Univention Bugzilla – Bug 41719
libvirt: Authentication issue (4.1)
Last modified: 2019-04-11 19:24:58 CEST
It was discovered that there was a password policy issue in libvirt, a library for interfacing with different virtualization systems. Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behave like that. VNC would happily accept the empty password. We enforce the behavior by setting password expiration to "now". (CVE-2016-5008) For Debian 7 "Wheezy", this issue has been fixed in libvirt version 0.9.12.3-1+deb7u2.
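As an added illustration of the behaviour described above (not part of the bug report or of libvirt), the following Python check parses a libvirt domain definition and reports each VNC/SPICE device whose empty `passwd` is not accompanied by a `passwdValidTo` in the past, which is the expiry-to-"now" mitigation the fixed package applies. The guest name and XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: guest with an empty VNC password and no expiry,
# the setting CVE-2016-5008 concerns (on an unpatched libvirt QEMU
# accepts the empty password instead of refusing access).
VULNERABLE_XML = """<domain type='kvm'>
  <name>guest-example</name>
  <devices>
    <graphics type='vnc' port='5900' listen='0.0.0.0' passwd=''/>
  </devices>
</domain>"""

# Constructed sample: same guest with the empty password explicitly
# expired in the past, which is what the fixed libvirt enforces itself.
HARDENED_XML = """<domain type='kvm'>
  <name>guest-example</name>
  <devices>
    <graphics type='vnc' port='5900' listen='127.0.0.1' passwd=''
              passwdValidTo='1970-01-01T00:00:01'/>
  </devices>
</domain>"""


def audit_graphics(domain_xml, now=None):
    """Return (type, listen, status) per VNC/SPICE device carrying a passwd
    attribute. status is 'vulnerable' for an empty, unexpired password,
    'mitigated' for an empty password whose passwdValidTo lies in the past,
    and 'password-set' for a non-empty password."""
    now = now or datetime.now(timezone.utc)
    results = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        gtype = g.get("type")
        passwd = g.get("passwd")
        # Devices without a passwd attribute are outside this issue's scope.
        if gtype not in ("vnc", "spice") or passwd is None:
            continue
        expired = False
        valid_to = g.get("passwdValidTo")  # libvirt uses UTC YYYY-MM-DDThh:mm:ss
        if valid_to:
            expires = datetime.strptime(valid_to, "%Y-%m-%dT%H:%M:%S")
            expired = expires.replace(tzinfo=timezone.utc) <= now
        if passwd == "":
            status = "mitigated" if expired else "vulnerable"
        else:
            status = "password-set"
        results.append((gtype, g.get("listen"), status))
    return results
```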
In UCS 4.1 we shipped 1.2.9-9~bpo70+1 from wheezy-backports, so none of the above applies. Instead we have to monitor the Debian jessie version here and backport patches if applicable. In errata4.1-1 we patched the package to deb8u2. Upstream Debian package version 1.2.9-9+deb8u3 fixed:
* Let empty default VNC password work as documented (CVE-2016-5008)
This issue has been filed against UCS 4.1. UCS 4.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.