Critical product security update: Virtuozzo 6.0 Update 12 Hotfix 3 (6.0.12-3670)

Issue date: 2017-02-21

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-005

1. Overview

The new packages for Virtuozzo 6.0.12 introducing security fixes as well as stability and usability bug fixes.

2. Security Fixes

  • [Critical] A flaw found in the way prl-vzvncserver parsed terminal escape sequences that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to execute arbitrary code as host root. (PSBM-58281)

  • [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by exploiting the way it handled overlapping memory areas. (PSBM-58282)

  • [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to overwrite a small memory region of the prl-vzvncserver process. (PSBM-58280)

  • [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to cause allocation of a huge amount of memory. (PSBM-58099)

3. Bug Fixes

  • Unable to install OS templates from RPM on Virtuozzo 6 nodes. (PSBM-59994)

  • Attempts to perform certain operations on containers via prlctl (e.g., switching offline management) could fail. (PSBM-58505)

  • Linux VMs with UEFI could not start after restore due to incorrectly generated NVRAM. (PSBM-52430)

4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-005.json.