RHEL 6 : rhev 3.2.2 - vdsm (RHSA-2013:1155)

low Nessus Plugin ID 78968

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated vdsm packages that fix one security issue and various bugs are now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

[Updated 21 August 2013] The packages list in this erratum has been updated to include missing packages for the 'Red Hat Enterprise Virt Management Agent (v 6 x86_64)' channel (also known as 'rhel-x86_64-rhev-mgmt-agent-6'). No changes have been made to the original packages.

VDSM is a management module that serves as a Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor or Red Hat Enterprise Linux hosts.

It was found that the fix for CVE-2013-0167 released via RHSA-2013:0886 was incomplete. A privileged guest user could potentially use this flaw to make the host the guest is running on unavailable to the management server. (CVE-2013-4236)

This issue was found by David Gibson of Red Hat.

This update also fixes the following bugs :

* Previously, failure to move a disk produced a 'truesize' exit message, which was not informative. Now, failure to move a disk produces a more helpful error message explaining that the volume is corrupted or missing. (BZ#985556)

* The LVM filter has been updated to only access physical volumes by full /dev/mapper paths in order to improve performance. This replaces the previous behavior of scanning all devices including logical volumes on physical volumes. (BZ#983599)

* The log collector now collects /var/log/sanlock.log from Hypervisors, to assist in debugging sanlock errors. (BZ#987042)

* When the poollist parameter was not defined, dumpStorageTable crashed, causing SOS report generation to fail with the error 'IndexError: list index out of range'. VDSM now handles this exception, so the log collector can generate host SOS reports.
(BZ#985069)

* Previously, VDSM used the memAvailable parameter to report available memory on a host, which could return negative values if memory overcommitment was in use. Now, the new memFree parameter returns the actual amount of free memory on a host. (BZ#982639)

All users managing Red Hat Enterprise Linux Virtualization hosts using Red Hat Enterprise Virtualization Manager are advised to install these updated packages, which fix these issues.

These updated packages will be provided to users of Red Hat Enterprise Virtualization Hypervisor in the next rhev-hypervisor6 errata package.

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2013:0886

https://access.redhat.com/errata/RHSA-2013:1155

https://access.redhat.com/security/cve/cve-2013-4236

Plugin Details

Severity: Low

ID: 78968

File Name: redhat-RHSA-2013-1155.nasl

Version: 1.11

Type: local

Agent: unix

Published: 11/8/2014

Updated: 1/14/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

CVSS v2

Risk Factor: Low

Base Score: 2.7

Vector: CVSS2#AV:A/AC:L/Au:S/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:vdsm, p-cpe:/a:redhat:enterprise_linux:vdsm-cli, p-cpe:/a:redhat:enterprise_linux:vdsm-debuginfo, p-cpe:/a:redhat:enterprise_linux:vdsm-hook-vhostmd, p-cpe:/a:redhat:enterprise_linux:vdsm-python, p-cpe:/a:redhat:enterprise_linux:vdsm-reg, p-cpe:/a:redhat:enterprise_linux:vdsm-xmlrpc, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 8/21/2013

Vulnerability Publication Date: 8/19/2013

Reference Information

CVE: CVE-2013-4236

RHSA: 2013:1155