Bug 606774 (CVE-2010-2224)

Summary: CVE-2010-2224 rhev-m: merge snapshot does not pass postzero parameter for deleted volumes
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Windows   
Whiteboard: public=20100622,reported=20091229,source=redhat,impact=moderate,cvss2=2.1/AV:L/AC:L/Au:N/C:P/I:N/A:N
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 551209    
Bug Blocks:    

Description Mark J. Cox 2010-06-22 09:12:43 EDT
It was found that Red Hat Enterprise Virtualization Manager did not correctly pass the postzero parameter for deleted volumes after snapshot merging. This resulted in such volumes not being securely deleted as expected. A guest user in a new, raw virtual machine (VM), created in a data domain that has had VMs deleted from it, could use this flaw to read limited data from those deleted VMs, potentially disclosing sensitive information. (CVE-2010-2224)
Comment 1 errata-xmlrpc 2010-06-22 09:47:45 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Virtualization Manager 2.2

Via RHSA-2010:0478 https://rhn.redhat.com/errata/RHSA-2010-0478.html