RHEL 6 : rhev 3.2.2 - vdsm (RHSA-2013:1155)

critical Nessus Plugin ID 78968

Language:

Synopsis

The remote Red Hat host is missing a security update for rhev 3.2.2 - vdsm.

Description

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:1155 advisory.

VDSM is a management module that serves as a Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor or Red Hat Enterprise Linux hosts.

It was found that the fix for CVE-2013-0167 released via RHSA-2013:0886 was incomplete. A privileged guest user could potentially use this flaw to make the host the guest is running on unavailable to the management server. (CVE-2013-4236)

This issue was found by David Gibson of Red Hat.

This update also fixes the following bugs:

* Previously, failure to move a disk produced a 'truesize' exit message, which was not informative. Now, failure to move a disk produces a more helpful error message explaining that the volume is corrupted or missing.
(BZ#985556)

* The LVM filter has been updated to only access physical volumes by full /dev/mapper paths in order to improve performance. This replaces the previous behavior of scanning all devices including logical volumes on physical volumes. (BZ#983599)

* The log collector now collects /var/log/sanlock.log from Hypervisors, to assist in debugging sanlock errors. (BZ#987042)

* When the poollist parameter was not defined, dumpStorageTable crashed, causing SOS report generation to fail with the error 'IndexError: list index out of range'. VDSM now handles this exception, so the log collector can generate host SOS reports. (BZ#985069)

* Previously, VDSM used the memAvailable parameter to report available memory on a host, which could return negative values if memory overcommitment was in use. Now, the new memFree parameter returns the actual amount of free memory on a host. (BZ#982639)

All users managing Red Hat Enterprise Linux Virtualization hosts using Red Hat Enterprise Virtualization Manager are advised to install these updated packages, which fix these issues.

These updated packages will be provided to users of Red Hat Enterprise Virtualization Hypervisor in the next rhev-hypervisor6 errata package.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL rhev 3.2.2 - vdsm package based on the guidance in RHSA-2013:1155.

Plugin Details

Severity: Critical

ID: 78968

File Name: redhat-RHSA-2013-1155.nasl

Version: 1.12

Type: local

Agent: unix

Family: Red Hat Local Security Checks

Published: 11/8/2014

Updated: 4/15/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Low

Base Score: 2.7

Temporal Score: 2

Vector: CVSS2#AV:A/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2013-4236

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:vdsm-hook-vhostmd, p-cpe:/a:redhat:enterprise_linux:vdsm-xmlrpc, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:vdsm-reg, p-cpe:/a:redhat:enterprise_linux:vdsm-cli, p-cpe:/a:redhat:enterprise_linux:vdsm, p-cpe:/a:redhat:enterprise_linux:vdsm-python

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 8/21/2013

Vulnerability Publication Date: 8/19/2013

Reference Information

CVE: CVE-2013-4236

RHSA: 2013:1155

Detections

Analytics