Your submission was sent successfully! Close

CVE-2019-20485

Published: 19 March 2020

qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).

Priority

Low

CVSS 3 base score: 5.7

Status

Package Release Status
libvirt
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.0.0-1ubuntu8.17)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(6.0.0-0ubuntu4)
precise Not vulnerable

trusty Not vulnerable

upstream Needs triage

xenial Not vulnerable
(1.3.1-1ubuntu10.30)

Notes

AuthorNote
mdeslaur
it appears this CVE is only for the suspend job because it is
the only one that doesn't require write permissions.

In libvirt in bionic and older, there was no support for running
both agent monitor jobs and normal monitor jobs at the same.
Support for doing so was introduced in the following commit:
https://gitlab.com/libvirt/libvirt/-/commit/4621350f6d3dbca57bbd97829ff5d4efc3a51c97
As such, it would not appear that a malicious guest agent would
be able to block jobs in bionic and earlier, so marking as
not-affected.

References

Bugs