I know this is a Mandriva notice but I assume CentOS is also affected. _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:097 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : libvirt Date : May 16, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in libvirt: The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to paths under /proc//root and the virInitctlSetRunLevel function (CVE-2013-6456). libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179). The updated packages have been upgraded to the 184.108.40.206 version and patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6456 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0179 http://security.libvirt.org/2014/0003.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html _______________________________________________________________________
Best answer by shuguet
I'm not from Nutanix, so you may still want to wait for an answer (though if you realy need one, I would raise a support case to have an official statement).
But what I can tell you is that the version of libvirt deployed on the CVM does not seems to be impacted.
The CVEs you mention and the Libvirt advisories both refers to versions 1.0.1 or later of libvirt.
But the CVMs (as of the latest publicly available release, 220.127.116.11) uses the version 0.10.2:
nutanix@cvm$ ls -la /usr/lib64/libvirt.so.0lrwxrwxrwx. 1 root root 17 Apr 3 15:14 /usr/lib64/libvirt.so.0 -> libvirt.so.0.10.2
nutanix@cvm$ virsh --version=longVirsh command line tool of libvirt 0.10.2See web site at http://libvirt.org/
Compiled with support for:Hypervisors: QEMU/KVM LXC ESX TestNetworking: Remote Network Bridging Interface netcf Nwfilter VirtualPortStorage: Dir Disk Filesystem SCSI Multipath iSCSI LVMMiscellaneous: Daemon Nodedev SELinux Secrets Debug DTrace Readline
Edit: There is a dormant flaw starting at version 0.0.5, and activated after 0.7.5, that may allow denial of service. But the major threat is the privileged information disclosure, and that is only after version 1.0.0.
In any case, both flaws can only be activated via local access to the Nutanix configuration.