SUSE update for libvirt



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-0897
CWE-ID CWE-667
Exploitation vector Local
Public exploit N/A
Vulnerable software
SUSE Linux Enterprise Software Development Kit
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

libvirt-daemon-xen
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-libxl-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-libxl
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-rbd-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-rbd
Operating systems & Components / Operating system package or component

libvirt-nss-debuginfo
Operating systems & Components / Operating system package or component

libvirt-nss
Operating systems & Components / Operating system package or component

libvirt-lock-sanlock-debuginfo
Operating systems & Components / Operating system package or component

libvirt-lock-sanlock
Operating systems & Components / Operating system package or component

libvirt-libs-debuginfo
Operating systems & Components / Operating system package or component

libvirt-libs
Operating systems & Components / Operating system package or component

libvirt-doc
Operating systems & Components / Operating system package or component

libvirt-daemon-qemu
Operating systems & Components / Operating system package or component

libvirt-daemon-lxc
Operating systems & Components / Operating system package or component

libvirt-daemon-hooks
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-scsi-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-scsi
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-mpath-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-mpath
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-logical-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-logical
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-iscsi-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-iscsi
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-disk-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-disk
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-core-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage-core
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-storage
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-secret-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-secret
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-qemu-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-qemu
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-nwfilter-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-nwfilter
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-nodedev-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-nodedev
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-network-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-network
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-lxc-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-lxc
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-interface-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-driver-interface
Operating systems & Components / Operating system package or component

libvirt-daemon-debuginfo
Operating systems & Components / Operating system package or component

libvirt-daemon-config-nwfilter
Operating systems & Components / Operating system package or component

libvirt-daemon-config-network
Operating systems & Components / Operating system package or component

libvirt-daemon
Operating systems & Components / Operating system package or component

libvirt-client-debuginfo
Operating systems & Components / Operating system package or component

libvirt-client
Operating systems & Components / Operating system package or component

libvirt-admin-debuginfo
Operating systems & Components / Operating system package or component

libvirt-admin
Operating systems & Components / Operating system package or component

libvirt
Operating systems & Components / Operating system package or component

libvirt-devel
Operating systems & Components / Operating system package or component

libvirt-debugsource
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper locking

EUVDB-ID: #VU62739

Risk: Medium

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-0897

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service attack (DoS).

The vulnerability exists due to double-locking error within the nwfilterConnectNumOfNWFilters() function in nwfilter/nwfilter_driver.c in libvirt. An local user can abuse the libvirt API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

Mitigation

Update the affected package libvirt to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Software Development Kit: 12-SP5

SUSE Linux Enterprise Server for SAP Applications: 12-SP5

SUSE Linux Enterprise Server: 12-SP5

libvirt-daemon-xen: before 5.1.0-13.31.1

libvirt-daemon-driver-libxl-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-libxl: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-rbd-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-rbd: before 5.1.0-13.31.1

libvirt-nss-debuginfo: before 5.1.0-13.31.1

libvirt-nss: before 5.1.0-13.31.1

libvirt-lock-sanlock-debuginfo: before 5.1.0-13.31.1

libvirt-lock-sanlock: before 5.1.0-13.31.1

libvirt-libs-debuginfo: before 5.1.0-13.31.1

libvirt-libs: before 5.1.0-13.31.1

libvirt-doc: before 5.1.0-13.31.1

libvirt-daemon-qemu: before 5.1.0-13.31.1

libvirt-daemon-lxc: before 5.1.0-13.31.1

libvirt-daemon-hooks: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-scsi-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-scsi: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-mpath-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-mpath: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-logical-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-logical: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-iscsi-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-iscsi: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-disk-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-disk: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-core-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-storage-core: before 5.1.0-13.31.1

libvirt-daemon-driver-storage: before 5.1.0-13.31.1

libvirt-daemon-driver-secret-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-secret: before 5.1.0-13.31.1

libvirt-daemon-driver-qemu-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-qemu: before 5.1.0-13.31.1

libvirt-daemon-driver-nwfilter-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-nwfilter: before 5.1.0-13.31.1

libvirt-daemon-driver-nodedev-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-nodedev: before 5.1.0-13.31.1

libvirt-daemon-driver-network-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-network: before 5.1.0-13.31.1

libvirt-daemon-driver-lxc-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-lxc: before 5.1.0-13.31.1

libvirt-daemon-driver-interface-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-driver-interface: before 5.1.0-13.31.1

libvirt-daemon-debuginfo: before 5.1.0-13.31.1

libvirt-daemon-config-nwfilter: before 5.1.0-13.31.1

libvirt-daemon-config-network: before 5.1.0-13.31.1

libvirt-daemon: before 5.1.0-13.31.1

libvirt-client-debuginfo: before 5.1.0-13.31.1

libvirt-client: before 5.1.0-13.31.1

libvirt-admin-debuginfo: before 5.1.0-13.31.1

libvirt-admin: before 5.1.0-13.31.1

libvirt: before 5.1.0-13.31.1

libvirt-devel: before 5.1.0-13.31.1

libvirt-debugsource: before 5.1.0-13.31.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2022/suse-su-20221540-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###