CVE-2014-0179

Name of the Vulnerable Software and Affected Versions libvirt versions 0.7.5 through 1.2.x before 1.2.5

Description The issue allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. This may lead to a disruption of confidentiality, integrity, and availability of protected information.

Recommendations For libvirt versions 0.7.5 through 1.2.x before 1.2.5, consider disabling the virConnectCompareCPU and virConnectBaselineCPU API methods as a temporary workaround until a patch is available. Restrict access to the API endpoints related to these methods to minimize the risk of exploitation. Avoid using crafted XML documents that contain XML external entity declarations in conjunction with entity references to these API methods until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.