Lucene search

K
centosCentOS ProjectCESA-2009:1465
HistoryOct 30, 2009 - 2:43 p.m.

kmod, kvm security update

2009-10-3014:43:52
CentOS Project
lists.centos.org
53

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.001

Percentile

26.7%

CentOS Errata and Security Advisory CESA-2009:1465

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

The kvm_emulate_hypercall() implementation was missing a check for the
Current Privilege Level (CPL). A local, unprivileged user in a virtual
machine could use this flaw to cause a local denial of service or escalate
their privileges within that virtual machine. (CVE-2009-3290)

This update also fixes the following bugs:

  • non-maskable interrupts (NMI) were not supported on systems with AMD
    processors. As a consequence, Windows Server 2008 R2 guests running with
    more than one virtual CPU assigned on systems with AMD processors would
    hang at the Windows shut down screen when a restart was attempted. This
    update adds support for NMI filtering on systems with AMD processors,
    allowing clean restarts of Windows Server 2008 R2 guests running with
    multiple virtual CPUs. (BZ#520694)

  • significant performance issues for guests running 64-bit editions of
    Windows. This update improves performance for guests running 64-bit
    editions of Windows. (BZ#521793)

  • Windows guests may have experienced time drift. (BZ#521794)

  • removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows
    Server 2008 R2 caused KVM to crash. With this update, device removal should
    not cause this issue. (BZ#524557)

All KVM users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Note: The procedure in the
Solution section must be performed before this update takes effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-October/078400.html
https://lists.centos.org/pipermail/centos-announce/2009-October/078401.html

Affected packages:
kmod-kvm
kvm
kvm-qemu-img
kvm-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1465

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.001

Percentile

26.7%