Red Hat update for rhvm-setup-plugins



Published: 2019-05-08 | Updated: 2019-05-08
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2017-5754
CVE-2018-3639
CWE-ID CWE-200
CWE-362
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Red Hat Virtualization Manager
Client/Desktop applications / Virtualization software

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU9882

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-5754

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in Intel CPU hardware due to side-channel attacks, which are also referred to as Meltdown attacks. A local attacker can execute arbitrary code, perform a side-channel analysis of the data cache and gain access to sensitive information including memory from the CPU cache.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Virtualization Manager: 4.3

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2019:1046


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Speculative Store Bypass

EUVDB-ID: #VU12911

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-3639

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to race conditions in CPU cache processing. A local attacker can conduct a side-channel attack to exploit a flaw in the speculative execution of Load and Store instructions to read privileged memory.

Note: the vulnerability is referred to as "Spectre variant 4".

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Virtualization Manager: 4.3

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2019:1046


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###