Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
amazonAmazonALAS2-2018-1049
HistoryJul 24, 2018 - 4:05 p.m.

Important: libvirt

2018-07-2416:05:00
alas.aws.amazon.com
30

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.023 Low

EPSS

Percentile

89.5%

JSON

Issue Overview:

An incomplete fix for CVE-2018-5748 that affects QEMU monitor leading to a resource exhaustion but now also triggered via QEMU guest agent.(CVE-2018-1064)

qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply.(CVE-2018-5748)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3639)

Affected Packages:

libvirt

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update libvirt to update your system.

New Packages:

src:  
    libvirt-3.9.0-14.amzn2.6.src  
  
x86_64:  
    libvirt-3.9.0-14.amzn2.6.x86_64  
    libvirt-docs-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-config-network-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-config-nwfilter-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-network-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-nwfilter-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-nodedev-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-interface-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-secret-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-core-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-logical-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-disk-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-scsi-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-iscsi-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-mpath-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-gluster-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-rbd-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-storage-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-qemu-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-driver-lxc-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-kvm-3.9.0-14.amzn2.6.x86_64  
    libvirt-daemon-lxc-3.9.0-14.amzn2.6.x86_64  
    libvirt-client-3.9.0-14.amzn2.6.x86_64  
    libvirt-libs-3.9.0-14.amzn2.6.x86_64  
    libvirt-admin-3.9.0-14.amzn2.6.x86_64  
    libvirt-login-shell-3.9.0-14.amzn2.6.x86_64  
    libvirt-devel-3.9.0-14.amzn2.6.x86_64  
    libvirt-lock-sanlock-3.9.0-14.amzn2.6.x86_64  
    libvirt-nss-3.9.0-14.amzn2.6.x86_64  
    libvirt-debuginfo-3.9.0-14.amzn2.6.x86_64

Additional References

Red Hat: CVE-2018-1064, CVE-2018-3639, CVE-2018-5748

Mitre: CVE-2018-1064, CVE-2018-3639, CVE-2018-5748

OSVersionArchitecturePackageVersionFilename
Amazon Linux2x86_64libvirt< 3.9.0-14.amzn2.6libvirt-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-docs< 3.9.0-14.amzn2.6libvirt-docs-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon< 3.9.0-14.amzn2.6libvirt-daemon-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-config-network< 3.9.0-14.amzn2.6libvirt-daemon-config-network-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-config-nwfilter< 3.9.0-14.amzn2.6libvirt-daemon-config-nwfilter-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-driver-network< 3.9.0-14.amzn2.6libvirt-daemon-driver-network-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-driver-nwfilter< 3.9.0-14.amzn2.6libvirt-daemon-driver-nwfilter-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-driver-nodedev< 3.9.0-14.amzn2.6libvirt-daemon-driver-nodedev-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-driver-interface< 3.9.0-14.amzn2.6libvirt-daemon-driver-interface-3.9.0-14.amzn2.6.x86_64.rpm
Amazon Linux2x86_64libvirt-daemon-driver-secret< 3.9.0-14.amzn2.6libvirt-daemon-driver-secret-3.9.0-14.amzn2.6.x86_64.rpm
Rows per page:
1-10 of 311

Related

oraclelinux 9
nessus 87
openvas 32
osv 3
ibm 4
ubuntucve 2
veracode 2
debian 3
redhat 26
cve 2
centos 6
prion 2
redhatcve 2
debiancve 3
ubuntu 1
suse 3
fedora 4
mageia 2
citrix 1
f5 1
virtuozzo 1
photon 1
kaspersky 1
zdt 1
oraclelinux
oraclelinux
libvirt security update
2018-06-25 00:00:00
libvirt security and bug fix update
2018-05-14 00:00:00
libvirt security update
2018-05-22 00:00:00
nessus
nessus
EulerOS 2.0 SP3 : libvirt (EulerOS-SA-2018-1197)
2018-07-03 00:00:00
Amazon Linux 2 : libvirt (ALAS-2018-1049) (Spectre)
2018-07-26 00:00:00
NewStart CGSL MAIN 4.05 : libvirt Multiple Vulnerabilities (NS-SA-2019-0132)
2019-08-12 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for libvirt (EulerOS-SA-2018-1197)
2020-01-23 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:2082-1)
2021-04-19 00:00:00
CentOS Update for libvirt CESA-2018:1396 centos7
2018-06-05 00:00:00
osv
osv
libvirt - security update
2018-03-24 00:00:00
libvirt - security update
2018-03-14 00:00:00
xen - security update
2018-05-25 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in libvirt affect PowerKVM
2018-07-06 23:39:30
Security Bulletin: IBM Netezza Host Management is affected by the vulnerability known as Variant 4 or SpectreNG.
2019-10-18 03:36:34
Security Bulletin: IBM Cloud Manager is affected by the vulnerabilities known as SpectreNG (CVE-2018-3639)
2018-08-08 04:13:55
ubuntucve
ubuntucve
CVE-2018-1064
2018-03-28 00:00:00
CVE-2018-5748
2018-01-25 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:23:06
Denial Of Service (DoS)
2018-05-03 05:13:55
debian
debian
[SECURITY] [DLA 1315-1] libvirt security update
2018-03-24 16:24:47
[SECURITY] [DSA 4137-1] libvirt security update
2018-03-14 21:50:24
[SECURITY] [DSA 4210-1] xen security update
2018-05-25 05:00:47
redhat
redhat
(RHSA-2018:1929) Low: libvirt security update
2018-06-19 02:12:46
(RHSA-2018:1396) Low: libvirt security and bug fix update
2018-05-14 12:57:03
(RHSA-2018:2171) Important: kernel security update
2018-07-11 15:14:50
cve
cve
CVE-2018-1064
2018-03-28 18:29:00
CVE-2018-5748
2018-01-25 16:29:00
centos
centos
libvirt security update
2018-05-30 18:24:07
libvirt security update
2018-06-21 11:55:48
qemu security update
2018-07-03 18:54:02
prion
prion
Code injection
2018-03-28 18:29:00
Design/Logic Flaw
2018-01-25 16:29:00
redhatcve
redhatcve
CVE-2018-1064
2019-10-08 22:28:17
CVE-2018-5748
2018-01-18 06:19:50
debiancve
debiancve
CVE-2018-1064
2018-03-28 18:29:00
CVE-2018-5748
2018-01-25 16:29:00
CVE-2018-3639
2018-05-22 12:29:00
ubuntu
ubuntu
libvirt vulnerability and update
2018-06-12 00:00:00
suse
suse
Security update for libvirt (important)
2018-03-29 12:11:46
Security update for libvirt (moderate)
2018-08-13 12:07:25
Security update for libvirt (important)
2018-06-09 15:07:56
fedora
fedora
[SECURITY] Fedora 27 Update: libvirt-3.7.0-6.fc27
2018-08-01 17:55:42
[SECURITY] Fedora 29 Update: java-1.8.0-openjdk-1.8.0.201.b09-2.fc29
2019-02-11 01:57:50
[SECURITY] Fedora 28 Update: java-1.8.0-openjdk-1.8.0.201.b09-2.fc28
2019-02-25 01:34:09
mageia
mageia
Updated libvirt packages fix CVE-2018-1064
2018-03-30 00:00:32
Updated libvirt packages fix security vulnerability
2018-05-31 23:34:08
citrix
citrix
CVE-2018-3639 - Citrix XenServer Security Update
2018-05-22 04:00:00
f5
f5
K29146534 : SSB Variant 4 vulnerability CVE-2018-3639
2018-07-10 00:00:00
virtuozzo
virtuozzo
Important kernel security update: CVE-2018-3639; new kernel 2.6.32-042stab130.1; Virtuozzo 6.0 Update 12 Hotfix 25 (6.0.12-3705)
2018-05-23 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0151
2018-06-22 00:00:00
kaspersky
kaspersky
KLA11893 Microsoft Advisory for Microsoft Products (ESU)
2018-05-21 00:00:00
zdt
zdt
AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass Exploit
2018-05-23 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.023 Low

EPSS

Percentile

89.5%

JSON
Related for ALAS2-2018-1049
oraclelinux9nessus87openvas32osv3ibm4ubuntucve2veracode2debian3redhat26cve2centos6prion2redhatcve2debiancve3ubuntu1suse3fedora4mageia2citrix1f51virtuozzo1photon1kaspersky1zdt1