Red Hat Product Errata RHSA-2016:1652 - Security Advisory

Issued:: 2016-08-23
Updated:: 2016-08-23

RHSA-2016:1652 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: qemu-kvm-rhev security update

Type/Severity

Security Advisory: Moderate

Topic

An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.

Security Fix(es):

Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)

Red Hat would like to thank hongzhenhao (Marvel Team) for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

Red Hat OpenStack 5.0 for RHEL 6 x86_64

Fixes

BZ - 1358359 - CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest leading to DoS

CVEs

CVE-2016-5403

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 5.0 for RHEL 6

SRPM
qemu-kvm-rhev-0.12.1.2-2.491.el6_8.3.src.rpm	SHA-256: d4647df0eae12399431cfbed9970101576f0356b581fe3ee001c3342c9ff9378
x86_64
qemu-img-rhev-0.12.1.2-2.491.el6_8.3.x86_64.rpm	SHA-256: 9a1daad0b7dcb7a29ce40bfd6de03b3662dae3a3111815539cfe69485942d902
qemu-kvm-rhev-0.12.1.2-2.491.el6_8.3.x86_64.rpm	SHA-256: 4b5c377626441343a78763b75717dc267baa5fffe1a631f390df268d97571048
qemu-kvm-rhev-debuginfo-0.12.1.2-2.491.el6_8.3.x86_64.rpm	SHA-256: d46df1ca84c21fe43c43fed13ea343a336d553046b7d6b3ed94d837e728b69e6
qemu-kvm-rhev-tools-0.12.1.2-2.491.el6_8.3.x86_64.rpm	SHA-256: 684c5348555013a4dfb3fb504988e1ff563114eaf66073d8828de3a3e04c7c0c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories