Red Hat Enterprise Linux 7.4 Extended Update Support update for libvirt
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Red Hat Enterprise Linux Server - TUS Operating systems & Components / Operating system Red Hat Enterprise Linux for Power, little endian - Extended Update Support Operating systems & Components / Operating system Red Hat Enterprise Linux for Power, big endian - Extended Update Support Operating systems & Components / Operating system Red Hat Enterprise Linux for IBM z Systems - Extended Update Support Operating systems & Components / Operating system Red Hat Enterprise Linux Server - AUS Operating systems & Components / Operating system Red Hat Enterprise Linux Server - Extended Update Support Operating systems & Components / Operating system Red Hat Enterprise Linux EUS Compute Node Operating systems & Components / Operating system libvirt (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU28397
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-12126
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux Server - TUS: 7.4
Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for Power, big endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 7.4
Red Hat Enterprise Linux Server - AUS: 7.4
Red Hat Enterprise Linux Server - Extended Update Support: 7.4
Red Hat Enterprise Linux EUS Compute Node: 7.4
libvirt (Red Hat package): before 3.2.0-14.el7_4.13
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_tus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_big_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:libvirt_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2019:1184
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU28395
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-12127
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux Server - TUS: 7.4
Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for Power, big endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 7.4
Red Hat Enterprise Linux Server - AUS: 7.4
Red Hat Enterprise Linux Server - Extended Update Support: 7.4
Red Hat Enterprise Linux EUS Compute Node: 7.4
libvirt (Red Hat package): before 3.2.0-14.el7_4.13
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_tus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_big_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:libvirt_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2019:1184
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU28396
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-12130
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux Server - TUS: 7.4
Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for Power, big endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 7.4
Red Hat Enterprise Linux Server - AUS: 7.4
Red Hat Enterprise Linux Server - Extended Update Support: 7.4
Red Hat Enterprise Linux EUS Compute Node: 7.4
libvirt (Red Hat package): before 3.2.0-14.el7_4.13
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_tus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_big_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:libvirt_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2019:1184
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU28398
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11091
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux Server - TUS: 7.4
Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for Power, big endian - Extended Update Support: 7.4
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 7.4
Red Hat Enterprise Linux Server - AUS: 7.4
Red Hat Enterprise Linux Server - Extended Update Support: 7.4
Red Hat Enterprise Linux EUS Compute Node: 7.4
libvirt (Red Hat package): before 3.2.0-14.el7_4.13
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_tus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_big_endian_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_extended_update_support:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:libvirt_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2019:1184
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
