ALAS2-2020-1557 --- libvirt | ID: oval:org.secpod.oval:def:1700468 | Date: (C)2020-11-24 (M)2024-04-03 |
Class: PATCH | Family: unix |
A flaw was found in the way the libvirtd daemon issued the "suspend" command to a QEMU guest-agent running inside a guest: the daemon holds a monitor job while issuing the "suspend" command to the guest-agent. A malicious guest-agent may use this flaw to block the libvirt daemon indefinitely, resulting in a denial of service.

A NULL pointer dereference was found in the libvirt API responsible for fetching a storage pool based on its target path. This flaw affects storage pools created without a target path, such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service.