Bug 1253882 - (CVE-2015-5201) CVE-2015-5201 RHEV: vdsm spice disable-ticketing and VM suspend and restore allows auth bypass
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150915,repor...
Keywords: Security
Duplicates: 1254661
Depends On: 1234197 1254164
Blocks: 1253883
Reported: 2015-08-14 20:36 EDT by Kurt Seifried
Modified: 2016-11-08 11:26 EST
Doc Type: Bug Fix
Last Closed: 2015-12-22 23:14:49 EST
Description Kurt Seifried 2015-08-14 20:36:01 EDT
Michal Skrivanek of Red Hat reports:

If vdsm is run with -spice disable-ticketing and a VM is suspended and then
restored, any remote user will be allowed to connect without authentication.
Comment 1 Kurt Seifried 2015-08-14 20:51:03 EDT
Acknowledgement:

This issue was discovered by Michal Skrivanek of Red Hat.
Comment 2 Kurt Seifried 2015-08-19 18:52:02 EDT
Not sure if this is going into 3.4.5.1 or 3.5.5; either way, 3.4.5 is still not out, so it's a moot point right now.
Comment 3 Kurt Seifried 2015-08-21 13:22:08 EDT
*** Bug 1254661 has been marked as a duplicate of this bug. ***
Comment 4 Kurt Seifried 2015-08-21 22:24:42 EDT
The libvirt side of this is not a security issue, but the libvirt interaction with vdsm is a problem.
Comment 5 Jaroslav Suchanek 2015-08-25 09:42:12 EDT
As for the libvirt side, all patches fixing the issue are already upstream and backported in the 7.1.z counterpart (bug 1255859).

Please advise how we should proceed. Is it possible to release the fix in the next z-stream batch release (end of 2015-09)?
Comment 6 Kurt Seifried 2015-08-27 10:59:13 EDT
(In reply to Jaroslav Suchanek from comment #5)
> As for the libvirt side, all patches fixing the issue are already upstream
> and backported in the 7.1.z counterpart (bug 1255859).
> 
> Please advise how we should proceed. Is it possible to release the fix in
> the next z-stream batch release (end of 2015-09)?

That's fine by me. I have no real say over what happens with non-security bugs, though, but obviously would appreciate this being fixed sooner rather than later.
Comment 7 Fabian Deutsch 2015-10-06 13:43:06 EDT
Michal, do you know if any additional patches from the vdsm side are required to fix this?
Comment 8 Michal Skrivanek 2015-10-09 06:37:31 EDT
No, just "Requires:" done in https://gerrit.ovirt.org/#/c/46214/ (corresponding bug 1262783)
Comment 9 Kurt Seifried 2015-12-22 23:14:49 EST
Statement:

This issue was fixed in RHSA-2015-2527 (https://rhn.redhat.com/errata/RHEA-2015-2527.html) in the rhev-hypervisor package.
