It was found that parsing complicated kernel version numbers leads to array index out-of-bounds exception in VersionMapper.fromKernelVersionString method. A malicious user with access to VM could configure it so that it reports a version number that causes API to crash. When the VM with crafted kernel version number is reported among with other VMs, the representation retrieving operation will fail also for all other VMs.
Created ovirt-engine-sdk-java tracking bugs for this issue:
Affects: fedora-all [bug 1321974]
Affects: epel-all [bug 1321975]
Consider closing this bug, as the issue doesn't affect any Fedora component, only the oVirt engine server side, which isn't part of fedora.