A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw may allow one exploited guest to access files labelled for another guest, thus breaking out of sVirt confinement.

Upstream issue: https://gitlab.com/libvirt/libvirt/-/issues/153
Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1977760]
As noted by Daniel P. Berrangé, the impact of this flaw is minor because:
1) the probability of generating a label with the same MCS category is rather small (0.2%).
2) there needs to be another guest on the same host with a category pair, one of whose categories matches the vulnerable guest configuration.
3) the attacker needs to escape from the guest with some exploit in QEMU first.
Under these circumstances this flaw will make it possible for the exploited guest to break out of sVirt confinement and impact another guest. Note that this flaw does *not* allow the exploited guest to impact the host system.
Upstream fix: https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
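An added example, not part of the bug report or of libvirt: a host-side audit that takes the SELinux labels of running guests and reports which guests lack a proper category pair and which other guests' labels dominate them. It assumes, following the upstream fix's description, that the affected labels are those where both generated categories were equal, leaving a single category; the guest names and labels below are constructed sample data.

```python
import re
from itertools import permutations

# Constructed sample: domain name -> SELinux process label, in the form
# libvirt assigns to dynamically labelled guests. Not taken from a real host.
SAMPLE_LABELS = {
    "guest-a": "system_u:system_r:svirt_t:s0:c117",
    "guest-b": "system_u:system_r:svirt_t:s0:c117,c720",
    "guest-c": "system_u:system_r:svirt_t:s0:c35,c902",
    "guest-d": "system_u:system_r:svirt_tcg_t:s0:c720,c981",
}

# Only sVirt process types at sensitivity s0 with an explicit category list.
LABEL_RE = re.compile(r"^[^:]+:[^:]+:svirt(?:_tcg)?_t:s0:(c\d+(?:,c\d+)*)$")


def categories(label):
    """Return the MCS category set of an sVirt label, or None if not one."""
    m = LABEL_RE.match(label.strip())
    if m is None:
        return None
    return frozenset(int(c[1:]) for c in m.group(1).split(","))


def audit(labels):
    """Return (degenerate, exposures).

    degenerate: guests whose label does not carry exactly two categories.
    exposures:  (reader, owner) pairs where reader's category set is a strict
                superset of owner's, so MCS dominance lets reader's confined
                QEMU process reach files labelled for owner.
    """
    cats = {n: categories(l) for n, l in labels.items()}
    cats = {n: c for n, c in cats.items() if c is not None}
    degenerate = sorted(n for n, c in cats.items() if len(c) != 2)
    exposures = sorted(
        (reader, owner)
        for reader, owner in permutations(cats, 2)
        if cats[owner] < cats[reader]
    )
    return degenerate, exposures


if __name__ == "__main__":
    bad, pairs = audit(SAMPLE_LABELS)
    print("labels without a category pair:", bad)
    for reader, owner in pairs:
        print(f"{reader} dominates {owner}")
```

A guest reported as degenerate keeps its label until it is restarted, so after updating libvirt such guests need a stop and start to receive a freshly generated pair.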
This issue has been addressed in the following products:
  Advanced Virtualization for RHEL 8.4.0.Z
Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3631
This issue has been addressed in the following products:
  Advanced Virtualization for RHEL 8.2.1
Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191