Issued:
2018-05-21
Updated:
2018-05-21

RHSA-2018:1662 - Security Advisory

Synopsis

Important: qemu-kvm security update

Type/Severity

Security Advisory: Important

Topic

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.3 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

  • An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

Note: This is the qemu-kvm side of the CVE-2018-3639 mitigation.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 x86_64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
  • Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
  • Red Hat Enterprise Linux Server - AUS 7.3 x86_64
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3 ppc64le
  • Red Hat Enterprise Linux Server - TUS 7.3 x86_64
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3 ppc64le
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3 x86_64

Fixes

  • BZ - 1566890 - CVE-2018-3639 hw: cpu: speculative store bypass

CVEs

References

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
x86_64
qemu-img-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b1e7f1b3040088fa53631ee5ad0cd705f8b13a39f9ff0615d5f78e8c15831967
qemu-kvm-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: a7981f407b263c4442c26794c36d9c1f0e39d05419cf118fbf85def7285bcd6d
qemu-kvm-common-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b0d3a6ad55c4c57f3930acbadc90100346dbef597b5a1fc0ef95d661310243d6
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 659ea1389dd01e04386fc929b5249d519934e1ca69cb2653bec142da05dea19b
qemu-kvm-tools-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 9a2682ed09aee1585551dab752de914fe52a40902fcee0524df1809f0c35f3ac

Red Hat Enterprise Linux Server - AUS 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
x86_64
qemu-img-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b1e7f1b3040088fa53631ee5ad0cd705f8b13a39f9ff0615d5f78e8c15831967
qemu-kvm-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: a7981f407b263c4442c26794c36d9c1f0e39d05419cf118fbf85def7285bcd6d
qemu-kvm-common-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b0d3a6ad55c4c57f3930acbadc90100346dbef597b5a1fc0ef95d661310243d6
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 659ea1389dd01e04386fc929b5249d519934e1ca69cb2653bec142da05dea19b
qemu-kvm-tools-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 9a2682ed09aee1585551dab752de914fe52a40902fcee0524df1809f0c35f3ac

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
ppc64
qemu-img-1.5.3-126.el7_3.14.ppc64.rpm SHA-256: 7b0b7e8422b97afe6c6153e8553b83eeadfa6029a045eff64eec99ed8bcb0c85
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.ppc64.rpm SHA-256: 017590c51205e5195c918543c8f0fbc13b66e8e9fc8e30471e96a1638256d8bf

Red Hat Enterprise Linux EUS Compute Node 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
x86_64
qemu-img-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b1e7f1b3040088fa53631ee5ad0cd705f8b13a39f9ff0615d5f78e8c15831967
qemu-kvm-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: a7981f407b263c4442c26794c36d9c1f0e39d05419cf118fbf85def7285bcd6d
qemu-kvm-common-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b0d3a6ad55c4c57f3930acbadc90100346dbef597b5a1fc0ef95d661310243d6
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 659ea1389dd01e04386fc929b5249d519934e1ca69cb2653bec142da05dea19b
qemu-kvm-tools-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 9a2682ed09aee1585551dab752de914fe52a40902fcee0524df1809f0c35f3ac

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
ppc64le
qemu-img-1.5.3-126.el7_3.14.ppc64le.rpm SHA-256: ed5becffab7a4a53b52cd7bed1e304cb9490f3e89b51ddf72f2ff405ab26d393
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.ppc64le.rpm SHA-256: b1411b4445691423924879fbcfc55055ba11b6af7a8cf9b3da39f5be3d7a343b

Red Hat Enterprise Linux Server - TUS 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
x86_64
qemu-img-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b1e7f1b3040088fa53631ee5ad0cd705f8b13a39f9ff0615d5f78e8c15831967
qemu-kvm-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: a7981f407b263c4442c26794c36d9c1f0e39d05419cf118fbf85def7285bcd6d
qemu-kvm-common-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b0d3a6ad55c4c57f3930acbadc90100346dbef597b5a1fc0ef95d661310243d6
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 659ea1389dd01e04386fc929b5249d519934e1ca69cb2653bec142da05dea19b
qemu-kvm-tools-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 9a2682ed09aee1585551dab752de914fe52a40902fcee0524df1809f0c35f3ac

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
ppc64le
qemu-img-1.5.3-126.el7_3.14.ppc64le.rpm SHA-256: ed5becffab7a4a53b52cd7bed1e304cb9490f3e89b51ddf72f2ff405ab26d393
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.ppc64le.rpm SHA-256: b1411b4445691423924879fbcfc55055ba11b6af7a8cf9b3da39f5be3d7a343b

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3

SRPM
qemu-kvm-1.5.3-126.el7_3.14.src.rpm SHA-256: c90a7e9499d7bbd7390b33e747fe9444066c42e72229cb069c44f3ef9ab37bfd
x86_64
qemu-img-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b1e7f1b3040088fa53631ee5ad0cd705f8b13a39f9ff0615d5f78e8c15831967
qemu-kvm-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: a7981f407b263c4442c26794c36d9c1f0e39d05419cf118fbf85def7285bcd6d
qemu-kvm-common-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: b0d3a6ad55c4c57f3930acbadc90100346dbef597b5a1fc0ef95d661310243d6
qemu-kvm-debuginfo-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 659ea1389dd01e04386fc929b5249d519934e1ca69cb2653bec142da05dea19b
qemu-kvm-tools-1.5.3-126.el7_3.14.x86_64.rpm SHA-256: 9a2682ed09aee1585551dab752de914fe52a40902fcee0524df1809f0c35f3ac

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.