{
  "threat_severity" : "Moderate",
  "public_date" : "2018-08-08T00:00:00Z",
  "bugzilla" : {
    "description" : "vdsm: calls to qemu-img are not protected by prlimit/ulimit",
    "id" : "1605065",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1605065"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service condition that could potentially impact other users of the host.", "It was found that vdsm would invoke qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory or CPU time, causing a denial of service condition that could potentially impact other users of the host." ],
  "statement" : "Red Hat Enterprise Virtualization 3 is now in Extended Life Phase of the support and maintenance lifecycle. Red Hat Product Security has rated this issue as having a security impact of Moderate, and it is not currently planned to be addressed in future updates of Red Hat Virtualization 3. For additional information, refer to the Red Hat Virtualization Life Cycle: https://access.redhat.com/support/policy/updates/rhev/",
  "acknowledgement" : "This issue was discovered by Nir Soffer (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-09-04T00:00:00Z",
    "advisory" : "RHEA-2018:2624",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "vdsm-0:4.20.39-1.el7ev"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "vdsm",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-10908\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10908\nhttps://gerrit.ovirt.org/#/c/93195/" ],
  "name" : "CVE-2018-10908",
  "csaw" : false
}