{
  "threat_severity" : "Important",
  "public_date" : "2019-06-20T12:00:00Z",
  "bugzilla" : {
    "description" : "libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API",
    "id" : "1720115",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1720115"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.", "It was discovered that libvirtd would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs." ],
  "statement" : "* This vulnerability requires access to libvirt's read-only socket, normally /var/run/libvirt/libvirt-sock-ro. Hypervisor hosts typically do not provide local accounts for untrusted users, so no untrusted user should be able to reach this socket.\n* Red Hat Gluster Storage 3 is not affected by this vulnerability because the libvirtd daemon is not shipped with Gluster.\n* On Red Hat Enterprise Linux 6 the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files; privilege escalation is not possible. For RHEL 6 this CVE is therefore rated Moderate, with a CVSS v3 score of 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H).",
  "acknowledgement" : "Red Hat would like to thank Matthias Gerstner (SUSE) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHSA-2019:1578",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "libvirt-0:0.10.2-64.el6_10.2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHSA-2019:1579",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libvirt-0:4.5.0-10.el7_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHSA-2019:1580",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "virt:rhel-8000020190618154454.f8e95b4e"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8 Advanced Virtualization",
    "release_date" : "2019-07-11T00:00:00Z",
    "advisory" : "RHSA-2019:1762",
    "cpe" : "cpe:/a:redhat:advanced_virtualization:8::el8",
    "package" : "virt:8.0.0-8000020190620145550.f8e95b4e"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-07-08T00:00:00Z",
    "advisory" : "RHSA-2019:1699",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-release-virtualization-host-0:4.3.4-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-07-08T00:00:00Z",
    "advisory" : "RHSA-2019:1699",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-virtualization-host-0:4.3.4-20190620.3.el7_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10161", "https://nvd.nist.gov/vuln/detail/CVE-2019-10161", "https://access.redhat.com/libvirt-privesc-vulnerabilities" ],
  "csaw" : true,
  "name" : "CVE-2019-10161",
  "mitigation" : {
    "value" : "The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf` and restarting libvirtd so that the socket is recreated with the new mode. The settings `unix_sock_group = \"libvirt\"` and `unix_sock_ro_perms = \"0770\"` restrict access to members of the `libvirt` group, who already have management access to virtual machines.",
    "lang" : "en:us"
  }
}
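The `mitigation` field above says what to set but not how to confirm that it took effect. The script below is an added example written for this page; it is not Red Hat's tooling and not part of libvirt. It reads the effective `unix_sock_ro_perms` and `unix_sock_group` values from a libvirtd.conf (a commented-out key means the built-in default, 0777 and root), reports the mode actually present on the read-only socket, and exits non-zero unless the "other" permission bits are clear on both. The default paths are the ones quoted in the statement and are an assumption about your layout; `stat -c` assumes GNU coreutils; the `demo` mode feeds two constructed config fragments rather than files taken from a real host.

```shell
#!/bin/sh
# Added example for this page; not Red Hat's tooling and not part of libvirt.
# Audits the two libvirtd.conf keys named in the mitigation for CVE-2019-10161
# and the mode on the read-only socket itself. Assumed defaults: the paths the
# advisory quotes, and GNU coreutils for `stat -c`.

# Print the effective value of KEY in CONF. The shipped libvirtd.conf has every
# key commented out, and a commented key means "built-in default", so only
# uncommented assignments count; the last one wins. Values may be quoted or not,
# and a trailing "# comment" is ignored.
libvirtd_conf_get() {
    conf="$1"; key="$2"; default="$3"
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$default"
    fi
}

# Classify an octal mode ("0777" from the config or "777" from stat). The CVE is
# reachable by any local user only while the "other" bits are set, so the last
# octal digit decides: 0 means only the owner and unix_sock_group can connect.
classify_ro_sock_mode() {
    mode="$1"
    other=${mode#"${mode%?}"}   # last character = permission bits for "other"
    if [ "$other" = "0" ]; then
        echo hardened
    else
        echo world-accessible
    fi
}

# Check configured intent (CONF) against reality (SOCK). The socket only exists
# while libvirtd runs, so that half is skipped when it is absent. Returns 0 only
# if every check performed found the socket closed to "other".
audit_libvirtd_ro_socket() {
    conf="${1:-/etc/libvirt/libvirtd.conf}"
    sock="${2:-/var/run/libvirt/libvirt-sock-ro}"
    rc=0
    [ -r "$conf" ] || printf 'config: %s unreadable, assuming built-in defaults\n' "$conf"
    perms=$(libvirtd_conf_get "$conf" unix_sock_ro_perms 0777)
    group=$(libvirtd_conf_get "$conf" unix_sock_group root)
    verdict=$(classify_ro_sock_mode "$perms")
    printf 'config: unix_sock_ro_perms=%s unix_sock_group=%s -> %s\n' "$perms" "$group" "$verdict"
    [ "$verdict" = hardened ] || rc=1
    if [ -S "$sock" ]; then
        actual=$(stat -c '%a' "$sock")
        verdict=$(classify_ro_sock_mode "$actual")
        printf 'socket: %s mode %s group %s -> %s\n' "$sock" "$actual" "$(stat -c '%G' "$sock")" "$verdict"
        [ "$verdict" = hardened ] || rc=1
    else
        printf 'socket: %s not present (libvirtd not running?), skipped\n' "$sock"
    fi
    return $rc
}

# `demo` runs the audit over two constructed config fragments (not taken from a
# real host): the shipped default, which leaves the socket 0777, and the
# advisory's mitigation. `host` audits the live system.
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        printf '#unix_sock_group = "root"\n#unix_sock_ro_perms = "0777"\n' > "$tmp/default.conf"
        printf 'unix_sock_group = "libvirt"\nunix_sock_ro_perms = "0770"\n' > "$tmp/hardened.conf"
        for f in default hardened; do
            echo "== $f.conf"
            audit_libvirtd_ro_socket "$tmp/$f.conf" "$tmp/no-such-socket" || echo "result: NOT mitigated"
        done
        rm -rf "$tmp"
        ;;
    host)
        audit_libvirtd_ro_socket
        ;;
esac
```

Run `sh audit_ro_sock.sh demo` to see the two constructed configs classified, and `sh audit_ro_sock.sh host` on a hypervisor. The on-disk check matters because the config only takes effect once libvirtd recreates the socket, and on libvirt builds that use systemd socket activation (5.6 and later) the `unix_sock_*` keys in libvirtd.conf are ignored entirely and the mode comes from the libvirtd-ro.socket unit; in both cases the `stat` half of the audit is the one that tells the truth.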