Bugzilla – Bug 1139671
VUL-0: CVE-2019-12929: kvm,qemu: qemu: QEMU guest agent guest_exec command execution
Last modified: 2019-10-24 08:55:16 UTC
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
SLE 12 SP2 qemu and newer.
This one has also been modified as "DISPUTED".
Red Hat thought the Guest Agent should be used by trusted users and applications. TCP server socket is the only transport option supported by QMP, local UNIX socket could not used and more secure.
If one could run the 'guest_exec' command, it means the user already has access to the VM, so it should not be a security issue, or say the security issue already existed.
On the other side, with a local Unix socket for libvirt, the socket also has the same user as the qemu process managed by libvirt. Libvirt also provides a unique per-VM sVirt label to distinguish users even if they have the same system user-id.
We agree with the dispute.
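The dispute above turns on which transport carries the QMP or guest-agent channel. The following added example (not part of the bug report and not QEMU or libvirt code; the function names and the sample command line are constructed for illustration) lists every control channel on a QEMU command line with its transport, so that TCP-exposed ones can be reviewed.

```python
import shlex

def parse_opts(spec):
    """'socket,id=m0,host=::,port=4444,server' -> ('socket', {'id': 'm0', ...})."""
    head, *rest = spec.split(",")
    return head, dict(item.partition("=")[::2] for item in rest)

def audit_control_channels(cmdline):
    """Return (channel, transport, endpoint) for QMP monitors and guest-agent ports."""
    argv = shlex.split(cmdline)
    pairs = list(zip(argv, argv[1:]))            # candidate (flag, value) pairs
    chardevs = {}                                # chardev id -> (transport, endpoint)
    for flag, value in pairs:
        if flag != "-chardev":
            continue
        backend, opts = parse_opts(value)
        if backend == "socket" and "path" in opts:
            chardevs[opts.get("id")] = ("unix", opts["path"])
        elif backend == "socket":
            chardevs[opts.get("id")] = ("tcp", f"{opts.get('host', '')}:{opts.get('port', '')}")
        else:
            chardevs[opts.get("id")] = (backend, "")
    found = []
    for flag, value in pairs:
        head, opts = parse_opts(value)
        if flag == "-qmp":                       # shorthand: tcp:host:port or unix:/path
            kind, _, endpoint = head.partition(":")
            found.append(("qmp", kind, endpoint))
        elif flag == "-mon":                     # -mon [chardev=]name,mode=control
            name = head.partition("=")[2] or head
            if opts.get("mode") == "control" and name in chardevs:
                found.append(("qmp", *chardevs[name]))
        elif flag == "-device":                  # virtio-serial port used by the guest agent
            if opts.get("name", "").startswith("org.qemu.guest_agent") \
                    and opts.get("chardev") in chardevs:
                found.append(("guest-agent", *chardevs[opts["chardev"]]))
    return found

def network_reachable(found):
    """Channels bound to a TCP socket rather than a local UNIX socket."""
    return [entry for entry in found if entry[1] == "tcp"]

# Constructed sample command line, not taken from any real host.
SAMPLE = ("qemu-system-x86_64 -m 2048 -qmp tcp:0.0.0.0:4444,server,nowait "
          "-chardev socket,id=mon1,path=/var/lib/libvirt/qemu/vm1.monitor,server,nowait "
          "-mon chardev=mon1,mode=control "
          "-chardev socket,id=qga0,host=0.0.0.0,port=5555,server,nowait "
          "-device virtio-serial "
          "-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0")

if __name__ == "__main__":
    for entry in audit_control_channels(SAMPLE):
        print(entry)
```

On a live host the command line of a running guest can be read from `/proc/<pid>/cmdline` and passed to `audit_control_channels` after replacing the NUL separators with spaces.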