Information Disclosure Vulnerability in RHEVM

 

Systems Affected


Red Hat Enterprise Virtualization 3.4

Threat Level


Medium


Overview


A vulnerability has been reported in Red Hat Enterprise Virtualization Manager that could be exploited by a remote authenticated attacker to read files on the target system.


Description


This vulnerability exists because the ovirt-engine REST API resolves entities declared in XML API calls, including external entities.

A remote attacker holding credentials that allow calls to the REST API could exploit this vulnerability by supplying specially crafted XML External Entity (XXE) data to the ovirt-engine REST API, thereby reading files accessible to the user account under which the ovirt-engine JBoss server runs.
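The two parser configurations at issue, as an added example written here in Python's expat (it is not oVirt or RHEV code): one that fetches and expands external general entities, and one that refuses any DOCTYPE before an entity can be declared. The check function, file path, and element names are constructed for the illustration.

```python
import os
import tempfile
import xml.parsers.expat as expat

class ForbiddenDoctype(ValueError):
    """Raised by the hardened parser when a document carries a DOCTYPE."""

def _collect_text(parser, xml_bytes):
    # Gather all character data so we can see what an entity expanded to.
    parts = []
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts).strip()

def parse_resolving(xml_bytes):
    """Unsafe configuration: external general entities are fetched and expanded."""
    parser = expat.ParserCreate()
    def fetch_external(context, base, system_id, public_id):
        # SYSTEM identifier treated as a local path; its bytes are parsed as entity
        # content by a child parser that inherits the parent's handlers.
        with open(system_id, "rb") as fh:
            parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1
    parser.ExternalEntityRefHandler = fetch_external
    return _collect_text(parser, xml_bytes)

def parse_hardened(xml_bytes):
    """Hardened configuration: any DOCTYPE is rejected, so no entity can be declared."""
    parser = expat.ParserCreate()
    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenDoctype("DOCTYPE is not accepted in API request bodies")
    parser.StartDoctypeDeclHandler = reject_doctype
    return _collect_text(parser, xml_bytes)

def check_parsers():
    """Constructed check: a temp file stands in for a server-side secret and a
    request's entity points at it. Returns (text the unsafe parser exposed, hardened blocked?)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("constructed-secret")
        secret_path = fh.name
    try:
        request = ('<?xml version="1.0"?>'
                   f'<!DOCTYPE vm [<!ENTITY ext SYSTEM "{secret_path}">]>'
                   '<vm><name>&ext;</name></vm>').encode()
        exposed = parse_resolving(request)
        try:
            parse_hardened(request)
            blocked = False
        except ForbiddenDoctype:
            blocked = True
        return exposed, blocked
    finally:
        os.unlink(secret_path)
```

Rejecting the DOCTYPE outright is the configuration to prefer on an API endpoint; disabling only external entity fetching still leaves internal-entity expansion attacks available.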


Impact



Solution/ Workarounds


Install the updated software as described in the vendor advisory:
https://rhn.redhat.com/errata/RHSA-2014-0814.html


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.