Red Hat Product Errata RHSA-2018:3470 - Security Advisory

Issued: 2018-11-05
Updated: 2018-11-05


Synopsis

Moderate: Red Hat Virtualization security and bug fix update

Type/Severity

Security Advisory: Moderate


Topic

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

Security Fix(es):

  • spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)
  • glusterfs: Multiple flaws (CVE-2018-10904, CVE-2018-10907, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661, CVE-2018-10913)
  • samba: Insufficient input validation in libsmbclient (CVE-2018-10858)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting CVE-2018-10904, CVE-2018-10907, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661, and CVE-2018-10913. The CVE-2018-10873 issue was discovered by Frediano Ziglio (Red Hat).

Bug Fix(es):

  • When upgrading Red Hat Virtualization Host (RHVH), imgbased fails to run garbage collection on previous layers, so new logical volumes are removed, and the boot entry points to a logical volume that was removed.

If the RHVH upgrade finishes successfully, the hypervisor boots successfully, even if garbage collection fails. (BZ#1632058)

  • During the upgrade process, when lvremove runs garbage collection, it prompts for user confirmation, causing the upgrade process to fail. Now the process uses "lvremove --force" when trying to remove logical volumes and does not fail even if garbage collection fails, and as a result, the upgrade process finishes successfully. (BZ#1632585)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization 4 for RHEL 7 x86_64
  • Red Hat Virtualization Host 4 for RHEL 7 x86_64

Fixes

  • BZ - 1501276 - RHVH 4.2 should include RHGS 3.4 Batch #1 packages
  • BZ - 1593731 - [downstream clone - 4.2.7] Rpm verify fails for newly installed libvirt-daemon-config-nwfilter package.
  • BZ - 1596008 - CVE-2018-10873 spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
  • BZ - 1601298 - CVE-2018-10904 glusterfs: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
  • BZ - 1601642 - CVE-2018-10907 glusterfs: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
  • BZ - 1601657 - CVE-2018-10911 glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
  • BZ - 1607617 - CVE-2018-10914 glusterfs: remote denial of service of gluster volumes via posix_get_file_contents function in posix-helpers.c
  • BZ - 1607618 - CVE-2018-10913 glusterfs: Information Exposure in posix_get_file_contents function in posix-helpers.c
  • BZ - 1610659 - CVE-2018-10923 glusterfs: I/O to arbitrary devices on storage server
  • BZ - 1612658 - CVE-2018-10927 glusterfs: File status information leak and denial of service
  • BZ - 1612659 - CVE-2018-10928 glusterfs: Improper resolution of symlinks allows for privilege escalation
  • BZ - 1612660 - CVE-2018-10929 glusterfs: Arbitrary file creation on storage server allows for execution of arbitrary code
  • BZ - 1612664 - CVE-2018-10930 glusterfs: Files can be renamed outside volume
  • BZ - 1612805 - CVE-2018-10858 samba: Insufficient input validation in libsmbclient
  • BZ - 1613143 - CVE-2018-10926 glusterfs: Device files can be created in arbitrary locations
  • BZ - 1613231 - goferd errors in /var/log/messages of Red Hat Virtualization Host
  • BZ - 1614971 - Upgrading RHV-H from 4.0.X to 4.2 is failing during migrate_var
  • BZ - 1619590 - Rebase RHV-H on RHEL 7.6
  • BZ - 1624453 - Host "hostname" moved to Non-Operational state as host does not meet the cluster's minimum CPU level. Missing CPU features : ssbd, spec_ctrl
  • BZ - 1626960 - [el7.6]Network parameters IPv4/route/ovirtmgmt are missing during deploying Hosted-Engine
  • BZ - 1631576 - CVE-2018-14654 glusterfs: "features/index" translator can create arbitrary, empty files
  • BZ - 1632585 - lvremove command will fail if it asks for confirmation while removing old RHV-H layers
  • BZ - 1632974 - CVE-2018-14652 glusterfs: Buffer overflow in "features/locks" translator allows for denial of service
  • BZ - 1633431 - CVE-2018-14653 glusterfs: Heap-based buffer overflow via "gf_getspec_req" RPC message
  • BZ - 1635926 - CVE-2018-14660 glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
  • BZ - 1635929 - CVE-2018-14659 glusterfs: Unlimited file creation via "GF_XATTR_IOSTATS_DUMP_KEY" xattr allows for denial of service
  • BZ - 1636880 - CVE-2018-14661 glusterfs: features/locks translator passes a user-controlled string to snprintf without a proper format string, resulting in a denial of service

CVEs

  • CVE-2018-10858
  • CVE-2018-10873
  • CVE-2018-10904
  • CVE-2018-10907
  • CVE-2018-10911
  • CVE-2018-10913
  • CVE-2018-10914
  • CVE-2018-10923
  • CVE-2018-10926
  • CVE-2018-10927
  • CVE-2018-10928
  • CVE-2018-10929
  • CVE-2018-10930
  • CVE-2018-14652
  • CVE-2018-14653
  • CVE-2018-14654
  • CVE-2018-14659
  • CVE-2018-14660
  • CVE-2018-14661
  • CVE-2018-1000805

References

  • https://access.redhat.com/security/updates/classification/#moderate
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Virtualization 4 for RHEL 7

SRPM

  • imgbased-1.0.29-1.el7ev.src.rpm (SHA-256: 2d7f8d2b569e6d0864087896011c994693b9371c541cb443832252d863b4810c)
  • redhat-release-virtualization-host-4.2-7.3.el7.src.rpm (SHA-256: 470b8eba77fe93cce6bbc5e149fff9fae49999f6fd3f55bec654e92f4ada058c)

x86_64

  • imgbased-1.0.29-1.el7ev.noarch.rpm (SHA-256: 54708bacb20a36d3f65f424181695d6b028f6a534353becfc9240e4fa9c331d3)
  • python-imgbased-1.0.29-1.el7ev.noarch.rpm (SHA-256: 2b4114b17c12cdf11970978fea4d5a6ed6402b2f87b71889779efd415f7f3bf7)
  • redhat-release-virtualization-host-4.2-7.3.el7.x86_64.rpm (SHA-256: c8cb59b3663da646682dfe09fa44d92971bcb8bb237f72af3b2b0fd250e9b3e1)
  • redhat-virtualization-host-image-update-placeholder-4.2-7.3.el7.noarch.rpm (SHA-256: c94125cf06484ea1ac58ddcbac9857dca6593d10836f6e0d71c6dcb97199df79)

Red Hat Virtualization Host 4 for RHEL 7

SRPM

  • redhat-virtualization-host-4.2-20181026.0.el7_6.src.rpm (SHA-256: d8942531e54cbf54be924ec07d3f2a4e67fe0f40d1627c0430dc06c5bd704d5b)

x86_64

  • redhat-virtualization-host-image-update-4.2-20181026.0.el7_6.noarch.rpm (SHA-256: f0101beaf442bba273da8463cc98ff733b3e500fd451087814c60a281febc101)
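As an added check that is not part of the advisory, the following Python compares the name-version-release.arch string that `rpm -q` prints for a package against the fixed builds listed in this advisory's package table, and checks a downloaded RPM's bytes against the table's SHA-256. Version comparison follows rpmvercmp's segment rules; epochs and the rare '^' separator are not handled, and the "older" builds used in the test are constructed, not real Red Hat builds.

```python
import hashlib
import re

# Fixed builds and SHA-256 value copied from the RHSA-2018:3470 package table.
FIXED = {
    "redhat-virtualization-host-image-update": ("4.2", "20181026.0.el7_6"),
    "imgbased": ("1.0.29", "1.el7ev"),
}
ADVISORY_SHA256 = {
    "redhat-virtualization-host-image-update-4.2-20181026.0.el7_6.noarch.rpm":
        "f0101beaf442bba273da8463cc98ff733b3e500fd451087814c60a281febc101",
}
_SEP = re.compile(r"^[^0-9A-Za-z~]+")  # rpm skips separators between segments

def rpmvercmp(a, b):
    """rpmvercmp semantics: digit runs beat letter runs, '~' = pre-release. Returns -1/0/1."""
    while a or b:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        if a.startswith("~") or b.startswith("~"):  # '~' sorts before anything, even ""
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        pat = r"\d+" if a[0].isdigit() else r"[A-Za-z]+"
        sa, mb = re.match(pat, a).group(), re.match(pat, b)
        if mb is None:  # segment types differ: the numeric side is newer
            return 1 if sa[0].isdigit() else -1
        sb = mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if sa[0].isdigit():  # numeric: drop leading zeros, longer is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return 0 if not a and not b else (1 if a else -1)

def is_fixed(nvra):
    """True if 'rpm -q NAME' output (name-version-release.arch, no epoch) is at or past the fix."""
    name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    fixed_ver, fixed_rel = FIXED[name]
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0

def data_matches_advisory(filename, data):
    """True if the RPM file's bytes hash to the advisory's SHA-256 for that file name."""
    return hashlib.sha256(data).hexdigest() == ADVISORY_SHA256[filename]
```

Feed is_fixed the output of `rpm -q redhat-virtualization-host-image-update` on the host; False means the installed build predates this advisory.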

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
