Virtualization Red Hat Virtualization

Do you want an email whenever new security vulnerabilities are reported in Red Hat Virtualization?

Recent Red Hat Virtualization Security Advisories

Advisory Title Published
RHSA-2021:4725 (RHSA-2021:4725) Moderate: OpenShift Virtualization 2.6.8 Images security and bug fix update November 17, 2021
RHSA-2021:4722 (RHSA-2021:4722) Moderate: OpenShift Virtualization 2.6.8 RPMs security and bug fix update November 17, 2021
RHSA-2021:4103 (RHSA-2021:4103) Moderate: OpenShift Virtualization 4.9.0 RPMs security and bug fix update November 2, 2021
RHSA-2021:4104 (RHSA-2021:4104) Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update November 2, 2021
RHSA-2021:3943 (RHSA-2021:3943) Moderate: RHV-H security update (redhat-virtualization-host) 4.3.19 October 20, 2021
RHSA-2021:3733 (RHSA-2021:3733) Low: OpenShift Virtualization 2.6.7 Images security and bug fix update October 5, 2021
RHSA-2021:3598 (RHSA-2021:3598) Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update September 21, 2021
RHSA-2021:3477 (RHSA-2021:3477) Important: RHV-H security update (redhat-virtualization-host) 4.3.18 September 9, 2021
RHSA-2021:3459 (RHSA-2021:3459) Moderate: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.8] September 8, 2021
RHSA-2021:3259 (RHSA-2021:3259) Moderate: OpenShift Virtualization 4.8.1 Images security and bug fix update August 24, 2021

By the Year

In 2021 there have been 4 vulnerabilities in Red Hat Virtualization with an average score of 5.9 out of ten. Last year Virtualization had 4 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. Last year, the average CVE base score was greater by 1.15

Year Vulnerabilities Average Score
2021 4 5.90
2020 4 7.05
2019 22 7.57
2018 50 7.40

It may take a day or so for new Virtualization vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Virtualization Security Vulnerabilities

A flaw has been found in libssh in versions prior to 0.9.6

CVE-2021-3634 6.5 - Medium - August 31, 2021

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.

Buffer Overflow

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1

CVE-2019-14850 3.7 - Low - March 18, 2021

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.

Network Amplification

A flaw was found in multiple versions of OpenvSwitch

CVE-2020-27827 7.5 - High - March 18, 2021

A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

Resource Exhaustion

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API

CVE-2020-25657 5.9 - Medium - January 12, 2021

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.

A flaw was found in ovirt-engine 4.4.3 and earlier

CVE-2020-35497 6.5 - Medium - December 21, 2020

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

Authorization

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8

CVE-2019-19336 6.1 - Medium - March 19, 2020

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

XSS

A flaw was found in PostgreSQL's "ALTER

CVE-2020-1720 6.5 - Medium - March 17, 2020

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

AuthZ

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding

CVE-2019-14859 9.1 - Critical - January 02, 2020

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

Improper Verification of Cryptographic Signature

A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket

CVE-2019-14818 7.5 - High - November 14, 2019

A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This flaw could lead to a denial of service condition.

Memory Leak

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel

CVE-2019-14816 7.8 - High - September 20, 2019

There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.

Memory Corruption

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality

CVE-2019-14835 7.8 - High - September 17, 2019

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

Classic Buffer Overflow

The virConnectGetDomainCapabilities() libvirt API

CVE-2019-10167 7.8 - High - August 02, 2019

The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

Authorization

The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs

CVE-2019-10168 7.8 - High - August 02, 2019

The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

Authorization

It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API

CVE-2019-10166 7.8 - High - August 02, 2019

It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.

Authorization

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions

CVE-2019-10194 5.5 - Medium - July 11, 2019

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

Insertion of Sensitive Information into Log File

Jonathan Looney discovered

CVE-2019-11477 7.5 - High - June 19, 2019

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

Integer Overflow or Wraparound

Jonathan Looney discovered

CVE-2019-11478 7.5 - High - June 19, 2019

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Resource Exhaustion

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes

CVE-2019-11479 7.5 - High - June 19, 2019

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Resource Exhaustion

A flaw was found in the Linux kernel

CVE-2019-10126 9.8 - Critical - June 14, 2019

A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.

Memory Corruption

A vulnerability was found in Undertow web server before 2.0.21

CVE-2019-3888 9.8 - Critical - June 12, 2019

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

Credentials Management Errors

A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev

CVE-2019-11463 6.5 - Medium - April 23, 2019

A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.

Memory Leak

It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack

CVE-2019-3804 7.5 - High - March 26, 2019

It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.

Missing Initialization of Resource

It was discovered that in the ovirt's REST API before version 4.3.2.1

CVE-2019-3879 6.5 - Medium - March 25, 2019

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Permission Issues

A flaw was found in sssd Group Policy Objects implementation

CVE-2018-16838 5.4 - Medium - March 25, 2019

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.

Improper Privilege Management

The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.

CVE-2019-7221 7.8 - High - March 21, 2019

The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free.

Dangling pointer

In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting

CVE-2019-6974 8.1 - High - February 15, 2019

In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.

Race Condition

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt

CVE-2019-3813 7.5 - High - February 04, 2019

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.

Out-of-bounds Read

A denial of service vulnerability was found in rsyslog in the imptcp module

CVE-2018-16881 7.5 - High - January 25, 2019

A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable.

Integer Overflow or Wraparound

An allocation of memory without limits

CVE-2018-16865 7.8 - High - January 11, 2019

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

Allocation of Resources Without Limits or Throttling

An allocation of memory without limits

CVE-2018-16864 7.8 - High - January 11, 2019

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.

Allocation of Resources Without Limits or Throttling

In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion

CVE-2018-9568 7.8 - High - December 06, 2018

In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.

Incorrect Type Conversion or Cast

A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr

CVE-2018-14660 6.5 - Medium - November 01, 2018

A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.

Resource Exhaustion

In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses

CVE-2018-18445 7.8 - High - October 17, 2018

In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.

Out-of-bounds Read

qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which

CVE-2018-17963 9.8 - Critical - October 09, 2018

qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.

Integer Overflow or Wraparound

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server

CVE-2018-1000805 8.8 - High - October 08, 2018

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.

Incorrect Permission Assignment for Critical Resource

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store

CVE-2018-1000808 5.9 - Medium - October 08, 2018

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.

Improper Resource Shutdown or Release

An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11

CVE-2018-17972 5.5 - Medium - October 03, 2018

An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.

Race Condition

A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request

CVE-2018-14633 7 - High - September 25, 2018

A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.

Memory Corruption

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c

CVE-2018-17205 7.5 - High - September 19, 2018

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert back all previous flows that were successfully applied from the same bundle. This is possible since OvS maintains list of old flows that were replaced by flows from the bundle. While reinserting old flows, OvS has an assertion failure due to a check on rule state != RULE_INITIALIZED. This would work for new flows, but for an old flow the rule state is RULE_REMOVED. The assertion failure causes an OvS crash.

assertion failure

An information leak vulnerability was found in Undertow

CVE-2018-14642 5.3 - Medium - September 18, 2018

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

Information Disclosure

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized

CVE-2018-1114 6.5 - Medium - September 11, 2018

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.

Resource Exhaustion

A flaw was found in RPC request using gfs3_rename_req in glusterfs server

CVE-2018-10930 6.5 - Medium - September 04, 2018

A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume.

Improper Input Validation

A flaw was found in RPC request using gfs2_create_req in glusterfs server

CVE-2018-10929 8.8 - High - September 04, 2018

A flaw was found in RPC request using gfs2_create_req in glusterfs server. An authenticated attacker could use this flaw to create arbitrary files and execute arbitrary code on glusterfs server nodes.

Improper Input Validation

A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which

CVE-2018-10928 8.8 - High - September 04, 2018

A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.

insecure temporary file

A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server

CVE-2018-10926 8.8 - High - September 04, 2018

A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node.

Improper Input Validation

A flaw was found in RPC request using gfs3_lookup_req in glusterfs server

CVE-2018-10927 8.1 - High - September 04, 2018

A flaw was found in RPC request using gfs3_lookup_req in glusterfs server. An authenticated attacker could use this flaw to leak information and execute remote denial of service by crashing gluster brick process.

Improper Input Validation

It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node

CVE-2018-10923 8.1 - High - September 04, 2018

It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node.

Improper Input Validation

It was found that an attacker could issue a xattr request

CVE-2018-10914 6.5 - Medium - September 04, 2018

It was found that an attacker could issue a xattr request via glusterfs FUSE to cause gluster brick process to crash which will result in a remote denial of service. If gluster multiplexing is enabled this will result in a crash of multiple bricks and gluster volumes.

NULL Pointer Dereference

An information disclosure vulnerability was discovered in glusterfs server

CVE-2018-10913 6.5 - Medium - September 04, 2018

An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file.

Generation of Error Message Containing Sensitive Information

A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values

CVE-2018-10911 7.5 - High - September 04, 2018

A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.

Information Disclosure

It was found that glusterfs server is vulnerable to multiple stack based buffer overflows due to functions in server-rpc-fopc.c allocating fixed size buffers using 'alloca(3)'

CVE-2018-10907 8.8 - High - September 04, 2018

It was found that glusterfs server is vulnerable to multiple stack based buffer overflows due to functions in server-rpc-fopc.c allocating fixed size buffers using 'alloca(3)'. An authenticated attacker could exploit this by mounting a gluster volume and sending a string longer that the fixed buffer size to cause crash or potential code execution.

Stack Overflow

It was found that glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute

CVE-2018-10904 8.8 - High - September 04, 2018

It was found that glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute which is used by the "debug/io-stats" translator. Attacker can use this flaw to create files and execute arbitrary code. To exploit this attacker would require sufficient access to modify the extended attributes of files on a gluster volume.

Untrusted Path

A weakness was found in postgresql-jdbc before version 42.2.5

CVE-2018-10936 8.1 - High - August 30, 2018

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

Improper Validation of Certificate with Host Mismatch

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing

CVE-2018-10858 8.8 - High - August 22, 2018

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Buffer Overflow

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks

CVE-2018-10873 8.8 - High - August 17, 2018

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.

Improper Input Validation

A vulnerability was found in libpq

CVE-2018-10915 7.5 - High - August 09, 2018

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

SQL Injection

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources

CVE-2018-10908 6.3 - Medium - August 09, 2018

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU time, causing a denial of service condition that could potentially impact other users of the host.

Allocation of Resources Without Limits or Throttling

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet

CVE-2018-5390 7.5 - High - August 06, 2018

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.

Resource Exhaustion

A directory traversal issue was found in reposync

CVE-2018-10897 8.1 - High - August 01, 2018

A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.

Directory traversal

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives

CVE-2018-10862 5.5 - Medium - July 27, 2018

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.

Directory traversal

An assertion-failure flaw was found in Qemu before 2.10.1

CVE-2017-7539 7.5 - High - July 26, 2018

An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.

Improper Input Validation

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe

CVE-2017-7481 9.8 - Critical - July 19, 2018

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.

Improper Input Validation

A flaw was found in ansible

CVE-2018-10875 7.8 - High - July 13, 2018

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Untrusted Path

Systems with microprocessors utilizing speculative execution and branch prediction may

CVE-2018-3693 5.6 - Medium - July 10, 2018

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks

CVE-2018-10855 5.9 - Medium - July 03, 2018

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

Insertion of Sensitive Information into Log File

In ansible it was found

CVE-2018-10874 7.8 - High - July 02, 2018

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

Improper Input Validation

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords

CVE-2018-1073 5.3 - Medium - June 19, 2018

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

Information Disclosure

Bouncy Castle BC 1.54 - 1.59

CVE-2018-1000180 7.5 - High - June 05, 2018

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Use of a Broken or Risky Cryptographic Algorithm

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may

CVE-2018-3639 5.5 - Medium - May 22, 2018

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

Side Channel Attack

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers

CVE-2018-10237 5.9 - Medium - April 26, 2018

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Allocation of Resources Without Limits or Throttling

The DPDK vhost-user interface does not check to verify

CVE-2018-1059 6.1 - Medium - April 24, 2018

The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable.

Information Disclosure

A privilege escalation flaw was found in gluster 3.x snapshot scheduler

CVE-2018-1088 8.1 - High - April 18, 2018

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

Incorrect Privilege Assignment

transport.py in the SSH server implementation of Paramiko before 1.17.6

CVE-2018-7750 9.8 - Critical - March 13, 2018

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

authentification

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support

CVE-2018-7858 5.5 - Medium - March 12, 2018

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.

Out-of-bounds Read

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU)

CVE-2018-7550 8.8 - High - March 01, 2018

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.

Memory Corruption

util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which

CVE-2018-6764 7.8 - High - February 23, 2018

util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.

Origin Validation Error

Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver

CVE-2018-1000026 7.7 - High - February 09, 2018

Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..

Improper Input Validation

qemu/qemu_monitor.c in libvirt

CVE-2018-5748 7.5 - High - January 25, 2018

qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.

Resource Exhaustion

The vga_draw_text function in Qemu

CVE-2018-5683 6 - Medium - January 23, 2018

The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.

Out-of-bounds Read

In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which

CVE-2018-5344 7.8 - High - January 12, 2018

In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.

Race Condition

In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer over-read

CVE-2017-9214 9.8 - Critical - May 23, 2017

In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer over-read that is caused by an unsigned integer underflow in the function `ofputil_pull_queue_get_config_reply10` in `lib/ofp-util.c`.

Integer underflow

The virtqueue_pop function in hw/virtio/virtio.c in QEMU

CVE-2016-5403 5.5 - Medium - August 02, 2016

The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.

Resource Exhaustion

The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which

CVE-2016-3710 8.8 - High - May 11, 2016

The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.

Buffer Overflow

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18

CVE-2015-0235 - January 28, 2015

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Memory Corruption

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets

CVE-2014-0160 7.5 - High - April 07, 2014

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organizations risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.

Buffer Overflow

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence

CVE-2012-3515 - November 23, 2012

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."

Improper Input Validation

Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8

CVE-2009-3080 - November 20, 2009

Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

out-of-bounds array index

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which

CVE-2009-2910 - October 20, 2009

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.

Information Disclosure

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Suse Linux Enterprise Software Development Kit or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe