Daniel Erez of Red Hat reports:
RHEV's MLA system allows users with the MANIPULATE_STORAGE_DOMAIN permissions
to attach a storage domain to an initialized data-center, the permissions
check is being only made against the storage domain and not the data-center
allowing faulty storage domains for example to be attached causing a DoS.
Statement:
This issue affects the versions of ovirt-engine-backend as shipped with Red Hat Enterprise Virtualization 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.