CVE-2014-5177

Impact:
Moderate
Public Date:
2014-05-06
CWE:
CWE-611
Bugzilla:
1088290: CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read
It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
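The parsing pattern described above, reproduced as an added example that is not libvirt's or libxml2's code: Python's standard-library expat bindings stand in for libxml2, and an installed ExternalEntityRefHandler stands in for XML_PARSE_NOENT (expat only resolves an external entity when the caller installs such a handler, so leaving it out corresponds to libvirt dropping the flag). The element names, the file contents, the `load_external_entity` loader and the `demo()` driver are constructed for the demonstration and are assumptions of this example, not behaviour documented for libvirt.

```python
"""Added example (not libvirt code): XXE via entity expansion, vulnerable vs. fixed.

A document the attacker controls declares an external entity pointing at a
local file and references it in element content.  With expansion enabled the
file contents end up in the parsed tree (arbitrary file read); pointed at a
FIFO or another file that blocks on read, the expanding parser hangs (DoS).
"""
import os
import tempfile
import xml.parsers.expat as expat


def parse_text(xml_bytes, expand_external_entities=False, allow_doctype=True):
    """Return the concatenated character data of the document.

    expand_external_entities=True  -> analogue of libxml2 with XML_PARSE_NOENT
    expand_external_entities=False -> analogue of the fix: the reference is
                                      left unexpanded (expat silently skips it)
    allow_doctype=False            -> stricter policy: refuse any DOCTYPE, so
                                      no entity can even be declared
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if not allow_doctype:
        def reject_doctype(name, sysid, pubid, has_internal_subset):
            raise ValueError("DOCTYPE not allowed in untrusted input")
        parser.StartDoctypeDeclHandler = reject_doctype

    if expand_external_entities:
        def load_external_entity(context, base, system_id, public_id):
            # Naive local loader, assumed here to mirror what a default entity
            # loader does with file URIs.  open() on a FIFO with no writer
            # blocks forever at this point: that is the libvirtd hang.
            path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
            with open(path, "rb") as fh:
                content = fh.read()
            # The child parser inherits our handlers, so the file's text is
            # delivered through CharacterDataHandler like any other content.
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(content, True)
            return 1
        parser.ExternalEntityRefHandler = load_external_entity

    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def xxe_document(path):
    """Constructed attacker-controlled document referencing a local file."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE domain [<!ENTITY leak SYSTEM "file://' + path.encode() + b'">]>\n'
            b'<domain><name>&leak;</name></domain>')


def demo():
    """Run the three parser policies against the same constructed document."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(b"secret-uuid-0123\n")  # constructed stand-in for a host file
        secret = fh.name
    fifo_safe = True  # stays True where FIFOs are unavailable (check skipped)
    try:
        doc = xxe_document(secret)
        leaked = parse_text(doc, expand_external_entities=True)   # file read
        unexpanded = parse_text(doc)                               # fixed
        try:
            parse_text(doc, allow_doctype=False)                   # strict
            rejected = False
        except ValueError:
            rejected = True
        # DoS variant: a FIFO with no writer blocks any reader.  Only the
        # non-expanding parser can be pointed at it here without hanging.
        if hasattr(os, "mkfifo"):
            fifo = secret + ".fifo"
            os.mkfifo(fifo)
            try:
                fifo_safe = parse_text(xxe_document(fifo)) == ""
            finally:
                os.unlink(fifo)
        return leaked, unexpanded, rejected, fifo_safe
    finally:
        os.unlink(secret)


if __name__ == "__main__":
    print(demo())
```

The non-expanding parser is enough to close both the file read and the hang, because no I/O happens for an unresolved reference; rejecting DOCTYPE outright is the stricter policy to prefer when the input format never legitimately needs a DTD, as libvirt's domain XML does not.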

Find out more about CVE-2014-5177 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the versions of libvirt as shipped with Red Hat Enterprise Linux 5; however, the impact there is limited to denial of service, since that version does not support fine-grained access control. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v2 metrics

Base Score 3.3
Base Metrics AV:A/AC:L/Au:N/C:N/I:N/A:P
Access Vector Adjacent Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (libvirt) RHSA-2014:0914 2014-07-22

Affected Packages State

Platform Package State
Red Hat Gluster Storage 2.1 libvirt Will not fix
Red Hat Gluster Storage 2.0 libvirt Will not fix
Red Hat Enterprise Linux 6 libvirt Will not fix
Red Hat Enterprise Linux 5 libvirt Fix deferred

Acknowledgements

Red Hat would like to thank the upstream Libvirt project for reporting this issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the original reporters.
