Bug 1253882 (CVE-2015-5201) - CVE-2015-5201 RHEV: vdsm spice disable-ticketing and VM suspend and restore allows auth bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5201
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1254661
Depends On: 1234197 1254164
Blocks: 1253883
Reported: 2015-08-15 00:36 UTC by Kurt Seifried
Modified: 2023-05-12 14:09 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-23 04:14:49 UTC
Embargoed:



Description Kurt Seifried 2015-08-15 00:36:01 UTC
Michal Skrivanek of Red Hat reports:

If vdsm is run with -spice disable-ticketing and a VM is suspended and then
restored, any remote user will be allowed to connect without authentication.

Comment 1 Kurt Seifried 2015-08-15 00:51:03 UTC
Acknowledgement:

This issue was discovered by Michal Skrivanek of Red Hat.

Comment 2 Kurt Seifried 2015-08-19 22:52:02 UTC
Not sure if this is going into 3.4.5.1 or 3.5.5, either way 3.4.5 is still not out so it's a moot point right now.

Comment 3 Kurt Seifried 2015-08-21 17:22:08 UTC
*** Bug 1254661 has been marked as a duplicate of this bug. ***

Comment 4 Kurt Seifried 2015-08-22 02:24:42 UTC
The libvirt side of this is not a security issue, but the libvirt interaction with vdsm is a problem.

Comment 5 Jaroslav Suchanek 2015-08-25 13:42:12 UTC
As for the libvirt side, all patches fixing the issue are already upstream and backported in the 7.1.z counterpart (bug 1255859).

Please advise how we should proceed. Is it possible to release the fix in the next z-stream batch release (end of 2015-09)?

Comment 6 Kurt Seifried 2015-08-27 14:59:13 UTC
(In reply to Jaroslav Suchanek from comment #5)
> As for the libvirt side, all patches fixing the issue are already upstream
> and backported in the 7.1.z counterpart (bug 1255859).
> 
> Please advise how we should proceed. Is it possible to release the fix in
> the next z-stream batch release (end of 2015-09)?

That's fine by me, I have no real say over what happens with non security bugs though, but obviously would appreciate this being fixed sooner rather than later.

Comment 7 Fabian Deutsch 2015-10-06 17:43:06 UTC
Michal, do you know if any additional patches from the vdsm side are required to fix this?

Comment 8 Michal Skrivanek 2015-10-09 10:37:31 UTC
No, just "Requires:" done in https://gerrit.ovirt.org/#/c/46214/ (corresponding bug 1262783)

Comment 9 Kurt Seifried 2015-12-23 04:14:49 UTC
Statement:

This issue was fixed in RHSA-2015-2527 (https://rhn.redhat.com/errata/RHEA-2015-2527.html) in the rhev-hypervisor package.

