362 CVE-2013-6458: Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlo Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInf, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags comma

CVE-2014-0028 [MEDIUM] CWE-264 CVE-2014-0028: libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and conn libvirt 1.1.1 through 1.2.0 allows context-dependent attackers to bypass the domain:getattr and connect:search_domains restrictions in ACLs and obtain sensitive domain object information via a request to the (1) virConnectDomainEventRegister and (2) virConnectDomainEventRegisterAny functions in the event registration API.

CVE-2014-1447 [LOW] CWE-362 CVE-2014-1447: Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remot Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent.

CVE-2013-6436 [LOW] CWE-264 CVE-2013-6436: The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command.