Bug 1131595 - (CVE-2019-3886) VUL-0: CVE-2019-3886: libvirt: virsh domhostname command discloses guest hostname in readonly mode
(CVE-2019-3886)
VUL-0: CVE-2019-3886: libvirt: virsh domhostname command discloses guest host...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/228875/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-04 17:08 UTC by Alexandros Toptsoglou
Modified: 2020-07-10 13:47 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-04-04 17:08:01 UTC
A vulnerability was found in libvirt versions >= 4.8.0. An information exposure allows to retrieve the guest hostname under readonly mode


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1692619

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1694880
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3886
Comment 1 Alexandros Toptsoglou 2019-04-04 17:19:24 UTC
Two patches [1] [2] that fix the issues are available. 
After a code review it seems that all our codestreams are affected from SLE-11-SP3 and on. Before SLE11SP3 I failed to locate the vulnerable function. 
In SLE11-SP3, I am not sure whether [2] can be applied.  
In libvirt 1.0.5 and 1.2.5 the  virDomainGetHostname function is located in the file libvirt.c. 
In the rest vulnerable versions is located in libvirt-domain.c

[1] https://www.redhat.com/archives/libvir-list/2019-April/msg00340.html
[2] https://www.redhat.com/archives/libvir-list/2019-April/msg00341.html
Comment 2 James Fehlig 2019-04-04 22:28:02 UTC
From what I've read thus far, only libvirt >= 4.8.0 is affected, which means only TW and SLE15 SP1 are affected. I'll verify this later.
Comment 3 James Fehlig 2019-04-05 17:34:38 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> After a code review it seems that all our codestreams are affected from
> SLE-11-SP3 and on. Before SLE11SP3 I failed to locate the vulnerable
> function.

You are correct. The virDomainGetHostname API was introduced in libvirt 0.10.0 and virDomainGetTime in 1.2.5. I'm not sure why the RH bug and CVE claim 4.8.0 and above. That's nonsense.

> In SLE11-SP3, I am not sure whether [2] can be applied. 

No, it is not needed. Support for fine-grained ACL was added in libvirt 1.1.0.
 
> In libvirt 1.0.5 and 1.2.5 the  virDomainGetHostname function is located in
> the file libvirt.c. 
> In the rest vulnerable versions is located in libvirt-domain.c

libvirt.c was becoming unwieldy and was split into several libvirt-*.c files.

I'll backport the patches, where necessary, to all affected products. Thanks for the analysis!
Comment 12 Swamp Workflow Management 2019-04-15 13:14:06 UTC
SUSE-SU-2019:0948-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1081516,1102604,1112182,1120813,1125665,1126325,1127458,1131595
CVE References: CVE-2019-3840,CVE-2019-3886
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libvirt-4.0.0-8.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    libvirt-4.0.0-8.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libvirt-4.0.0-8.9.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-04-29 13:12:48 UTC
openSUSE-SU-2019:1294-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1120813,1126325,1127458,1131595,1131955
CVE References: CVE-2019-3840,CVE-2019-3886
Sources used:
openSUSE Leap 42.3 (src):    libvirt-3.3.0-24.1
Comment 15 Swamp Workflow Management 2019-05-17 22:09:13 UTC
SUSE-SU-2019:1285-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1131595
CVE References: CVE-2019-3886
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    libvirt-4.0.0-9.19.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libvirt-4.0.0-9.19.4
SUSE Linux Enterprise Module for Basesystem 15 (src):    libvirt-4.0.0-9.19.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-05-21 06:20:16 UTC
SUSE-SU-2019:1042-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1120813,1126325,1127458,1131595,1131955
CVE References: CVE-2019-3840,CVE-2019-3886
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libvirt-3.3.0-5.30.1
SUSE Linux Enterprise Server 12-SP3 (src):    libvirt-3.3.0-5.30.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libvirt-3.3.0-5.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-06-06 19:11:23 UTC
SUSE-SU-2019:1438-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1131595,1135273
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2019-11091,CVE-2019-3886
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.54.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.54.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.54.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.54.1
SUSE Enterprise Storage 4 (src):    libvirt-2.0.0-27.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-06-21 13:23:36 UTC
SUSE-SU-2019:14097-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1131595,1138301
CVE References: CVE-2019-10161,CVE-2019-3886
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libvirt-1.2.5-23.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvirt-1.2.5-23.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Alexandros Toptsoglou 2020-07-10 13:47:20 UTC
Done