Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Red Hat Virtualization security update
Informations
Name RHSA-2019:2437 First vendor Publication 2019-08-12
Vendor RedHat Last vendor Modification 2019-08-12
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Cvss Base Score 5.5 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL 7-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64 Red Hat Virtualization 4 Hypervisor for RHEL 7 - noarch

3. Description:

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)

Security Fix(es):

* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)

* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)

* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)

* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions 1658366 - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled 1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle 1687920 - RHVH fails to reinstall if required size is exceeding the available disk space due to anaconda bug 1694065 - CVE-2019-0161 edk2: stack overflow in XHCI causing denial of service 1702223 - Rebase RHV-H on RHEL 7.7 1709829 - CVE-2019-10139 cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment 1718388 - CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc 1720156 - RHVH 4.3.4 version info is incorrect in plymouth and "/etc/os-release" 1720160 - RHVH 4.3.4: Incorrect info in /etc/system-release-cpe 1720310 - RHV-H post-installation scripts failing, due to existing tags 1720434 - RHVH 7.7 brand is wrong in Anaconda GUI. 1720435 - Failed to install RHVH 7.7 1720436 - RHVH 7.7 should based on RHEL 7.7 server but not workstation. 1724044 - Failed dependencies occur during install systemtap package. 1726534 - dhclient fails to load libdns-export.so.1102 after upgrade if the user installed library is not persisted on the new layer 1727007 - Update RHVH 7.7 branding with new Red Hat logo 1727859 - Failed to boot after upgrading a host with a custom kernel 1728998 - "nodectl info" displays error after RHVH installation 1729023 - The error message is inappropriate when run `imgbase layout --init` on current layout

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-2437.html

CWE : Common Weakness Enumeration

% Id Name
17 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
17 % CWE-522 Insufficiently Protected Credentials (CWE/SANS Top 25)
17 % CWE-269 Improper Privilege Management
17 % CWE-203 Information Exposure Through Discrepancy
17 % CWE-190 Integer Overflow or Wraparound (CWE/SANS Top 25)
17 % CWE-172 Encoding Error

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 135
Application 123
Application 125
Application 118
Application 144
Application 120
Application 88
Application 112
Application 137
Application 134
Application 138
Application 123
Application 98
Application 6
Application 3
Application 1
Application 8
Application 2
Application 19
Application 4
Application 3
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 2
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 2
Application 1
Application 1
Application 1
Application 1
Application 2
Application 205
Application 327
Application 1
Application 3
Application 5
Application 1
Application 5
Application 5
Application 2
Application 1
Application 3
Application 2
Application 1
Application 3
Application 472
Application 23
Application 1
Application 3
Application 1
Application 1
Application 1
Application 1
Application 289
Application 1
Application 1
Application 173
Application 93
Application 1
Hardware 7
Hardware 6
Hardware 1
Os 6
Os 2
Os 4
Os 3
Os 215
Os 3
Os 2
Os 6
Os 1
Os 1
Os 1
Os 1
Os 2
Os 4
Os 1
Os 5
Os 2

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2020-03-19 13:18:58
  • First insertion