-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: org.ovirt.engine-root security update
Advisory ID:       RHSA-2018:1676-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1676
Issue date:        2018-05-21
CVE Names:         CVE-2018-3639 
====================================================================
1. Summary:

An update for org.ovirt.engine-root is now available for Red Hat
Virtualization Engine 4.2.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHV-M 4.2 - noarch

3. Description:

The org.ovirt.engine-root is a core component of oVirt.

Security Fix(es):

* An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of Load & Store instructions
(a commonly used performance optimization). It relies on the presence of a
precisely-defined instruction sequence in the privileged code as well as
the fact that memory read from address to which a recent memory write has
occurred may see an older value and subsequently cause an update into the
microprocessor's data cache even for speculatively executed instructions
that never actually commit (retire). As a result, an unprivileged attacker
could use this flaw to read privileged memory by conducting targeted cache
side-channel attacks. (CVE-2018-3639)

Note: This is the org.ovirt.engine-root side of the CVE-2018-3639
mitigation.

Red Hat would like to thank Ken Johnson (Microsoft Security Response
Center) and Jann Horn (Google Project Zero) for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

6. Package List:

RHV-M 4.2:

Source:
ovirt-engine-4.2.3.6-0.1.el7.src.rpm

noarch:
ovirt-engine-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-backend-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-dbscripts-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-extensions-api-impl-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-extensions-api-impl-javadoc-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-health-check-bundler-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-lib-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-restapi-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-base-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-tools-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-tools-backup-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-webadmin-portal-4.2.3.6-0.1.el7.noarch.rpm
ovirt-engine-websocket-proxy-4.2.3.6-0.1.el7.noarch.rpm
rhvm-4.2.3.6-0.1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-3639
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/ssbd

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWwQp09zjgjWX9erEAQi6Zg//fD2O5k/IPd+elj2l3z6KXEUeXNB9S5+6
CUSXUPSze8xO7PZ/OZymgjyWPa9mfCCOQfCYctu+mzs+qrq0WQb2rmVpGvbygDPh
dAvXXQ9wc0lTlzS3Bra8A6tPZ8XDtWF2m7W/8n/Mh11McbDTOhof6h/64JprH0Oq
ZLzHJUDXNun6Hug6Ii3QcJakDlBeQ/VQ7yR1NOEuqn5vxJzn019lL6nXwoNgkB0k
W9SJ22b51w9N22YvplKVnLS5PaOvL/ZHCVDq03YAGo57QRQKByEGbRhExiakvKJU
kpkupEbGXGX6UZ6bn+f1GRQH18qw+DslT+uJRFlPpKbO4k8Nr7AaCIhiu+jf2pBm
SAnPZKEurIZh9BmTzs9umDLWScFqBKPS9BiwE7fo/q3o1P9aptwyAPfgwzdkrDsd
8Q2whnyo8uOEOY+kgl2F5kF8T7Iehkj/I0nEiZe1+xwYMPdN7zt1yFjNem7X2QKr
btO+5aw4XeQzIsEF8P49ws9BeeEdU11+dizG26hBMmIsu8X01Mya3Ikj0+Ct7VfE
LVy5Dxnc5KFAHLuO+6VXY1GM5XZEqg4xrWXq77v+0qjqfY81uEo4lihxYt4g2/0C
BDDAqPAK61mX/2OIaNgjGqOVJz/M41o6iUelZbO6rs5NE3cwdwy1ORs2fYMCwvw2
pt3zckp3TYk=8GKI
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2018-1676:01 Important: org.ovirt.engine-root security update

An update for org.ovirt.engine-root is now available for Red Hat Virtualization Engine 4.2

Summary

The org.ovirt.engine-root is a core component of oVirt.
Security Fix(es):
* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)
Note: This is the org.ovirt.engine-root side of the CVE-2018-3639 mitigation.
Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.

Summary

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2018-3639 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/ssbd

Package List

RHV-M 4.2:
Source: ovirt-engine-4.2.3.6-0.1.el7.src.rpm
noarch: ovirt-engine-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-backend-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-dbscripts-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-extensions-api-impl-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-extensions-api-impl-javadoc-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-health-check-bundler-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-lib-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-restapi-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-base-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-tools-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-tools-backup-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-webadmin-portal-4.2.3.6-0.1.el7.noarch.rpm ovirt-engine-websocket-proxy-4.2.3.6-0.1.el7.noarch.rpm rhvm-4.2.3.6-0.1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2018:1676-01

Product: Red Hat Virtualization

Advisory URL: https://access.redhat.com/errata/RHSA-2018:1676

Issued Date: : 2018-05-21

CVE Names: CVE-2018-3639

Topic

An update for org.ovirt.engine-root is now available for Red HatVirtualization Engine 4.2.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topic

Relevant Releases Architectures

RHV-M 4.2 - noarch

Bugs Fixed

1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

Related News

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security

2 - 4 min read

Sep 19, 2024

Google Chrome remains the crown jewel in the browser market, with an impressive user base of approximately 3.45 billion. However, this immense

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security

2 - 4 min read

Sep 16, 2024

Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is

CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?

CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?

3 - 5 min read

Sep 15, 2024

CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three

Defending Against Remote Code Execution in Google Chrome: A Critical Update

Defending Against Remote Code Execution in Google Chrome: A Critical Update

2 - 3 min read

Sep 15, 2024

Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe

Navigating the Linux Kernel

Navigating the Linux Kernel's Latest DMA Security Vulnerability

2 - 4 min read

Sep 10, 2024

The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant

Staying a Step Ahead of Adversaries: Mitigating Chromium

Staying a Step Ahead of Adversaries: Mitigating Chromium's Security Flaws on Linux

2 - 4 min read

Sep 04, 2024

Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium

Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware

Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware

2 - 4 min read

Sep 03, 2024

Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called

Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures

Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures

3 - 6 min read

Sep 02, 2024

Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved