Red Hat Bugzilla – Bug 1253882
CVE-2015-5201 RHEV: vdsm spice disable-ticketing and VM suspend and restore allows auth bypass
Last modified: 2016-11-08 11:26:36 EST
Michal Skrivanek of Red Hat reports:
If vdsm is run with -spice disable-ticketing and a VM is suspended and then
restored, any remote user will be allowed to connect without authentication.
This issue was discovered by Michal Skrivanek of Red Hat.
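A host-side check for the setting named in the report, as an added example that is not part of the original bug report or of vdsm/libvirt: it parses QEMU command lines and reports every `-spice` display that has `disable-ticketing` set, along with whether the listener is reachable from other hosts. The function names and the sample command lines are constructed for illustration.

```python
import ipaddress
import shlex

TRUE_VALUES = {"on", "yes", "true", "y"}

def parse_spice_opts(optstr):
    """Split a QEMU -spice option string into a dict; bare flags become 'on'."""
    opts = {}
    # QEMU writes a literal comma inside a value as ',,'; protect it while splitting.
    for part in optstr.replace(",,", "\0").split(","):
        if part:
            key, sep, value = part.replace("\0", ",").partition("=")
            opts[key] = value if sep else "on"
    return opts

def exposure(opts):
    """Classify who can reach the listener: 'local' or 'remote'."""
    if opts.get("unix", "off") in TRUE_VALUES:
        return "local"                      # addr is a UNIX socket path
    addr = opts.get("addr")
    if not addr:
        return "remote"                     # no addr given: listens on all addresses
    try:
        return "local" if ipaddress.ip_address(addr).is_loopback else "remote"
    except ValueError:
        return "remote"                     # hostname: assume reachable (conservative)

def unauthenticated_spice(cmdline):
    """Return one finding per -spice display that has ticketing disabled."""
    argv = shlex.split(cmdline)
    findings = []
    for flag, value in zip(argv, argv[1:]):
        if flag != "-spice":
            continue
        opts = parse_spice_opts(value)
        if opts.get("disable-ticketing", "off") in TRUE_VALUES:
            findings.append({"port": opts.get("port") or opts.get("tls-port"),
                             "exposure": exposure(opts)})
    return findings

# Constructed sample command lines (not taken from the bug report).
SAMPLES = {
    "vm-a": "qemu-kvm -name vm-a -spice port=5900,addr=0.0.0.0,disable-ticketing",
    "vm-b": "qemu-kvm -name vm-b -spice tls-port=5901,addr=10.0.0.5",
    "vm-c": "qemu-kvm -name vm-c -spice port=5902,addr=127.0.0.1,disable-ticketing=on",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, unauthenticated_spice(cmd))
```

On a live hypervisor the same function can be fed the contents of `/proc/<pid>/cmdline` for each QEMU process, with the NUL separators replaced by spaces and quoting preserved.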
not sure if this is going into 220.127.116.11 or 3.5.5, either way 3.4.5 is still not out so it's a moot point right now.
*** Bug 1254661 has been marked as a duplicate of this bug. ***
The libvirt side of this is not a security issue, but the libvirt interaction with vdsm is a problem.
As for the libvirt side, all patches fixing the issue are already upstream and backported in the 7.1.z counterpart (bug 1255859).
Please advise how we should proceed. Is it possible to release the fix in the next z-stream batch release (end of 2015-09)?
(In reply to Jaroslav Suchanek from comment #5)
> As for the libvirt side, all patches fixing the issue are already upstream
> and backported in the 7.1.z counterpart (bug 1255859).
> Please advise how we should proceed. Is it possible to release the fix in
> the next z-stream batch release (end of 2015-09)?
That's fine by me, I have no real say over what happens with non security bugs though, but obviously would appreciate this being fixed sooner rather than later.
Michal, do you know if any additional patches from the vdsm side are required to fix this?
no, just "Requires:" done in https://gerrit.ovirt.org/#/c/46214/ (corresponding bug 1262783)
This issue was fixed in RHSA-2015-2527 (https://rhn.redhat.com/errata/RHEA-2015-2527.html) in the rhev-hypervisor package.