Red Hat has released an important security update for the libvirt package.
libvirt: wrong permissions in systemd admin-sock due to missing SocketMode parameter (CVE-2019-10132)
The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.
Date Reported: 03-May-2019
Fix Released On: 24-May-2019
Severity Level: Medium
Affected Packages: libvirt, virt:rhel module
Affected Operating System & Version:
- Red Hat Enterprise Linux Server 7
- Red Hat Enterprise Linux Workstation 7
- Red Hat Enterprise Linux Server 8
- Red Hat Enterprise Linux Workstation 8
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.
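As an added example (not code from Red Hat or the libvirt project), the script below checks a .socket unit file for the condition described above: when [Socket] has no SocketMode= line, systemd falls back to its default of 0666, which leaves the socket open to every local user. The sample unit contents, the /run/example paths and the 0600 value are constructed for illustration.

```shell
#!/bin/sh
# Audit systemd .socket unit files for a missing or permissive SocketMode=.
# systemd creates listening AF_UNIX sockets with mode 0666 when SocketMode= is unset.

# Print the effective SocketMode of unit file $1 (last assignment in [Socket] wins).
effective_socket_mode() {
    awk '
        /^[ \t]*\[/ { in_socket = ($0 ~ /^[ \t]*\[Socket\]/); next }
        in_socket && /^[ \t]*SocketMode[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); mode = $0
        }
        END { print (mode == "" ? "0666" : mode) }
    ' "$1"
}

# Return 0 when the mode grants any bit to "other" users, 1 when not, 2 if unparseable.
socket_world_accessible() {
    mode=$(effective_socket_mode "$1")
    case "$mode" in
        ''|*[!0-7]*) echo "unparseable SocketMode '$mode' in $1" >&2; return 2 ;;
    esac
    [ $(( 0$mode & 7 )) -ne 0 ]
}

# Constructed sample units; the ListenStream= paths are placeholders.
make_samples() {
    printf '%s\n' '[Unit]' 'Description=constructed sample, no SocketMode' \
        '[Socket]' 'ListenStream=/run/example/virtlockd-admin-sock' \
        '[Install]' 'WantedBy=sockets.target' > "$1/unfixed.socket"
    printf '%s\n' '[Unit]' 'Description=constructed sample, restricted' \
        '[Socket]' 'ListenStream=/run/example/virtlockd-admin-sock' \
        'SocketMode=0600' > "$1/fixed.socket"
}

# Report one line per unit file: EXPOSED, OK or UNKNOWN.
audit() {
    for unit in "$@"; do
        rc=0; socket_world_accessible "$unit" || rc=$?
        case $rc in
            0) echo "EXPOSED $(effective_socket_mode "$unit") $unit" ;;
            1) echo "OK $(effective_socket_mode "$unit") $unit" ;;
            *) echo "UNKNOWN $unit" ;;
        esac
    done
}

tmp=$(mktemp -d) && make_samples "$tmp" && audit "$tmp"/*.socket
rm -rf "$tmp"
```

The script reads a single unit file and does not merge drop-in overrides; on a running host, `systemctl show -p SocketMode virtlockd-admin.socket` reports the value systemd actually applies.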
Find out more about CVE-2019-10132 from the MITRE CVE dictionary.
For more details about the security issues, and other related information, refer to the CVE pages.
The virt:rhel module packages were also affected by this flaw. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.
Refer to the following link for installing security updates on Red Hat (RHEL) and CentOS systems.
Red Hat Security Advisory References:
Security Database References (CVE):
This issue is fixed in libvirt-4.5.0-10.
This update upgrades libvirt to version 4.5.0-10.
After installing the updated packages, libvirtd will be restarted automatically.