Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2018:1369 - Security Advisory
Issued:
2018-05-10
Updated:
2018-05-10

RHSA-2018:1369 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: qemu-kvm-rhev security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

Security Fix(es):

  • QEMU: i386: multiboot OOB access while loading kernel image (CVE-2018-7550)
  • QEMU: cirrus: OOB access when updating VGA display (CVE-2018-7858)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Cyrille Chatras (Orange.com) and CERT-CC (Orange.com) for reporting CVE-2018-7550 and Ross Lagerwall (Citrix.com) for reporting CVE-2018-7858.

Bug Fix(es):

  • In certain Red Hat Virtualization (RHV) guest configurations, virtual pass-through devices could not be removed properly. A reference count leak in the QEMU emulator has been removed, and the affected devices are now removed reliably. (BZ#1555213)
  • Previously, a raw disk image that was using the "--preallocation=full" option in some cases could not be resized. This problem has been fixed and no longer occurs. (BZ#1566587)
  • Due to race conditions in the virtio-blk and virtio-scsi services, the QEMU emulator sometimes terminated unexpectedly when shutting down. The race conditions have been removed, and QEMU now exits gracefully. (BZ#1566586)
  • Prior to this update, deleting guest snapshots using the RHV GUI in some cases failed due to an incorrect image-seeking algorithm. This update fixes the underlying code, and guest snapshots in RHV can now be deleted successfully. (BZ#1566369)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

  • Red Hat Virtualization 4 for RHEL 7 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 7 ppc64le

Fixes

  • BZ - 1549798 - CVE-2018-7550 QEMU: i386: multiboot OOB access while loading kernel image
  • BZ - 1553402 - CVE-2018-7858 QEMU: cirrus: OOB access when updating VGA display
  • BZ - 1555213 - [Q35] "DEVICE_DELETED" event didn't return after delete the second passthrough vf device [rhel-7.5.z]
  • BZ - 1566369 - qemu-img commit fails with "block/file-posix.c:1774: find_allocation: Assertion `offs >= start' failed" [rhel-7.5.z]
  • BZ - 1566586 - Occurred core dump with multi-object when quitted qemu during doing IO [rhel-7.5.z]
  • BZ - 1566587 - Unable to resize image with preallocation=full mode [rhel-7.5.z]

CVEs

  • CVE-2018-7550
  • CVE-2018-7858

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 4 for RHEL 7

SRPM
qemu-kvm-rhev-2.10.0-21.el7_5.2.src.rpm SHA-256: 234fe2afcedb33a903081ef15109c80dcde3281c55a874e89a966dd14a56018b
x86_64
qemu-img-rhev-2.10.0-21.el7_5.2.x86_64.rpm SHA-256: e595db1d47aa26dd2833c96c2f7f1206265f63a00e6b6abece6a15756ce7e857
qemu-kvm-common-rhev-2.10.0-21.el7_5.2.x86_64.rpm SHA-256: 1e71bec0e4caec86e4c05c4f368b0e1e45ca01e2a2d73346e413028755d10561
qemu-kvm-rhev-2.10.0-21.el7_5.2.x86_64.rpm SHA-256: e8119684b2ac9040a7a5f92ecdf4ac245fb6cda14421dd1c97a3fe5774a62c3a
qemu-kvm-rhev-debuginfo-2.10.0-21.el7_5.2.x86_64.rpm SHA-256: fb4ad634b046630c77c1a5d2e5487c9d5c3179bf76a9a90e42f63263bb884007
qemu-kvm-tools-rhev-2.10.0-21.el7_5.2.x86_64.rpm SHA-256: 3d17bca9db06d6aae69dcec32e7719cd64f1d732fe34a72ba1232c0131028e1e

Red Hat Virtualization for IBM Power LE 4 for RHEL 7

SRPM
qemu-kvm-rhev-2.10.0-21.el7_5.2.src.rpm SHA-256: 234fe2afcedb33a903081ef15109c80dcde3281c55a874e89a966dd14a56018b
ppc64le
qemu-img-rhev-2.10.0-21.el7_5.2.ppc64le.rpm SHA-256: d7a8c572b1580afca454432d5a85b58c9593257eda33887730ca133282e90b80
qemu-kvm-common-rhev-2.10.0-21.el7_5.2.ppc64le.rpm SHA-256: 970a0c9a5d18d4dfc7767980e9b7737daddd0d971c781e3dc454e3297fb8e89a
qemu-kvm-rhev-2.10.0-21.el7_5.2.ppc64le.rpm SHA-256: cfb897d94df43966a95bff50bc1280336837ced287228610ab6c086b021d33df
qemu-kvm-rhev-debuginfo-2.10.0-21.el7_5.2.ppc64le.rpm SHA-256: e85ec75be3571d74d7567e9e29ced33b44928b1b159de58044537e5dcfeca849
qemu-kvm-tools-rhev-2.10.0-21.el7_5.2.ppc64le.rpm SHA-256: a09e0e52467bb582ca9a312a6bc187a2587c818511a0daa60dc8da81cdd79910

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter