Red Hat Product Errata RHSA-2018:2404 - Security Advisory

Issued:: 2018-08-15
Updated:: 2018-08-15

RHSA-2018:2404 - Security Advisory

Overview
Updated Packages

Synopsis

Important: rhev-hypervisor7 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rhev-hypervisor7 is now available for RHEV 3.X Hypervisor and Agents for Red Hat Enterprise Linux 6 and RHEV 3.X Hypervisor and Agents Extended Lifecycle Support for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The rhev-hypervisor7 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Security Fix(es):

Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization - ELS 7 x86_64
Red Hat Virtualization - ELS 6 x86_64

Fixes

BZ - 1585005 - CVE-2018-3646 CVE-2018-3620 Kernel: hw: cpu: L1 terminal fault (L1TF)
BZ - 1614065 - [Tracker] Tracking bug for RHEV-H 3.6.13 respin

CVEs

References

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/security/vulnerabilities/L1TF

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization - ELS 7

SRPM
rhev-hypervisor7-7.3-20180813.0.el7ev.src.rpm	SHA-256: 021ca289e2572a6b35e30aa58a54f42e972c2ab6322a2869d2221e8c87f3eafd
x86_64
rhev-hypervisor7-7.3-20180813.0.el7ev.noarch.rpm	SHA-256: 7347c48fe294a000a6c60ee1a8ca2c3644004abece18743b5c7ac9e05d42f5ae

Red Hat Virtualization - ELS 6

SRPM
rhev-hypervisor7-7.3-20180813.0.el6ev.src.rpm	SHA-256: b09e30e70059e198414d70c4ea9b8c2b614e95bfde959b529b1bb88de4472611
x86_64
rhev-hypervisor7-7.3-20180813.0.el6ev.noarch.rpm	SHA-256: 7560bda81db5952ba039e427d6bc924f145fa500d2089c3440df1aa8ca72909d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories