Alerts This Week
Warning Icon 1 535
Alerts This Week
Warning Icon 1 535

RHEV 3.6 RHSA-2018-1689-01 Important: RHEVM Plugins Security Fix

Calendar May 22, 2018 User Avatar LinuxSecurity Advisories
2 - 3 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory security update Red Hat critical virtualization cache attack rhevm-setup-plugins
An update for rhevm-setup-plugins is now available for RHEV Manager version 3.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: rhevm-setup-plugins security update
Advisory ID:       RHSA-2018:1689-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1689
Issue date:        2018-05-22
CVE Names:         CVE-2018-3639 
====================================================================
1. Summary:

An update for rhevm-setup-plugins is now available for RHEV Manager version
3.6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEV-M 3.6 ELS - noarch

3. Description:

The rhevm-setup-plugins package adds functionality exclusive only to Red
Hat Virtualization Manager, and is not available for the upstream
ovirt-engine. It includes the configuration of the Red Hat Support plugin,
copying downstream-only artifacts to the ISO domain, and links to the
knowledgebase and other support material.

The following packages have been upgraded to a later upstream version:
rhevm-setup-plugins (3.6.7). (BZ#1579010)

Security Fix(es):

* An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of Load & Store instructions
(a commonly used performance optimization). It relies on the presence of a
precisely-defined instruction sequence in the privileged code as well as
the fact that memory read from address to which a recent memory write has
occurred may see an older value and subsequently cause an update into the
microprocessor's data cache even for speculatively executed instructions
that never actually commit (retire). As a result, an unprivileged attacker
could use this flaw to read privileged memory by conducting targeted cache
side-channel attacks. (CVE-2018-3639)

Note: This is the rhevm-setup-plugins side of the CVE-2018-3639 mitigation.

Red Hat would like to thank Ken Johnson (Microsoft Security Response
Center) and Jann Horn (Google Project Zero) for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

6. Package List:

RHEV-M 3.6 ELS:

Source:
rhevm-setup-plugins-3.6.7-1.el6ev.src.rpm

noarch:
rhevm-setup-plugins-3.6.7-1.el6ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-3639
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/ssbd

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWwQw0dzjgjWX9erEAQjmSQ/+IcLTw6PSZi/3QDmxTGd7wBHfR5QKHZqh
nrb3NtkeNQ5sKsIx1h6V9siu6nuiX6hMK+P6IWPf5xCbIQG7pFsCr/FlpeDPxvZd
Jj/010M8RzU/90gzVmfKqxOu2UwcRKidBmLL5nsrrAjTR/O1JZqj78szAe0hfKbI
klyZzNXvoQw9DVXvsuiZ6FjWvumUIgg5L8u0yHf1OyDS7Zj1Rv5i5OyY2J3GwOlU
Yg5C92icsW7Pt2+0kn6N2rf8c+zd3XcmCaurUEd9oHwuNh1E9kpQ0eoVBHXyRO45
1fYzzv9nCJb4dShFXweVD5Ht6VOUtUcG1RXj2Ka2XyBGbwctqNcA59N/TseXDxph
f/LcmkgGuEBuzNAr/7QvQGT1o6PcS/Kgh22wcJ0RcEDYaZZFoIpJoor51lPFMyZU
MOM7UMskrtldcf3wT62QbyGbZFHec1uazjKFlvISWRcuLi4yuaxJ70u/M63GTw6v
2nAtDICE3+o51c+QUieLTzA+Gl8hsbNynn99+CzJQs5dyXRP8gznluoeUoQg7tns
lJSe0QecqbifitFOklJBe93KFNqHEiXSfNnJ9ROXLdC3/BZp0hECXflbeiKrDi0G
7C9+FHy7KQ8qlJ+3wp7wNwHRP7DnFyTINBPIQbq4iNyjMSiYwe6hL6n/V2i6acYU
FSHJ7WwnRmo=yb7v
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

RHEV 3.6 RHSA-2018-1689-01 Important: RHEVM Plugins Security Fix

red hat
Calendar Grey May 22, 2018
Dist Redhat Esm H88
Vital security patch issued for RHEV Manager's rhevm-setup-plugins, tackling significant cache side-channel vulnerabilities.
An update for rhevm-setup-plugins is now available for RHEV Manager version 3.6

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The rhevm-setup-plugins package adds functionality exclusive only to Red Hat Virtualization Manager, and is not available for the upstream ovirt-engine. It includes the configuration of the Red Hat Support plugin, copying downstream-only artifacts to the ISO domain, and links to the knowledgebase and other support material.
The following packages have been upgraded to a later upstream version: rhevm-setup-plugins (3.6.7). (BZ#1579010)
Security Fix(es):
* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)
Note: This is the rhevm-setup-plugins side of the CVE-2018-3639 mitigation.
Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.

Topics%20covered

Topics Covered

security advisory security update Red Hat critical virtualization cache attack rhevm-setup-plugins

References

https://access.redhat.com/security/cve/CVE-2018-3639 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/ssbd

Package List

RHEV-M 3.6 ELS:
Source: rhevm-setup-plugins-3.6.7-1.el6ev.src.rpm
noarch: rhevm-setup-plugins-3.6.7-1.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2018:1689-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2018:1689
Issue date: 2018-05-22

Topic

An update for rhevm-setup-plugins is now available for RHEV Manager version3.6.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory security update Red Hat critical virtualization cache attack rhevm-setup-plugins

Relevant Releases Architectures

RHEV-M 3.6 ELS - noarch

Bugs Fixed

1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here