An updated rhev-hypervisor6 package that fixes multiple security issues is now available for Red Hat Enterprise Virtualization 3.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)

A race condition flaw was found in the way the Linux kernel’s KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)

A flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions. (CVE-2014-3511)

A memory leak flaw was found in the way OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. (CVE-2014-3567)

It was found that the Linux kernel’s KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invvpid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646)

Red Hat would like to thank Qualys for reporting the CVE-2015-0235 issue, Lars Bull of Google for reporting the CVE-2014-3611 issue, and the Advanced Threat Research team at Intel Security for reporting the CVE-2014-3645 and CVE-2014-3646 issues.

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.

1127504 – CVE-2014-3511 openssl: TLS protocol downgrade attack
1144825 – CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled
1144835 – CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled
1144878 – CVE-2014-3611 kernel: kvm: PIT timer race condition
1152563 – Tracker: RHEV-H 6.6 for RHEV 3.4.z build
1152961 – CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
1180044 – Incorrect glusterfs package in to RHEVH 6.6 for 3.4.4 and 3.5 build [rhev-3.4.z]
1183461 – CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
1185720 – Incorrect rhn-virtualization-host and rhn-virtualization-common packages in RHEVH 6.6 for rhev 3.4.5

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: