Bugzilla – Bug 1197636
VUL-0: CVE-2022-0897: libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
Last modified: 2022-09-01 11:58:37 UTC
rh#2063883

The virNWFilterObjListNumOfNWFilters method iterates over the driver->nwfilters, accessing virNWFilterObj instances. However, it fails to acquire the driver mutex, thus there is no protection to stop another thread from concurrently modifying the driver->nwfilters object. An unprivileged user could exploit this issue via libvirt API virConnectNumOfNWFilters to crash the libvirtd/virtnwfilterd daemon.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2063883
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0897
https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
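The locking pattern described in the report above, as an added example that is not libvirt code and not part of the original comment. All names (struct driver, count_filters, add_filter, remove_filter, stress_locked_count) are hypothetical stand-ins for a mutex-protected filter list; the unlocked counter is shown only beside the corrected one and is never run concurrently.

```c
#include <pthread.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the driver state; not libvirt's own types. */
struct filter { struct filter *next; };
struct driver { pthread_mutex_t lock; struct filter *filters; };

/* Racy pattern from the report: the list is walked with no lock held. */
int count_filters_unlocked(struct driver *d) {
    int n = 0;
    for (struct filter *f = d->filters; f; f = f->next) n++;
    return n;
}

/* Corrected pattern: hold the driver mutex across the whole traversal. */
int count_filters(struct driver *d) {
    pthread_mutex_lock(&d->lock);
    int n = count_filters_unlocked(d);
    pthread_mutex_unlock(&d->lock);
    return n;
}

void add_filter(struct driver *d) {
    struct filter *f = malloc(sizeof *f);
    if (!f) abort();
    pthread_mutex_lock(&d->lock);
    f->next = d->filters; d->filters = f;
    pthread_mutex_unlock(&d->lock);
}

void remove_filter(struct driver *d) {
    pthread_mutex_lock(&d->lock);
    struct filter *f = d->filters;
    if (f) d->filters = f->next;
    pthread_mutex_unlock(&d->lock);
    free(f); /* an unlocked reader could still be holding this node */
}
static void *churn(void *arg) { /* writer thread: add/remove in a loop */
    for (int i = 0; i < 100000; i++) { add_filter(arg); remove_filter(arg); }
    return NULL;
}

/* Locked counter against a concurrent writer: 1 if every count was 0 or 1. */
int stress_locked_count(void) {
    struct driver d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t; int ok = 1;
    if (pthread_create(&t, NULL, churn, &d)) return 0;
    for (int i = 0; i < 100000; i++) { int n = count_filters(&d); ok &= (n == 0 || n == 1); }
    pthread_join(t, NULL);
    return ok && count_filters(&d) == 0;
}
```

Building the same file with a thread sanitizer and swapping count_filters_unlocked into the stress loop is a way to confirm that a backport actually covers the read path.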
Upstream fix commit:
https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36

I think the following codestreams are affected:

- SUSE:SLE-11-SP4:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP3:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP4:Update

However, I am not sure for SUSE:SLE-11-SP3:Update
(In reply to Thomas Leroy from comment #1)
> Upstream fix commit:
> https://gitlab.com/libvirt/libvirt/-/commit/
> a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
>
>
> I think the following codestreams are affected:
>
> - SUSE:SLE-11-SP4:Update

AIUI, this is by customer request only. Nothing proactive.

> - SUSE:SLE-12-SP2:Update
> - SUSE:SLE-12-SP3:Update
> - SUSE:SLE-12-SP4:Update
> - SUSE:SLE-12-SP5:Update
> - SUSE:SLE-15:Update
> - SUSE:SLE-15-SP1:Update
> - SUSE:SLE-15-SP2:Update
> - SUSE:SLE-15-SP3:Update
> - SUSE:SLE-15-SP4:Update

Can this go into SP4 before GA? Is the security score high enough?

> However, I am not sure for SUSE:SLE-11-SP3:Update

Same as 11-SP4, by customer request only.
Note to self: Backport to SLE15 SP{2,3.4} done and queued in respective Devel:Virt:SLE-15-SPn project.
(In reply to James Fehlig from comment #2)
> (In reply to Thomas Leroy from comment #1)
> > Upstream fix commit:
> > https://gitlab.com/libvirt/libvirt/-/commit/
> > a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
> >
> >
> > I think the following codestreams are affected:
> >
> > - SUSE:SLE-11-SP4:Update
>
> AIUI, this is by customer request only. Nothing proactive.

11sp3 contains Teradata channels, that should get all the fixes... But 11sp4 contains only LTSS channels, where it is indeed on customer request only.

> Can this go into SP4 before GA? Is the security score high enough?

I think you can only submit to GA, and the fix will go to SP4 from GA after that :)

The CVSS is 5.5, so this is not an LTSS-worthy bug. You can skip the codestreams that *only* contain LTSS channels.
(In reply to Thomas Leroy from comment #4)
> 11sp3 contains Teradata channels, that should get all the fixes...
...
> The CVSS is 5.5, so this is not an LTSS-worthy bug. You can skip the
> codestreams that *only* contain LTSS channels.

So just to be clear, that means this fix is only needed for the following code streams?

- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP4:GA

Or perhaps a better question: How do I determine "codestreams that *only* contain LTSS channels"?

FYI, already submitted for SP4:GA along with another bug fix
https://build.suse.de/request/show/268802
I've backported the patch all around and submitted an updated libvirt package to SUSE:SLE-11-SP3:Update, SUSE:SLE-12-SP3:Update, SUSE:SLE-12-SP5:Update, and SUSE:SLE-15-SP3:Update. That should do it for me. Passing to the security team.
SUSE-SU-2022:1540-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1191668,1197636
CVE References: CVE-2022-0897
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libvirt-5.1.0-13.31.1
SUSE Linux Enterprise Server 12-SP5 (src): libvirt-5.1.0-13.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1549-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1193364,1196625,1197636
CVE References: CVE-2022-0897
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libvirt-7.1.0-150300.6.29.1
openSUSE Leap 15.3 (src): libvirt-7.1.0-150300.6.29.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): libvirt-7.1.0-150300.6.29.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): libvirt-7.1.0-150300.6.29.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libvirt-7.1.0-150300.6.29.1
SUSE Linux Enterprise Micro 5.2 (src): libvirt-7.1.0-150300.6.29.1
SUSE Linux Enterprise Micro 5.1 (src): libvirt-7.1.0-150300.6.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The following are LTSS-only, so since CVSS is < 7, setting to Won't Fix:

- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update

Everything else is released, so all done. Closing.