An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager.

Security Fix(es):

* Quick emulator (Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)

Red Hat would like to thank hongzhenhao (Marvel Team) for reporting this issue.
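The following is an added illustration, not code from QEMU or from this advisory. It models a virtqueue as the host sees it with a constructed, much simplified structure: the guest-written available index is untrusted, and each popped request costs a host-side allocation. The unbounded variant mirrors the behaviour the advisory describes (every advance of the available index yields a new VirtQueueElement, whether or not the device has completed anything), and the bounded variant shows the shape of the mitigation: refuse to pop once more elements are in flight than the ring can hold. The structure names, field names and sizes are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of a virtio virtqueue as the host sees it.
 * Constructed for this example; not QEMU's own data structure. */
typedef struct {
    unsigned num;            /* ring size agreed with the guest */
    unsigned inuse;          /* elements popped by the device, not yet completed */
    unsigned last_avail_idx; /* how far the host has consumed the available ring */
} VirtQueue;

/* Each popped request costs a host-side allocation. */
typedef struct {
    unsigned head;
    unsigned char sg[128];   /* stand-in for descriptor-chain bookkeeping */
} VirtQueueElement;

typedef struct {
    unsigned allocated;      /* elements live on the host at the end of the run */
    int      rejected;       /* 1 if the bounded pop refused a request */
} SimResult;

/*
 * Pop the next request. `avail_idx` is the guest-written available index and
 * must be treated as untrusted. With bounded == 0 every advance of avail_idx
 * yields a fresh allocation (the vulnerable behaviour). With bounded == 1 the
 * host refuses once more elements are in flight than the ring holds.
 */
static VirtQueueElement *virtqueue_pop(VirtQueue *vq, unsigned avail_idx,
                                       int bounded, int *rejected)
{
    if (vq->last_avail_idx == avail_idx) {
        return NULL;                 /* nothing pending */
    }
    if (bounded && vq->inuse >= vq->num) {
        *rejected = 1;               /* guest exceeded the virtqueue size */
        return NULL;
    }
    VirtQueueElement *elem = calloc(1, sizeof(*elem));
    if (elem == NULL) {
        return NULL;
    }
    elem->head = vq->last_avail_idx % vq->num;
    vq->last_avail_idx++;
    vq->inuse++;
    return elem;
}

/* Device completes a request and hands its element back. */
static void virtqueue_push(VirtQueue *vq, VirtQueueElement *elem)
{
    free(elem);
    vq->inuse--;
}

/*
 * Simulate a guest that advances the available index `requests` times while
 * the device has completed none of them. Returns how many elements the host
 * had to keep allocated and whether the bounded variant rejected the flood.
 */
SimResult simulate_guest_flood(unsigned ring_size, unsigned requests, int bounded)
{
    VirtQueue vq = { .num = ring_size, .inuse = 0, .last_avail_idx = 0 };
    VirtQueueElement **live = calloc(requests, sizeof(*live));
    SimResult r = { 0, 0 };
    if (live == NULL) {
        return r;
    }
    for (unsigned i = 0; i < requests; i++) {
        VirtQueueElement *e = virtqueue_pop(&vq, requests, bounded, &r.rejected);
        if (e == NULL) {
            break;
        }
        live[r.allocated++] = e;
    }
    /* Tear down so the simulation itself does not leak. */
    for (unsigned i = 0; i < r.allocated; i++) {
        virtqueue_push(&vq, live[i]);
    }
    free(live);
    return r;
}

int main(void)
{
    SimResult before = simulate_guest_flood(256, 100000, 0);
    SimResult after  = simulate_guest_flood(256, 100000, 1);
    printf("unbounded: %u elements (%zu bytes) live for a 256-entry ring\n",
           before.allocated, (size_t)before.allocated * sizeof(VirtQueueElement));
    printf("bounded:   %u elements live, rejected=%d\n",
           after.allocated, after.rejected);
    return 0;
}
```

The point the bounded variant makes is that the ring size is the only host-side limit the guest cannot move, so it is the right quantity to check in-flight elements against: a well-behaved guest never has more than `num` outstanding requests, while a misbehaving one is stopped at exactly that bound instead of growing host memory without limit.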
For details on how to apply this update, which includes the changes described in this advisory, refer to:

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

Red Hat OpenStack 5.0 for RHEL 6

    MD5: 8c1eccc7104b05002873b3878162d968
    SHA-256: d4647df0eae12399431cfbed9970101576f0356b581fe3ee001c3342c9ff9378

    MD5: 70bb255dc71aa02be4083e62cc817107
    SHA-256: 9a1daad0b7dcb7a29ce40bfd6de03b3662dae3a3111815539cfe69485942d902

    MD5: ee56349e8709765e9f5011ba2f3409a4
    SHA-256: 4b5c377626441343a78763b75717dc267baa5fffe1a631f390df268d97571048

    MD5: 1e3698ca942da1bfd944b8aa735b6e31
    SHA-256: d46df1ca84c21fe43c43fed13ea343a336d553046b7d6b3ed94d837e728b69e6

    MD5: 1678171a69d510a9c031b5e11a93b94b
    SHA-256: 684c5348555013a4dfb3fb504988e1ff563114eaf66073d8828de3a3e04c7c0c
(The unlinked packages above are only available from the Red Hat Network)

1358359 – CVE-2016-5403 Qemu: virtio: unbounded memory allocation on host via guest leading to DoS

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
