RHSA-2012:1508
Vulnerability from csaf_redhat - Published: 2012-12-04 18:44 - Updated: 2025-11-21 17:41Summary
Red Hat Security Advisory: rhev-3.1.0 vdsm security, bug fix, and enhancement update
Severity
Important
Notes
Topic: Updated vdsm packages are now available for Red Hat Enterprise Linux 6.3.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details: VDSM is a management module that serves as a Red Hat Enterprise
Virtualization Manager agent on Red Hat Enterprise Virtualization
Hypervisor or Red Hat Enterprise Linux 6.3 hosts.
A flaw was found in the way Red Hat Enterprise Linux hosts were added to
the Red Hat Enterprise Virtualization environment. The Python scripts
needed to configure the host for Red Hat Enterprise Virtualization were
stored in the "/tmp/" directory and could be pre-created by an attacker. A
local, unprivileged user on the host to be added to the Red Hat Enterprise
Virtualization environment could use this flaw to escalate their
privileges. This update provides the VDSM part of the fix. The
RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also
be installed to completely fix this issue. (CVE-2012-0860)
A flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise
Virtualization Hypervisor hosts were added to the Red Hat Enterprise
Virtualization environment. The Python scripts needed to configure the host
for Red Hat Enterprise Virtualization were downloaded in an insecure way,
that is, without properly validating SSL certificates during HTTPS
connections. An attacker on the local network could use this flaw to
conduct a man-in-the-middle attack, potentially gaining root access to the
host being added to the Red Hat Enterprise Virtualization environment. This
update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat
Enterprise Virtualization Manager update must also be installed to
completely fix this issue. (CVE-2012-0861)
The CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat.
In addition to resolving the above security issues these updated VDSM
packages fix various bugs, and add various enhancements.
Documentation for these bug fixes and enhancements is available in the
Technical Notes:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html
All users who require VDSM are advised to install these updated packages
which resolve these security issues, fix these bugs, and add these
enhancements.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Multiple untrusted search path vulnerabilities in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, allow local users to gain privileges via a Trojan horse (1) deployUtil.py or (2) vds_bootstrap.py Python module in /tmp/.
6.2 ()
Vendor Fix
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
https://access.redhat.com/errata/RHSA-2012:1508
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack.
6.8 ()
Vendor Fix
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
https://access.redhat.com/errata/RHSA-2012:1508
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated vdsm packages are now available for Red Hat Enterprise Linux 6.3.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VDSM is a management module that serves as a Red Hat Enterprise\nVirtualization Manager agent on Red Hat Enterprise Virtualization\nHypervisor or Red Hat Enterprise Linux 6.3 hosts.\n\nA flaw was found in the way Red Hat Enterprise Linux hosts were added to\nthe Red Hat Enterprise Virtualization environment. The Python scripts\nneeded to configure the host for Red Hat Enterprise Virtualization were\nstored in the \"/tmp/\" directory and could be pre-created by an attacker. A\nlocal, unprivileged user on the host to be added to the Red Hat Enterprise\nVirtualization environment could use this flaw to escalate their\nprivileges. This update provides the VDSM part of the fix. The\nRHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also\nbe installed to completely fix this issue. (CVE-2012-0860)\n\nA flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise\nVirtualization Hypervisor hosts were added to the Red Hat Enterprise\nVirtualization environment. The Python scripts needed to configure the host\nfor Red Hat Enterprise Virtualization were downloaded in an insecure way,\nthat is, without properly validating SSL certificates during HTTPS\nconnections. An attacker on the local network could use this flaw to\nconduct a man-in-the-middle attack, potentially gaining root access to the\nhost being added to the Red Hat Enterprise Virtualization environment. This\nupdate provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat\nEnterprise Virtualization Manager update must also be installed to\ncompletely fix this issue. (CVE-2012-0861)\n\nThe CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat.\n\nIn addition to resolving the above security issues these updated VDSM\npackages fix various bugs, and add various enhancements.\n\nDocumentation for these bug fixes and enhancements is available in the\nTechnical Notes:\n\nhttps://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html\n\nAll users who require VDSM are advised to install these updated packages\nwhich resolve these security issues, fix these bugs, and add these\nenhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1508",
"url": "https://access.redhat.com/errata/RHSA-2012:1508"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html",
"url": "https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html"
},
{
"category": "external",
"summary": "734847",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=734847"
},
{
"category": "external",
"summary": "744704",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=744704"
},
{
"category": "external",
"summary": "766281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=766281"
},
{
"category": "external",
"summary": "772556",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=772556"
},
{
"category": "external",
"summary": "783383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=783383"
},
{
"category": "external",
"summary": "790730",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=790730"
},
{
"category": "external",
"summary": "790754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=790754"
},
{
"category": "external",
"summary": "797526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=797526"
},
{
"category": "external",
"summary": "798635",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=798635"
},
{
"category": "external",
"summary": "800367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=800367"
},
{
"category": "external",
"summary": "802759",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=802759"
},
{
"category": "external",
"summary": "806625",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=806625"
},
{
"category": "external",
"summary": "806757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=806757"
},
{
"category": "external",
"summary": "807351",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=807351"
},
{
"category": "external",
"summary": "807687",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=807687"
},
{
"category": "external",
"summary": "811807",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=811807"
},
{
"category": "external",
"summary": "812793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=812793"
},
{
"category": "external",
"summary": "813423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=813423"
},
{
"category": "external",
"summary": "814435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=814435"
},
{
"category": "external",
"summary": "815359",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=815359"
},
{
"category": "external",
"summary": "826467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=826467"
},
{
"category": "external",
"summary": "826873",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=826873"
},
{
"category": "external",
"summary": "826921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=826921"
},
{
"category": "external",
"summary": "829037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=829037"
},
{
"category": "external",
"summary": "829645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=829645"
},
{
"category": "external",
"summary": "829710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=829710"
},
{
"category": "external",
"summary": "830485",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=830485"
},
{
"category": "external",
"summary": "830486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=830486"
},
{
"category": "external",
"summary": "831528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=831528"
},
{
"category": "external",
"summary": "832765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=832765"
},
{
"category": "external",
"summary": "832798",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=832798"
},
{
"category": "external",
"summary": "833084",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=833084"
},
{
"category": "external",
"summary": "833099",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=833099"
},
{
"category": "external",
"summary": "833119",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=833119"
},
{
"category": "external",
"summary": "833425",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=833425"
},
{
"category": "external",
"summary": "833803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=833803"
},
{
"category": "external",
"summary": "834008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=834008"
},
{
"category": "external",
"summary": "834105",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=834105"
},
{
"category": "external",
"summary": "834205",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=834205"
},
{
"category": "external",
"summary": "835478",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=835478"
},
{
"category": "external",
"summary": "835784",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=835784"
},
{
"category": "external",
"summary": "835900",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=835900"
},
{
"category": "external",
"summary": "835920",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=835920"
},
{
"category": "external",
"summary": "836161",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=836161"
},
{
"category": "external",
"summary": "836562",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=836562"
},
{
"category": "external",
"summary": "836954",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=836954"
},
{
"category": "external",
"summary": "837054",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=837054"
},
{
"category": "external",
"summary": "837836",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=837836"
},
{
"category": "external",
"summary": "838347",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=838347"
},
{
"category": "external",
"summary": "838547",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=838547"
},
{
"category": "external",
"summary": "838802",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=838802"
},
{
"category": "external",
"summary": "838924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=838924"
},
{
"category": "external",
"summary": "840294",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=840294"
},
{
"category": "external",
"summary": "840300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=840300"
},
{
"category": "external",
"summary": "840386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=840386"
},
{
"category": "external",
"summary": "840594",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=840594"
},
{
"category": "external",
"summary": "841863",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=841863"
},
{
"category": "external",
"summary": "842115",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=842115"
},
{
"category": "external",
"summary": "842146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=842146"
},
{
"category": "external",
"summary": "842338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=842338"
},
{
"category": "external",
"summary": "842662",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=842662"
},
{
"category": "external",
"summary": "842771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=842771"
},
{
"category": "external",
"summary": "843076",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=843076"
},
{
"category": "external",
"summary": "843387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=843387"
},
{
"category": "external",
"summary": "843498",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=843498"
},
{
"category": "external",
"summary": "844180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=844180"
},
{
"category": "external",
"summary": "844294",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=844294"
},
{
"category": "external",
"summary": "844347",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=844347"
},
{
"category": "external",
"summary": "845193",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=845193"
},
{
"category": "external",
"summary": "845346",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=845346"
},
{
"category": "external",
"summary": "845525",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=845525"
},
{
"category": "external",
"summary": "845830",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=845830"
},
{
"category": "external",
"summary": "846004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846004"
},
{
"category": "external",
"summary": "846014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846014"
},
{
"category": "external",
"summary": "846307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846307"
},
{
"category": "external",
"summary": "846312",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846312"
},
{
"category": "external",
"summary": "846323",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846323"
},
{
"category": "external",
"summary": "846376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=846376"
},
{
"category": "external",
"summary": "847518",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=847518"
},
{
"category": "external",
"summary": "847733",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=847733"
},
{
"category": "external",
"summary": "847744",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=847744"
},
{
"category": "external",
"summary": "848101",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=848101"
},
{
"category": "external",
"summary": "848299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=848299"
},
{
"category": "external",
"summary": "848616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=848616"
},
{
"category": "external",
"summary": "848728",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=848728"
},
{
"category": "external",
"summary": "849315",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=849315"
},
{
"category": "external",
"summary": "849542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=849542"
},
{
"category": "external",
"summary": "851146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=851146"
},
{
"category": "external",
"summary": "851839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=851839"
},
{
"category": "external",
"summary": "852989",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852989"
},
{
"category": "external",
"summary": "853011",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853011"
},
{
"category": "external",
"summary": "853040",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853040"
},
{
"category": "external",
"summary": "853703",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853703"
},
{
"category": "external",
"summary": "853710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853710"
},
{
"category": "external",
"summary": "853910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853910"
},
{
"category": "external",
"summary": "853968",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=853968"
},
{
"category": "external",
"summary": "854027",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854027"
},
{
"category": "external",
"summary": "854151",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854151"
},
{
"category": "external",
"summary": "854212",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854212"
},
{
"category": "external",
"summary": "854242",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854242"
},
{
"category": "external",
"summary": "854457",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854457"
},
{
"category": "external",
"summary": "854748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854748"
},
{
"category": "external",
"summary": "854763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854763"
},
{
"category": "external",
"summary": "854765",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854765"
},
{
"category": "external",
"summary": "854919",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854919"
},
{
"category": "external",
"summary": "854953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=854953"
},
{
"category": "external",
"summary": "855049",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855049"
},
{
"category": "external",
"summary": "855425",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855425"
},
{
"category": "external",
"summary": "855729",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855729"
},
{
"category": "external",
"summary": "855887",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855887"
},
{
"category": "external",
"summary": "855918",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855918"
},
{
"category": "external",
"summary": "855922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855922"
},
{
"category": "external",
"summary": "855924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855924"
},
{
"category": "external",
"summary": "856163",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=856163"
},
{
"category": "external",
"summary": "856167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=856167"
},
{
"category": "external",
"summary": "857112",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=857112"
},
{
"category": "external",
"summary": "859109",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=859109"
},
{
"category": "external",
"summary": "862002",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=862002"
},
{
"category": "external",
"summary": "863265",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=863265"
},
{
"category": "external",
"summary": "865386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=865386"
},
{
"category": "external",
"summary": "866163",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=866163"
},
{
"category": "external",
"summary": "866533",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=866533"
},
{
"category": "external",
"summary": "867354",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=867354"
},
{
"category": "external",
"summary": "867806",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=867806"
},
{
"category": "external",
"summary": "867813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=867813"
},
{
"category": "external",
"summary": "867922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=867922"
},
{
"category": "external",
"summary": "868272",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=868272"
},
{
"category": "external",
"summary": "868681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=868681"
},
{
"category": "external",
"summary": "868721",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=868721"
},
{
"category": "external",
"summary": "870024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=870024"
},
{
"category": "external",
"summary": "870079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=870079"
},
{
"category": "external",
"summary": "870734",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=870734"
},
{
"category": "external",
"summary": "870768",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=870768"
},
{
"category": "external",
"summary": "871355",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=871355"
},
{
"category": "external",
"summary": "871811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=871811"
},
{
"category": "external",
"summary": "872270",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=872270"
},
{
"category": "external",
"summary": "872935",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=872935"
},
{
"category": "external",
"summary": "874481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874481"
},
{
"category": "external",
"summary": "876115",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=876115"
},
{
"category": "external",
"summary": "876558",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=876558"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1508.json"
}
],
"title": "Red Hat Security Advisory: rhev-3.1.0 vdsm security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T17:41:35+00:00",
"generator": {
"date": "2025-11-21T17:41:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2012:1508",
"initial_release_date": "2012-12-04T18:44:00+00:00",
"revision_history": [
{
"date": "2012-12-04T18:44:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-12-04T18:48:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:41:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEV Agents (vdsm)",
"product": {
"name": "RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:6::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"product": {
"name": "vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"product_id": "vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-python@4.9.6-44.0.el6_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-0:4.9.6-44.0.el6_3.x86_64",
"product": {
"name": "vdsm-0:4.9.6-44.0.el6_3.x86_64",
"product_id": "vdsm-0:4.9.6-44.0.el6_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.9.6-44.0.el6_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"product": {
"name": "vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"product_id": "vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-debuginfo@4.9.6-44.0.el6_3?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"product": {
"name": "vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"product_id": "vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-cli@4.9.6-44.0.el6_3?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"product": {
"name": "vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"product_id": "vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-vhostmd@4.9.6-44.0.el6_3?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-reg-0:4.9.6-44.0.el6_3.noarch",
"product": {
"name": "vdsm-reg-0:4.9.6-44.0.el6_3.noarch",
"product_id": "vdsm-reg-0:4.9.6-44.0.el6_3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-reg@4.9.6-44.0.el6_3?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-0:4.9.6-44.0.el6_3.src",
"product": {
"name": "vdsm-0:4.9.6-44.0.el6_3.src",
"product_id": "vdsm-0:4.9.6-44.0.el6_3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.9.6-44.0.el6_3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.9.6-44.0.el6_3.src as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src"
},
"product_reference": "vdsm-0:4.9.6-44.0.el6_3.src",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.9.6-44.0.el6_3.x86_64 as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64"
},
"product_reference": "vdsm-0:4.9.6-44.0.el6_3.x86_64",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-cli-0:4.9.6-44.0.el6_3.noarch as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch"
},
"product_reference": "vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64 as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64"
},
"product_reference": "vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch"
},
"product_reference": "vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-python-0:4.9.6-44.0.el6_3.x86_64 as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64"
},
"product_reference": "vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"relates_to_product_reference": "6Server-RHEV-Agents"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-reg-0:4.9.6-44.0.el6_3.noarch as a component of RHEV Agents (vdsm)",
"product_id": "6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
},
"product_reference": "vdsm-reg-0:4.9.6-44.0.el6_3.noarch",
"relates_to_product_reference": "6Server-RHEV-Agents"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-0860",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2012-02-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "790730"
}
],
"notes": [
{
"category": "description",
"text": "Multiple untrusted search path vulnerabilities in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, allow local users to gain privileges via a Trojan horse (1) deployUtil.py or (2) vds_bootstrap.py Python module in /tmp/.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rhev: vds_installer insecure /tmp use",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue does affect Red Hat Enterprise Virtualization 2 and 3.\n\nRed Hat Enterprise Virtualization 2 is now in Production 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Virtualization Life Cycle: https://access.redhat.com/support/policy/updates/rhev/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0860"
},
{
"category": "external",
"summary": "RHBZ#790730",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=790730"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0860",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0860"
}
],
"release_date": "2012-12-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-12-04T18:44:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1508"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"products": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rhev: vds_installer insecure /tmp use"
},
{
"cve": "CVE-2012-0861",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2012-02-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "790754"
}
],
"notes": [
{
"category": "description",
"text": "The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rhev: vds_installer is prone to MITM when downloading 2nd stage installer",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue does affect Red Hat Enterprise Virtualization 2 and 3.\n\nRed Hat Enterprise Virtualization 2 is now in Production 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Virtualization Life Cycle: https://access.redhat.com/support/policy/updates/rhev/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-0861"
},
{
"category": "external",
"summary": "RHBZ#790754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=790754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-0861",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-0861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0861"
}
],
"release_date": "2012-12-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-12-04T18:44:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1508"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"products": [
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.src",
"6Server-RHEV-Agents:vdsm-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-cli-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-debuginfo-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-hook-vhostmd-0:4.9.6-44.0.el6_3.noarch",
"6Server-RHEV-Agents:vdsm-python-0:4.9.6-44.0.el6_3.x86_64",
"6Server-RHEV-Agents:vdsm-reg-0:4.9.6-44.0.el6_3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rhev: vds_installer is prone to MITM when downloading 2nd stage installer"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…