Bug 1986094 (CVE-2021-3667)
| Summary: | CVE-2021-3667 libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | agedosier, berrange, clalancette, crobinso, eblake, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, veillard, virt-maint, virt-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-09-30 18:21:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1984318, 1986113, 1986456, 1986457, 1986458, 1986459, 1993310 | ||
| Bug Blocks: | 1986096, 1986384, 1986808 | ||
|
Description
Mauro Matteo Cascella
2021-07-26 16:31:37 UTC
Created libvirt tracking bugs for this issue: Affects: fedora-all [bug 1986113] This bug was introduced in libvirt-4.1.0 when virStoragePoolLookupByTargetPath was exported as a public API with commit: https://libvirt.org/git/?p=libvirt.git;a=commit;h=7aa0e8c0cb8a6293d0c6f7e3d29c13b96dec2129 By default no access control checks are done once a client has authenticated with libvirtd. An authenticated user is allowed access to all libvirt API calls. Libvirt provides support for fine grained per-API access control via polkit, by enabling the 'polkit' access control driver. This issue allows a denial of service on a libvirt socket that has been configured with polkit fine grained access controls. The attack vector is "Network" since libvirt can be optionally enabled for remote access over TCP (together with polkit access control). This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.4.0.Z Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3667 This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.2.1 Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191 |