Issued:
2018-05-21
Updated:
2018-05-21

RHSA-2018:1630 - Security Advisory

Synopsis

Important: kernel-rt security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software side of the mitigation for this hardware issue. To be fully functional, up-to-date CPU microcode applied on the system is required. Please refer to References section for further information about this issue, CPU microcode requirements and the potential performance impact.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-862.3.2.rt56.808.el7.src.rpm SHA-256: 75c8bc74b4e21964e4e9ae117a6b92caa87ab798528a17e2439ac6ec24a2e8ca
x86_64
kernel-rt-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 1020057de30591ce54bc1b6d48fa2f759530c8d41f940a57451ffcc4ade9c20b
kernel-rt-debug-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: b8c09784a1324e39dacaff6ccdde9bc05e45e27cb7599c87201bc859f306c63f
kernel-rt-debug-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 5e69c5ce6dcbf5ce1a5cd778500be8a0db232fa5625da958992c50feb2ff0a54
kernel-rt-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 6505556eb50067bce48dee8654753a5480cfa3b14812aba9f81b02a01549da9b
kernel-rt-doc-3.10.0-862.3.2.rt56.808.el7.noarch.rpm SHA-256: 692170ae82723e84de408abf3d4da16892b674ca1d311ac9229c0b65ff2fca14
kernel-rt-trace-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 3dc60062eac1e315356e329390b9d1e148a1c69996dacb886f7caecc14f5d0aa
kernel-rt-trace-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 8b4bb765b56e1c52b05ff15bfc8645e8a56bef430247ddecd7d0c0fabf6be1a4

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-862.3.2.rt56.808.el7.src.rpm SHA-256: 75c8bc74b4e21964e4e9ae117a6b92caa87ab798528a17e2439ac6ec24a2e8ca
x86_64
kernel-rt-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 1020057de30591ce54bc1b6d48fa2f759530c8d41f940a57451ffcc4ade9c20b
kernel-rt-debug-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: b8c09784a1324e39dacaff6ccdde9bc05e45e27cb7599c87201bc859f306c63f
kernel-rt-debug-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 4d65a78e7d9af947458a64a3e476e916d13ebbe86a6b0f6b90df969916127f01
kernel-rt-debug-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 5e69c5ce6dcbf5ce1a5cd778500be8a0db232fa5625da958992c50feb2ff0a54
kernel-rt-debug-kvm-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 6713fea30573b571aa5f854ec770ef8a38f014ef9c42240a95b9eea42e9c0867
kernel-rt-debug-kvm-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 0c46b980b1c71f25bdf2a9b4a248a6e59d1d33b697bb66756aa889d5b2a16f55
kernel-rt-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: edfbcc2d148802ca70d66a98c19ef9122b358c1b58b619d37aa25a104b6525b3
kernel-rt-debuginfo-common-x86_64-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 5ea08e08ea7e02175d41cc426dafde51dae0acf20709e0eed8c20b8a7732e578
kernel-rt-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 6505556eb50067bce48dee8654753a5480cfa3b14812aba9f81b02a01549da9b
kernel-rt-doc-3.10.0-862.3.2.rt56.808.el7.noarch.rpm SHA-256: 692170ae82723e84de408abf3d4da16892b674ca1d311ac9229c0b65ff2fca14
kernel-rt-kvm-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: e22745eb964de245be29f14f3c1e7f693aeae99e9305b49c79342b406a780388
kernel-rt-kvm-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 3b51d89d0e211d878e4af35c3d4bbd5db439fdb526bc05ffde228eaedefecdb1
kernel-rt-trace-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 3dc60062eac1e315356e329390b9d1e148a1c69996dacb886f7caecc14f5d0aa
kernel-rt-trace-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 01d2d12dd9439eb4fb708075e7dcebb9d544cb03593a57298569935f053f89c3
kernel-rt-trace-devel-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 8b4bb765b56e1c52b05ff15bfc8645e8a56bef430247ddecd7d0c0fabf6be1a4
kernel-rt-trace-kvm-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 479620a0ce9eb1bc1fe1fbe5684ac1fc1f2cc3d44b8707922fc463cf50206810
kernel-rt-trace-kvm-debuginfo-3.10.0-862.3.2.rt56.808.el7.x86_64.rpm SHA-256: 323565d2dde5f6ceffca15754d30eec14bf962d9d7e4fb6a27d6e9f76497fda7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.