Security Bulletin: Vulnerabilities in libvirt affect PowerKVM

2018-07-0623:39:30

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

PowerKVM is affected by vulnerabilities in libvirt. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-5748 DESCRIPTION: QEMU is vulnerable to a denial of service, caused by an error in qemu/qemu_monitor.c in libvirt. By using a large QEMU reply, a local attacker could exploit this vulnerability to consume an overly large amount of memory resources.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138320 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1064 DESCRIPTION: libvirt is vulnerable to a denial of service, caused by a resource exhaustion in the QEMU monitor. A local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141312 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)