Executive Summary
Summary | |
---|---|
Title | libvirt vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1152-1 | First vendor Publication | 2011-06-16 |
Vendor | Ubuntu | Last vendor Modification | 2011-06-16 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:S/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.4 | Attack Range | Local |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 2.7 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Libvirt could be made to crash or read arbitrary files on the host. Software Description: - libvirt: Libvirt virtualization toolkit Details: It was discovered that libvirt did not use thread-safe error reporting. A remote attacker could exploit this to cause a denial of service via application crash. (CVE-2011-1486) Eric Blake discovered that libvirt had an off-by-one error which could be used to reopen disk probing and bypass the fix for CVE-2010-2238. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 11.04. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. (CVE-2011-2178) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: Ubuntu 10.10: Ubuntu 10.04 LTS: In general, a standard system update will make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1152-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13022 | |||
Oval ID: | oval:org.mitre.oval:def:13022 | ||
Title: | DSA-2280-1 libvirt -- several | ||
Description: | It was discovered that libvirt, a library for interfacing with different virtualization systems, is prone to an integer overflow. Additionally, the stable version is prone to a denial of service, because its error reporting is not thread-safe. For the stable distribution, these problems have been fixed in version 0.8.3-5+squeeze2. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2280-1 CVE-2011-2511 CVE-2011-1486 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13975 | |||
Oval ID: | oval:org.mitre.oval:def:13975 | ||
Title: | USN-1152-1 -- libvirt vulnerabilities | ||
Description: | libvirt: Libvirt virtualization toolkit Libvirt could be made to crash or read arbitrary files on the host. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1152-1 CVE-2011-1486 CVE-2010-2238 CVE-2011-2178 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 10.04 Ubuntu 10.10 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21916 | |||
Oval ID: | oval:org.mitre.oval:def:21916 | ||
Title: | RHSA-2011:0478: libvirt security update (Moderate) | ||
Description: | libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0478-01 CESA-2011:0478 CVE-2011-1486 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21945 | |||
Oval ID: | oval:org.mitre.oval:def:21945 | ||
Title: | RHSA-2011:0479: libvirt security and bug fix update (Moderate) | ||
Description: | libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0479-01 CVE-2011-1486 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | libvirt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22520 | |||
Oval ID: | oval:org.mitre.oval:def:22520 | ||
Title: | ELSA-2011:0478: libvirt security update (Moderate) | ||
Description: | libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0478-01 CVE-2011-1486 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23542 | |||
Oval ID: | oval:org.mitre.oval:def:23542 | ||
Title: | ELSA-2011:0479: libvirt security and bug fix update (Moderate) | ||
Description: | libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0479-01 CVE-2011-1486 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | libvirt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27967 | |||
Oval ID: | oval:org.mitre.oval:def:27967 | ||
Title: | DEPRECATED: ELSA-2011-0479 -- libvirt security and bug fix update (moderate) | ||
Description: | [0.8.1-27.0.1.el6_0.6] - Replace docs/et.png in tarball with blank image [0.8.1-27.el6_0.6] - Properly initialize supplementary groups for qemu process (rhbz#668692) - Make error reporting in libvirtd thread safe (CVE-2011-1486) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0479 CVE-2011-1486 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | libvirt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27997 | |||
Oval ID: | oval:org.mitre.oval:def:27997 | ||
Title: | DEPRECATED: ELSA-2011-0478 -- libvirt security update (moderate) | ||
Description: | [0.8.2-15.0.1.el5_6.4] - Replaced docs/et.png in tarball [0.8.2-15.el5_6.4] - Make error reporting in libvirtd thread safe (CVE-2011-1486) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0478 CVE-2011-1486 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | libvirt |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for libvirt CESA-2011:0478 centos5 x86_64 File : nvt/gb_CESA-2011_0478_libvirt_centos5_x86_64.nasl |
2012-06-06 | Name : RedHat Update for libvirt RHSA-2011:0479-01 File : nvt/gb_RHSA-2011_0479-01_libvirt.nasl |
2012-03-12 | Name : Gentoo Security Advisory GLSA 201202-07 (libvirt) File : nvt/glsa_201202_07.nasl |
2011-08-09 | Name : CentOS Update for libvirt CESA-2011:0478 centos5 i386 File : nvt/gb_CESA-2011_0478_libvirt_centos5_i386.nasl |
2011-08-03 | Name : Debian Security Advisory DSA 2280-1 (libvirt) File : nvt/deb_2280_1.nasl |
2011-07-27 | Name : Fedora Update for libvirt FEDORA-2011-9062 File : nvt/gb_fedora_2011_9062_libvirt_fc14.nasl |
2011-07-18 | Name : Fedora Update for libvirt FEDORA-2011-9091 File : nvt/gb_fedora_2011_9091_libvirt_fc15.nasl |
2011-06-20 | Name : Ubuntu Update for libvirt USN-1152-1 File : nvt/gb_ubuntu_USN_1152_1.nasl |
2011-04-21 | Name : Fedora Update for libvirt FEDORA-2011-4870 File : nvt/gb_fedora_2011_4870_libvirt_fc13.nasl |
2011-04-19 | Name : Fedora Update for libvirt FEDORA-2011-4896 File : nvt/gb_fedora_2011_4896_libvirt_fc14.nasl |
2010-11-16 | Name : Ubuntu Update for libvirt regression USN-1008-4 File : nvt/gb_ubuntu_USN_1008_4.nasl |
2010-10-26 | Name : Ubuntu Update for libvirt update USN-1008-3 File : nvt/gb_ubuntu_USN_1008_3.nasl |
2010-10-22 | Name : Ubuntu Update for libvirt vulnerabilities USN-1008-1 File : nvt/gb_ubuntu_USN_1008_1.nasl |
2010-10-22 | Name : Ubuntu Update for virtinst update USN-1008-2 File : nvt/gb_ubuntu_USN_1008_2.nasl |
2010-07-30 | Name : Fedora Update for libvirt FEDORA-2010-10960 File : nvt/gb_fedora_2010_10960_libvirt_fc13.nasl |
2010-07-30 | Name : Fedora Update for libvirt FEDORA-2010-11021 File : nvt/gb_fedora_2010_11021_libvirt_fc12.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
74559 | libvirt security/security_manager.c virSecurityManagerGetPrivateData Function... |
72643 | libvirt libvirtd Multiple Thread Error Reporting Remote DoS libvirtd in libvirt contains a flaw that may allow a remote denial of service. The issue is triggered when multiple threads report errors simultaneously, and will result in loss of availability for the service. |
67298 | libvirt on Red Hat Disk Backing-store Format Disk-image Backing Stores Recurs... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_xen-201105-110510.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_libvirt-110614.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_libvirt-110407.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_xen-201105-110510.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libvirt-110407.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libvirt-100810.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0478.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0479.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0478.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110502_libvirt_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-02-28 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201202-07.nasl - Type : ACT_GATHER_INFO |
2011-07-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2280.nasl - Type : ACT_GATHER_INFO |
2011-07-12 | Name : The remote Fedora host is missing a security update. File : fedora_2011-9091.nasl - Type : ACT_GATHER_INFO |
2011-06-17 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1152-1.nasl - Type : ACT_GATHER_INFO |
2011-06-01 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_xen-201105-110505.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0478.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libvirt-110407.nasl - Type : ACT_GATHER_INFO |
2011-05-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0479.nasl - Type : ACT_GATHER_INFO |
2011-04-19 | Name : The remote Fedora host is missing a security update. File : fedora_2011-4870.nasl - Type : ACT_GATHER_INFO |
2011-04-18 | Name : The remote Fedora host is missing a security update. File : fedora_2011-4964.nasl - Type : ACT_GATHER_INFO |
2011-04-12 | Name : The remote Fedora host is missing a security update. File : fedora_2011-4896.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libvirt-100819.nasl - Type : ACT_GATHER_INFO |
2010-11-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-4.nasl - Type : ACT_GATHER_INFO |
2010-10-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-3.nasl - Type : ACT_GATHER_INFO |
2010-10-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-1.nasl - Type : ACT_GATHER_INFO |
2010-10-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1008-2.nasl - Type : ACT_GATHER_INFO |
2010-09-17 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libvirt-100730.nasl - Type : ACT_GATHER_INFO |
2010-07-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-11021.nasl - Type : ACT_GATHER_INFO |
2010-07-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-10960.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:58:42 |
|