CVE-2014-0179
It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
Find out more about CVE-2014-0179 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux 5, however the impact is limited to denial of service since it does not support fine grained access control. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v2 metrics
| Base Score | 3.3 |
|---|---|
| Base Metrics | AV:A/AC:L/Au:N/C:N/I:N/A:P |
| Access Vector | Adjacent Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (libvirt) | RHSA-2014:0560 | 2014-05-27 |
| Red Hat Enterprise Linux 7 (libvirt) | RHSA-2014:0914 | 2014-07-22 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Gluster Storage 2.1 | libvirt | Will not fix |
| Red Hat Gluster Storage 2.0 | libvirt | Will not fix |
| Red Hat Enterprise Linux 5 | libvirt | Fix deferred |