RHEL 7 : Virtualization Manager (RHSA-2018:3470)

High Nessus Plugin ID 118790

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update for imgbased, redhat-release-virtualization-host, and
redhat-virtualization-host is now available for Red Hat Virtualization
4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The redhat-virtualization-host packages provide the Red Hat
Virtualization Host. These packages include
redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.
Red Hat Virtualization Hosts (RHVH) are installed using a special
build of Red Hat Enterprise Linux with only the packages required to
host virtual machines. RHVH features a Cockpit user interface for
monitoring the host's resources and performing administrative tasks.

Security Fix(es) :

* spice: Missing check in demarshal.py:write_validate_array_item()
allows for buffer overflow and denial of service (CVE-2018-10873)

* glusterfs: Multiple flaws (CVE-2018-10904, CVE-2018-10907,
CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928,
CVE-2018-10929, CVE-2018-10930, CVE-2018-10911, CVE-2018-10914,
CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659,
CVE-2018-14660, CVE-2018-14661, CVE-2018-10913)

* samba: Insufficient input validation in libsmbclient
(CVE-2018-10858)

For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.

Red Hat would like to thank Michael Hanselmann (hansmi.ch) for
reporting CVE-2018-10904, CVE-2018-10907, CVE-2018-10923,
CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929,
CVE-2018-10930, CVE-2018-10911, CVE-2018-10914, CVE-2018-14652,
CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660,
CVE-2018-14661, and CVE-2018-10913. The CVE-2018-10873 issue was
discovered by Frediano Ziglio (Red Hat).

Bug Fix(es) :

* When upgrading Red Hat Virtualization Host (RHVH), imgbased fails to
run garbage collection on previous layers, so new logical volumes are
removed, and the boot entry points to a logical volume that was
removed.

If the RHVH upgrade finishes successfully, the hypervisor boots
successfully, even if garbage collection fails. (BZ#1632058)

* During the upgrade process, when lvremove runs garbage collection,
it prompts for user confirmation, causing the upgrade process to fail.
Now the process uses 'lvremove --force' when trying to remove logical
volumes and does not fail even if garbage collection fails, and as a
result, the upgrade process finishes successfully. (BZ#1632585)

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2018:3470

https://access.redhat.com/security/cve/cve-2018-10858

https://access.redhat.com/security/cve/cve-2018-10873

https://access.redhat.com/security/cve/cve-2018-10904

https://access.redhat.com/security/cve/cve-2018-10907

https://access.redhat.com/security/cve/cve-2018-10911

https://access.redhat.com/security/cve/cve-2018-10913

https://access.redhat.com/security/cve/cve-2018-10914

https://access.redhat.com/security/cve/cve-2018-10923

https://access.redhat.com/security/cve/cve-2018-10926

https://access.redhat.com/security/cve/cve-2018-10927

https://access.redhat.com/security/cve/cve-2018-10928

https://access.redhat.com/security/cve/cve-2018-10929

https://access.redhat.com/security/cve/cve-2018-10930

https://access.redhat.com/security/cve/cve-2018-14652

https://access.redhat.com/security/cve/cve-2018-14653

https://access.redhat.com/security/cve/cve-2018-14654

https://access.redhat.com/security/cve/cve-2018-14659

https://access.redhat.com/security/cve/cve-2018-14660

https://access.redhat.com/security/cve/cve-2018-14661

https://access.redhat.com/security/cve/cve-2018-1000805

Plugin Details

Severity: High

ID: 118790

File Name: redhat-RHSA-2018-3470.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2018/11/07

Modified: 2019/01/02

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:imgbased, p-cpe:/a:redhat:enterprise_linux:python-imgbased, p-cpe:/a:redhat:enterprise_linux:redhat-release-virtualization-host, p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update, p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update-placeholder, cpe:/o:redhat:enterprise_linux:7

Patch Publication Date: 2018/11/05

Reference Information

CVE: CVE-2018-1000805, CVE-2018-10858, CVE-2018-10873, CVE-2018-10904, CVE-2018-10907, CVE-2018-10911, CVE-2018-10913, CVE-2018-10914, CVE-2018-10923, CVE-2018-10926, CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, CVE-2018-14652, CVE-2018-14653, CVE-2018-14654, CVE-2018-14659, CVE-2018-14660, CVE-2018-14661

RHSA: 2018:3470