

Red Hat
November 14, 2016
A recent Red Hat OS update addresses moderate out-of-bounds vulnerabilities in qemu-kvm-rhev, which could lead to elevated privileges or crashes.
An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Summary

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.
The following packages have been upgraded to a newer upstream version: qemu-kvm-rhev (2.6.0). (BZ#1386381)
Security Fix(es):
* An out-of-bounds flaw was found in the QEMU emulator built using 'address_space_translate' to map an address to a MemoryRegionSection. The flaw could occur while doing pci_dma_read/write calls, resulting in an out-of-bounds read-write access error. A privileged user inside a guest could use this flaw to crash the guest instance (denial of service). (CVE-2015-8817, CVE-2015-8818)
Red Hat would like to thank Donghai Zdh of Alibaba Inc. for reporting this issue.

References

https://access.redhat.com/security/cve/CVE-2015-8817
https://access.redhat.com/security/cve/CVE-2015-8818
https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7:
Source: qemu-kvm-rhev-2.6.0-27.el7.src.rpm
x86_64:
qemu-img-rhev-2.6.0-27.el7.x86_64.rpm
qemu-kvm-common-rhev-2.6.0-27.el7.x86_64.rpm
qemu-kvm-rhev-2.6.0-27.el7.x86_64.rpm
qemu-kvm-rhev-debuginfo-2.6.0-27.el7.x86_64.rpm
qemu-kvm-tools-rhev-2.6.0-27.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
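The package list above gives the exact version-release that closes CVE-2015-8817 and CVE-2015-8818 on this platform. The script below is an added example, not Red Hat's code or tooling: it reimplements rpm's rpmvercmp() segment rules in Python and reports any advisory package on a host whose installed build is older than the fixed one. The fixed NVRs are taken from the advisory; the "installed" lines are constructed sample output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'`, and the check deliberately ignores epoch because the advisory's package list carries none (an assumption that holds for the NVRs as printed above).

```python
"""Compare installed qemu-kvm-rhev builds against the NVRs fixed in RHSA-2016:2704.

Added example (not Red Hat's code). Version comparison follows rpm's
rpmvercmp(): strings are cut into digit runs, letter runs and '~';
separators are ignored; digit runs compare numerically, letter runs
lexically; a digit run beats a letter run; '~' sorts before anything,
including the end of the string (so 2.6.0~rc1 < 2.6.0).
"""
import re

# Version-release fixed by the advisory (from its Package List, x86_64).
FIXED_VR = {
    "qemu-img-rhev": ("2.6.0", "27.el7"),
    "qemu-kvm-common-rhev": ("2.6.0", "27.el7"),
    "qemu-kvm-rhev": ("2.6.0", "27.el7"),
    "qemu-kvm-rhev-debuginfo": ("2.6.0", "27.el7"),
    "qemu-kvm-tools-rhev": ("2.6.0", "27.el7"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics)."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else ""
        y = tb[i] if i < len(tb) else ""
        # Tilde sorts before everything, even the end of the string.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if not x:          # a ran out of segments first: a is older
            return -1
        if not y:          # b ran out first: a is newer
            return 1
        x_num, y_num = x[0].isdigit(), y[0].isdigit()
        if x_num != y_num: # numeric segment outranks alphabetic one
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):   # longer digit string is the larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def vr_cmp(installed, fixed):
    """Compare (version, release) pairs: version first, then release."""
    rc = rpmvercmp(installed[0], fixed[0])
    return rc if rc else rpmvercmp(installed[1], fixed[1])


def parse_rpm_qa(text):
    """Parse 'NAME VERSION RELEASE ARCH' lines into {name: (version, release, arch)}."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            installed[parts[0]] = (parts[1], parts[2], parts[3])
    return installed


def find_unpatched(rpm_qa_text):
    """Return sorted (name, installed_vr, fixed_vr) for advisory packages that
    are installed on x86_64 and older than the build fixed by RHSA-2016:2704."""
    unpatched = []
    for name, (ver, rel, arch) in parse_rpm_qa(rpm_qa_text).items():
        if name not in FIXED_VR or arch != "x86_64":
            continue
        fver, frel = FIXED_VR[name]
        if vr_cmp((ver, rel), (fver, frel)) < 0:
            unpatched.append((name, f"{ver}-{rel}", f"{fver}-{frel}"))
    return sorted(unpatched)


# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'`
# on a partially updated host; these build numbers are illustrative only.
SAMPLE_RPM_QA = """\
qemu-img-rhev 2.3.0 31.el7_2.21 x86_64
qemu-kvm-common-rhev 2.6.0 27.el7 x86_64
qemu-kvm-rhev 2.3.0 31.el7_2.21 x86_64
qemu-kvm-tools-rhev 2.6.0 28.el7 x86_64
libvirt 1.2.17 13.el7_2.5 x86_64
"""

if __name__ == "__main__":
    for name, have, want in find_unpatched(SAMPLE_RPM_QA):
        print(f"{name}: installed {have}, advisory requires >= {want}")
```

On a real host, feed the script the output of the `rpm -qa --qf` query shown in the docstring, and verify the downloaded packages' Red Hat signatures with `rpm --checksig` before installing; as the Solution section notes, the patched binary is only in use once every running virtual machine has been shut down and started again.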


Advisory ID: RHSA-2016:2704-01
Product: Red Hat Enterprise Linux OpenStack Platform
Issue date: 2016-11-14

Topic

An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - x86_64

Bugs Fixed

1300771 - CVE-2015-8817 CVE-2015-8818 Qemu: OOB access in address_space_rw leads to segmentation fault

1374367 - RHSA-2016-1756 breaks migration of instances [OSP7]

1386381 - Rebase qemu-kvm-rhev to 2.6.0
