Skip to navigation

Security Advisory Important: rhev-hypervisor6 security and bug fix update

Advisory: RHSA-2013:1527-1
Type: Security Advisory
Severity: Important
Issued on: 2013-11-21
Last updated on: 2013-11-21
Affected Products: Red Hat Enterprise Virtualization 3
CVEs (cve.mitre.org): CVE-2010-5107
CVE-2013-2888
CVE-2013-2889
CVE-2013-2892
CVE-2013-4238
CVE-2013-4344

Details

An updated rhev-hypervisor6 package that fixes multiple security issues and
one bug is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization
Hypervisor through the 3.2 Manager administration portal, the Host may
appear with the status of "Install Failed". If this happens, place the host
into maintenance mode, then activate it again to get the host back to an
"Up" state.

A buffer overflow flaw was found in the way QEMU processed the SCSI "REPORT
LUNS" command when more than 256 LUNs were specified for a single SCSI
target. A privileged guest user could use this flaw to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2013-4344)

Multiple flaws were found in the way Linux kernel handled HID (Human
Interface Device) reports. An attacker with physical access to the system
could use this flaw to crash the system or, potentially, escalate their
privileges on the system. (CVE-2013-2888, CVE-2013-2889, CVE-2013-2892)

A flaw was found in the way the Python SSL module handled X.509 certificate
fields that contain a NULL byte. An attacker could potentially exploit this
flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that
to exploit this issue, an attacker would need to obtain a carefully crafted
certificate signed by an authority that the client trusts. (CVE-2013-4238)

The default OpenSSH configuration made it easy for remote attackers to
exhaust unauthorized connection slots and prevent other users from being
able to log in to a system. This flaw has been addressed by enabling random
early connection drops by setting MaxStartups to 10:30:100 by default.
For more information, refer to the sshd_config(5) man page. (CVE-2010-5107)

The CVE-2013-4344 issue was discovered by Asias He of Red Hat.

This updated package provides updated components that include fixes for
various security issues. These issues have no security impact on Red Hat
Enterprise Virtualization Hypervisor itself, however. The security fixes
included in this update address the following CVE numbers:

CVE-2012-0786 and CVE-2012-0787 (augeas issues)

CVE-2013-1813 (busybox issue)

CVE-2013-0221, CVE-2013-0222, and CVE-2013-0223 (coreutils issues)

CVE-2012-4453 (dracut issue)

CVE-2013-4332, CVE-2013-0242, and CVE-2013-1914 (glibc issues)

CVE-2013-4387, CVE-2013-0343, CVE-2013-4345, CVE-2013-4591, CVE-2013-4592,
CVE-2012-6542, CVE-2013-3231, CVE-2013-1929, CVE-2012-6545, CVE-2013-1928,
CVE-2013-2164, CVE-2013-2234, and CVE-2013-2851 (kernel issues)

CVE-2013-4242 (libgcrypt issue)

CVE-2013-4419 (libguestfs issue)

CVE-2013-1775, CVE-2013-2776, and CVE-2013-2777 (sudo issues)

This update also fixes the following bug:

* A previous version of the rhev-hypervisor6 package did not contain the
latest vhostmd package, which provides a "metrics communication channel"
between a host and its hosted virtual machines, allowing limited
introspection of host resource usage from within virtual machines. This has
been fixed, and rhev-hypervisor6 now includes the latest vhostmd package.
(BZ#1026703)

This update also contains the fixes from the following errata:

* ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1528.html

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package, which corrects these issues.


Solution

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

Updated packages

Red Hat Enterprise Virtualization 3

x86_64:
rhev-hypervisor6-6.5-20131115.0.3.2.el6_5.noarch.rpm
File outdated by:  RHSA-2014:0378
    MD5: 7573077520d72a892972ccd3612d952d
SHA-256: a729ccb1e8cb2a7e9ffb76f5378a5660d1b701fc80c591e41cb4c42cf29eb5bc
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1000429 - CVE-2013-2892 Kernel: HID: pantherlord: heap overflow flaw
1000451 - CVE-2013-2888 Kernel: HID: memory corruption flaw
1007330 - CVE-2013-4344 qemu: buffer overflow in scsi_target_emulate_report_luns
1026703 - Latest vhostmd package is not built in
908060 - rhev-hypervisor 6.5 release
908707 - CVE-2010-5107 openssh: Prevent connection slot exhaustion attacks
996381 - CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
999890 - CVE-2013-2889 Kernel: HID: zeroplus: heap overflow flaw


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/