It was discovered that, when loading XML/RSDL documents, the oVirt Engine back end module used an insecure DocumentBuilderFactory. A remote, authenticated attacker could use this flaw to read files accessible to the user running the ovirt-engine server, and potentially perform other more advanced XML External Entity (XXE) attacks.
This issue was discovered by Arun Babu Neelicattu of Red Hat Product Security.
This issue has been addressed in the following products:
RHEV Manager version 3.4
Via RHSA-2014:1161 https://rhn.redhat.com/errata/RHSA-2014-1161.html