CVE-2010-2239
First published: Thu Jun 24 2010(Updated: )
It was found that libvirt did not explicitly set the user defined backing store format when creating new image. This results in images being created with an potentialy insecure configuration, preventing applications from opening backing stores without resorting to probing. A priviledged guest user could use this flaw to access arbitrary files on the host.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Libvirt | =0.6.0 | |
| Oracle Libvirt | =0.6.1 | |
| Oracle Libvirt | =0.6.2 | |
| Oracle Libvirt | =0.6.3 | |
| Oracle Libvirt | =0.6.4 | |
| Oracle Libvirt | =0.6.5 | |
| Oracle Libvirt | =0.7.0 | |
| Oracle Libvirt | =0.7.1 | |
| Oracle Libvirt | =0.7.2 | |
| Oracle Libvirt | =0.7.3 | |
| Oracle Libvirt | =0.7.4 | |
| Oracle Libvirt | =0.7.5 | |
| Oracle Libvirt | =0.7.6 | |
| Oracle Libvirt | =0.7.7 | |
| Oracle Libvirt | =0.8.0 | |
| Oracle Libvirt | =0.8.1 | |
| Oracle Libvirt | =0.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=607812
- http://www.vupen.com/english/advisories/2010/2062
- http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044579.html
- http://libvirt.org/news.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044520.html
- http://www.redhat.com/support/errata/RHSA-2010-0615.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://ubuntu.com/usn/usn-1008-2
- http://ubuntu.com/usn/usn-1008-1
- http://www.vupen.com/english/advisories/2010/2763
- http://ubuntu.com/usn/usn-1008-3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=613625
- https://rhn.redhat.com/errata/RHSA-2010-0615.html
Frequently Asked Questions
What is the severity of CVE-2010-2239?
CVE-2010-2239 has a moderate severity rating due to the potential for insecure image configurations in libvirt.
How do I fix CVE-2010-2239?
To fix CVE-2010-2239, you should upgrade your libvirt installation to a version above 0.8.2 that explicitly sets the backing store format.
What versions of libvirt are affected by CVE-2010-2239?
CVE-2010-2239 affects libvirt versions from 0.6.0 to 0.8.2.
Can CVE-2010-2239 be exploited by a guest user?
Yes, a privileged guest user may exploit CVE-2010-2239 to create images in an insecure manner.
What potential risks does CVE-2010-2239 pose to my virtual environment?
CVE-2010-2239 can lead to security liabilities where applications cannot reliably open backing stores due to the insecure configuration.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-2239
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/libvirt
- canonical/oracle libvirt
- version/oracle libvirt/0.6.0
- version/oracle libvirt/0.6.1
- version/oracle libvirt/0.6.2
- version/oracle libvirt/0.6.3
- version/oracle libvirt/0.6.4
- version/oracle libvirt/0.6.5
- version/oracle libvirt/0.7.0
- version/oracle libvirt/0.7.1
- version/oracle libvirt/0.7.2
- version/oracle libvirt/0.7.3
- version/oracle libvirt/0.7.4
- version/oracle libvirt/0.7.5
- version/oracle libvirt/0.7.6
- version/oracle libvirt/0.7.7
- version/oracle libvirt/0.8.0
- version/oracle libvirt/0.8.1
- version/oracle libvirt/0.8.2