Test ID: 1.3.6.1.4.1.25623.1.0.871710
Category: Red Hat Local Security Checks
Title: RedHat Update for libvirt RHSA-2016:2577-02
Summary: The remote host is missing an update for the 'libvirt' package(s) announced via the referenced advisory.

Description:

Vulnerability Insight:
The libvirt library contains a C API for
managing and interacting with the virtualization capabilities of Linux and other
operating systems. In addition, libvirt provides tools for remote management of
virtualized systems.

The following packages have been upgraded to a newer upstream version:
libvirt (2.0.0). (BZ#830971, BZ#1286679)

Security Fix(es):

* It was found that the libvirt daemon, when using RBD (RADOS Block
Device), leaked private credentials to the process list. A local attacker
could use this flaw to perform certain privileged operations within the
cluster. (CVE-2015-5160)

* A path-traversal flaw was found in the way the libvirt daemon handled
filesystem names for storage volumes. A libvirt user with privileges to
create storage volumes and without privileges to create and modify domains
could possibly use this flaw to escalate their privileges. (CVE-2015-5313)

* It was found that setting a VNC password to an empty string in libvirt
did not disable all access to the VNC server as documented, instead it
allowed access with no authentication required. An attacker could use this
flaw to access a VNC server with an empty VNC password without any
authentication. (CVE-2016-5008)

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

Affected Software/OS:
libvirt on
Red Hat Enterprise Linux Server (v. 7)

Solution:
Please install the updated packages.

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2015-5160
RHSA-2016:2577
http://rhn.redhat.com/errata/RHSA-2016-2577.html
[oss-security] 20170721 [OSSN-0078] Ceph credentials included in logs using older versions of libvirt/qemu
http://www.openwall.com/lists/oss-security/2017/07/21/3
https://bugs.launchpad.net/ossn/+bug/1686743
https://bugzilla.redhat.com/show_bug.cgi?id=1245647
https://wiki.openstack.org/wiki/OSSN/OSSN-0079
Common Vulnerability Exposure (CVE) ID: CVE-2015-5313
90913
http://www.securityfocus.com/bid/90913
FEDORA-2015-30b347dff1
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174404.html
GLSA-201612-10
https://security.gentoo.org/glsa/201612-10
[libvirt] 20151211 [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names
https://www.redhat.com/archives/libvir-list/2015-December/msg00473.html
http://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=034e47c338b13a95cf02106a3af912c1c5f818d7
http://security.libvirt.org/2015/0004.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-5008
91562
http://www.securityfocus.com/bid/91562
DSA-3613
http://www.debian.org/security/2016/dsa-3613
FEDORA-2016-65cc608ebe
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZZMOMRXNPALA34XDF5NK363KDLAYSTL/
FEDORA-2016-7b7e16a39e
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QTQF6LXKEEMJG4VOOCIAPJAD6ACBYP4W/
USN-3576-1
https://usn.ubuntu.com/3576-1/
http://security.libvirt.org/2016/0001.html
https://bugzilla.redhat.com/show_bug.cgi?id=1180092
openSUSE-SU-2016:1809
http://lists.opensuse.org/opensuse-updates/2016-07/msg00054.html
openSUSE-SU-2016:1810
http://lists.opensuse.org/opensuse-updates/2016-07/msg00055.html
openSUSE-SU-2016:1975
http://lists.opensuse.org/opensuse-updates/2016-08/msg00024.html
Copyright: Copyright (C) 2016 Greenbone AG
