CVE-2020-14339

medium

Published 2020-11-03 · Modified 2020-11-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

RHSA-2020:4676: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Moderate)

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description libvirt: leak of /dev/mapper/control into QEMU guests Red Hat statement This flaw was introduced in `libvirt` version 6.2.0. Red Hat Enterprise Linux 5, 6, 7, and 8 are not affected by this issue as they shipped an older version of the `libvirt` package which did not include the vulnerable code. This issue affects versions of the `libvirt` package as shipped with Red Hat Enterprise…

Description

libvirt: leak of /dev/mapper/control into QEMU guests

Red Hat statement

This flaw was introduced in `libvirt` version 6.2.0. Red Hat Enterprise Linux 5, 6, 7, and 8 are not affected by this issue as they shipped an older version of the `libvirt` package which did not include the vulnerable code. This issue affects versions of the `libvirt` package as shipped with Red Hat Enterprise Linux Advanced Virtualization 8. Future `libvirt` package updates for Red Hat Enterprise Linux Advanced Virtualization 8 may address this issue.

CVSS v3: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Advanced Virtualization for RHEL 8.2.1	`virt:8.2-8020120200820190722.863bb0db`	RHSA-2020:3586	2020-09-01T00:00:00Z
Advanced Virtualization for RHEL 8.2.1	`virt-devel:8.2-8020120200820190722.863bb0db`	RHSA-2020:3586	2020-09-01T00:00:00Z
Red Hat Enterprise Linux 8	`virt-devel:rhel-8030020200909014558.30b713e6`	RHSA-2020:4676	2020-11-04T00:00:00Z
Red Hat Enterprise Linux 8	`virt:rhel-8030020200909014558.30b713e6`	RHSA-2020:4676	2020-11-04T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 5	`libvirt`	Not affected
Red Hat Enterprise Linux 6	`libvirt`	Not affected
Red Hat Enterprise Linux 7	`libvirt`	Not affected
Red Hat Enterprise Linux 8 Advanced Virtualization	`virt:8.1/libvirt`	Not affected
Red Hat Enterprise Linux 8 Advanced Virtualization	`virt:8.2/libvirt`	Affected
Red Hat Enterprise Linux 8 Advanced Virtualization	`virt:8.3/libvirt`	Affected
Red Hat Enterprise Linux 9	`libvirt`	Not affected

Apply commands

bash fix

Apply RHSA-2020:3586 for Advanced Virtualization for RHEL 8.2.1

yum update -y virt:8
# or:
dnf upgrade -y virt:8

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 5	`Not affected`
redhat	Red Hat Enterprise Linux 6	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 8 Advanced Virtualization	`Not affected`
redhat	Red Hat Enterprise Linux 8 Advanced Virtualization	`Affected`
redhat	Red Hat Enterprise Linux 8 Advanced Virtualization	`Affected`
redhat	Red Hat Enterprise Linux 9	`Not affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Arch Fixed 1 release

Version	Status	Fixed in
—	Fixed	`6.5.0-2`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.6.0-1`
sid	Fixed	`6.6.0-1`
forky	Fixed	`6.6.0-1`
bullseye	Fixed	`6.6.0-1`
bookworm	Fixed	`6.6.0-1`

Red Hat Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.