Starting with version 6.2.0, libvirt makes it possible to pass one or more cookies to access disk images via http/https network protocols: <disk type="network" device="cdrom"> <source protocol="https" name="/path/to/image.iso"> <cookies> <cookie name="cookie_name">"cookie_value"</cookie> </cookies> </disk> The 'cookie' element is included in the XML dump of the guest domain, resulting in a possible information disclosure. An attacker could abuse this flaw to leak the cookie's value via the virsh dumpxml command. Since cookies typically contain sensitive information, they should only be included in the XML dump when using the --security-info attribute. Upstream fix: https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979 https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5
Acknowledgments: Name: Han Han (Red Hat)
Statement: Support for cookies for HTTP based disks was introduced in `libvirt` upstream version 6.2.0. Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue, as they ship older versions of the `libvirt` package. Red Hat Enterprise Linux Advanced Virtualization 8 is the only affected product.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14301
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676