An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems.
The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.

Security Fix(es):

* An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations via I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. (CVE-2016-3710)

Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360 Marvel Team) for reporting this issue.
For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Red Hat OpenStack 5.0 for RHEL 6

MD5: 4f94a6f0d911ae3e07ff038023bf7957
SHA-256: ffb544c68f7bcd2be00958177022172dcd9c1a21a2a0f2857dd77586911e18a2

MD5: 12b5c502d5241de3917cd0a8344ed370
SHA-256: 0ca5faadc554437bbac7e323dd1d6d0ae4dcff074a660d171dd2de9f3e0d3f3c

MD5: fcc4fe80b32ec60f040facac91977758
SHA-256: 3856e0bd04565c356896446c190b283a76148f0ce8ce03dff31d9e924f88b589

MD5: 424f40ba6149fb12f7afc0a13430bc92
SHA-256: 61434bcf40d1575ccca27dcbe556e4a31db79782fb03af95d09ed9c2816f036f

MD5: 70512d8a7113c427081fe96392436d57
SHA-256: 83123d758823f77a3541bacac09e9b6ebe67512b8e42da28be327c33071aecf1
(The unlinked packages above are only available from the Red Hat Network)
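The checksums above are only useful if they are actually compared against the downloaded files before installation, and the advisory also notes that the packages are GPG signed. The script below is an added example, not part of the Red Hat advisory: it embeds the five SHA-256 values listed above, checks a package file against them, and then runs rpm's own signature check. It assumes the operator supplies the package file name (the advisory excerpt above lists hashes without file names), that sha256sum or shasum is available, and that rpm is installed for the signature step. SHA-256 is the value to compare; the MD5 values are listed by the advisory but MD5 is not collision resistant and should not be relied on alone.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): verify a downloaded
# package against the SHA-256 values listed above before installing it.
# Assumptions: the package file name is supplied by the operator; sha256sum
# (or shasum -a 256) and, for the signature step, rpm are available.

# SHA-256 values copied from the advisory's package list.
ADVISORY_SHA256="
ffb544c68f7bcd2be00958177022172dcd9c1a21a2a0f2857dd77586911e18a2
0ca5faadc554437bbac7e323dd1d6d0ae4dcff074a660d171dd2de9f3e0d3f3c
3856e0bd04565c356896446c190b283a76148f0ce8ce03dff31d9e924f88b589
61434bcf40d1575ccca27dcbe556e4a31db79782fb03af95d09ed9c2816f036f
83123d758823f77a3541bacac09e9b6ebe67512b8e42da28be327c33071aecf1
"

# Print the SHA-256 digest of a file, portable across sha256sum and shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest equals the expected hex string (case-insensitive).
verify_sha256() {
    _file=$1
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha256_of "$_file")
    [ "$_actual" = "$_expected" ]
}

# Return 0 if the file's digest appears anywhere in the advisory's list.
in_advisory_list() {
    _actual=$(sha256_of "$1")
    for _h in $ADVISORY_SHA256; do
        [ "$_h" = "$_actual" ] && return 0
    done
    return 1
}

# Check the package's embedded GPG signature with rpm, if rpm is installed.
# rpm -K exits non-zero when the signature or digest does not verify;
# the Red Hat release key must already be imported into the rpm database.
verify_rpm_signature() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not available; skipping signature check" >&2
        return 2
    }
    rpm -K "$1"
}

# Usage: sh verify-package.sh <package.rpm>
if [ "$#" -eq 1 ]; then
    if in_advisory_list "$1"; then
        echo "SHA-256 matches an entry in the advisory"
        verify_rpm_signature "$1"
    else
        echo "SHA-256 does NOT match any advisory entry; do not install" >&2
        exit 1
    fi
fi
```

Run it as `sh verify-package.sh qemu-kvm-rhev-<version>.rpm` (placeholder name) on each downloaded package; a checksum mismatch exits non-zero before any signature check so a tampered or corrupted file is never passed on to rpm.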
1331401 – CVE-2016-3710 qemu: incorrect banked access bounds checking in vga module
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: