Bugzilla – Bug 1187871
VUL-1: CVE-2021-3631: libvirt: insecure sVirt label generation
Last modified: 2021-11-12 10:21:01 UTC
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw may allow one exploited guest to access files labelled for another guest, thus breaking out of sVirt confinement. Upstream issue: https://gitlab.com/libvirt/libvirt/-/issues/153 References: https://bugzilla.redhat.com/show_bug.cgi?id=1977726 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3631
This vulnerability has not yet been addressed by the upstream. As soon as a patch will be ready I will update this issue.
In theory this vulnerability does not affect SUSE since we don't use selinux. In practice we provide enough selinux that someone could piece together an environment protected by selinux, but I'm not aware of any such environments and have never seen a libvirt+selinux bug against SUSE distros.
The fix for this issue should be pushed to libvirt.git master shortly https://listman.redhat.com/archives/libvir-list/2021-June/msg00831.html
Affected packages: - SUSE:SLE-15-SP2:Update/libvirt 6.0.0 - SUSE:SLE-15-SP3:Update/libvirt 7.1.0 - openSUSE:Factory/libvirt 7.4.0 Upstream patch [0]. [0] https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2.patch
Do we even care about this fix? As per my comment in #2, it seems more like a WONTFIX or INVALID.
(In reply to James Fehlig from comment #5) > Do we even care about this fix? As per my comment in #2, it seems more like > a WONTFIX or INVALID. Hi James, Since we can't be sure about our customer's environments and because we do ship both SELinux and libvirt, then we need to ensure its safety in any possible configuration. Please submit the patch for the affected packages I mentioned in comment 4.
This bugs has been fixed in version 7.5.0.
7.5.0 has already hit Factory. I've submitted MR for SLE15 SP2 (#244295) and SLE15 SP3 (#244296). Passing the bug to security-team now...
SUSE-SU-2021:2471-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1184253,1187871 CVE References: CVE-2021-3631 JIRA References: Sources used: SUSE MicroOS 5.0 (src): libvirt-6.0.0-13.16.2 SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): libvirt-6.0.0-13.16.2 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libvirt-6.0.0-13.16.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1119-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1184253,1187871 CVE References: CVE-2021-3631 JIRA References: Sources used: openSUSE Leap 15.2 (src): libvirt-6.0.0-lp152.9.12.1
# maintenance_jira_update_notice openSUSE-SU-2021:2812-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1184253,1187871,1188232,1188843 CVE References: CVE-2021-3631,CVE-2021-3667 JIRA References: Sources used: openSUSE Leap 15.3 (src): libvirt-7.1.0-6.5.1
# maintenance_jira_update_notice SUSE-SU-2021:2812-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1184253,1187871,1188232,1188843 CVE References: CVE-2021-3631,CVE-2021-3667 JIRA References: Sources used: SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): libvirt-7.1.0-6.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libvirt-7.1.0-6.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released