Bug 604752 (CVE-2010-2223) - CVE-2010-2223 vdsm: missing VM post-zeroing after removal
Summary: CVE-2010-2223 vdsm: missing VM post-zeroing after removal
Status: VERIFIED
Alias: CVE-2010-2223
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20091022,reported=20090922,sou...
Keywords: Security
Depends On: 524809 547684 604841
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-16 16:43 UTC by Petr Matousek
Modified: 2010-06-25 11:35 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the ISO image domain could not be shared with multiple Data Centers. The user had to define an independent ISO domain for each Data Center. With this update, the ISO image domain can be shared between multiple Data Centers.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0473 normal SHIPPED_LIVE Moderate: vdsm security, bug fix, and enhancement update 2010-06-22 12:44:17 UTC
Red Hat Product Errata RHSA-2010:0476 normal SHIPPED_LIVE Important: rhev-hypervisor security, bug fix, and enhancement update 2010-06-22 13:54:04 UTC

Description Petr Matousek 2010-06-16 16:43:15 UTC
A flaw was found in the way the Virtual Desktop Server Manager (VDSM) handled the removal of a virtual machine's (VM) data back end (such as an image or a volume). When removing an image or a volume, it was not securely deleted from its corresponding data domain as expected. A guest user in a new, raw VM, created in a data domain that has had VMs deleted from it, could use this flaw to read limited data from those deleted VMs, potentially disclosing sensitive information.

Comment 2 errata-xmlrpc 2010-06-22 12:44:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2010:0473 https://rhn.redhat.com/errata/RHSA-2010-0473.html

Comment 3 Mark J. Cox 2010-06-22 13:01:36 UTC
removing embargo.

Comment 4 errata-xmlrpc 2010-06-22 13:54:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2010:0476 https://rhn.redhat.com/errata/RHSA-2010-0476.html

Comment 5 Martin Prpič 2010-06-25 11:35:50 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, the ISO image domain could not be shared with multiple Data Centers. The user had to define an independent ISO domain for each Data Center. With this update, the ISO image domain can be shared between multiple Data Centers.


Note You need to log in before you can comment on or make changes to this bug.