Rapid7 Vulnerability & Exploit Database

RHSA-2011:0439: rhev-hypervisor security and bug fix update

Back to Search

RHSA-2011:0439: rhev-hypervisor security and bug fix update

Severity
6
CVSS
(AV:A/AC:M/Au:N/C:N/I:N/A:C)
Published
10/23/2011
Created
07/25/2018
Added
10/23/2011
Modified
07/04/2017

Description

An updated rhev-hypervisor package that fixes one security issue and one bug is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A NULL pointer dereference flaw was found in the Generic Receive Offload (GRO) functionality in the Linux kernel's networking implementation. If both GRO and promiscuous mode were enabled on an interface in a virtual LAN (VLAN), it could result in a denial of service when a malformed VLAN frame is received on that interface. (CVE-2011-1478) Red Hat would like to thank Ryan Sweat for reporting CVE-2011-1478. This updated package provides updated components that include fixes for security issues; however, these issues have no security impact for Red Hat Enterprise Virtualization Hypervisor. These fixes are for dbus issue CVE-2010-4352; kernel issues CVE-2010-4346, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, and CVE-2011-1090; libvirt issue CVE-2011-1146; and openldap issue CVE-2011-1024. This update also fixes the following bug: * Previously, network drivers that had Large Receive Offload (LRO) enabled by default caused the system to run slow when using software bridging. With this update, Red Hat Enterprise Virtualization Hypervisor disables LRO as a part of a modprobe configuration. (BZ#692864) Also in this erratum, the rhev-hypervisor-pxe RPM has been dropped. As Red Hat Enterprise Virtualization Hypervisor includes Red Hat Enterprise Virtualization Manager Agent (VDSM), the bug fixes from the VDSM update RHBA-2011:0424 have been included in this update: https://rhn.redhat.com/errata/RHBA-2011-0424.html Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which resolves these issues.

Solution(s)

  • redhat-upgrade-rhev-hypervisor

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;