Vulnerability Details : CVE-2014-3559
The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 does not wipe memory snapshots when deleting a VM, even when wipe-after-delete (WAD) is configured for the VM's disk, which allows remote authenticated users with certain credentials to read portions of the deleted VM's memory and obtain sensitive information via an uninitialized storage volume.
Products affected by CVE-2014-3559
- cpe:2.3:a:redhat:enterprise_virtualization:3.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3559
- 0.16%: probability of exploitation activity in the next 30 days
- ~52%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3559
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST | |
CWE ids for CVE-2014-3559
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3559
- http://rhn.redhat.com/errata/RHSA-2014-1002.html
  RHSA-2014:1002 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1121925
  1121925 – (CVE-2014-3559) CVE-2014-3559 ovirt-engine-backend: memory snapshots not wiped when deleting a VM with wipe-after-delete (WAD) enabled for its disks
- http://www.securitytracker.com/id/1030664
  Red Hat Enterprise Virtualization Manager Snapshot Deletion Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information - SecurityTracker
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95098
  Red Hat Enterprise Virtualization Manager oVirt storage back end information disclosure CVE-2014-3559 Vulnerability Report