RHSA-2019:2437
Vulnerability from csaf_redhat - Published: 2019-08-12 11:56 - Updated: 2026-03-13 01:05Summary
Red Hat Security Advisory: Red Hat Virtualization security update
Severity
Important
Notes
Topic: An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)
Security Fix(es):
* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)
* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)
* openssl: 0-byte record padding oracle (CVE-2019-1559)
* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)
* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.
5.4 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.
5.3 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
Workaround
This vulnerability requires the "imptcp" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.
Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access.
5.9 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
5.9 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
Workaround
As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.
A credential-protection flaw was found in cockpit-ovirt. During deployment, it generated an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contained both admin and appliance passwords as plain-text. Although these files are deleted at the end of the deployment procedure, a local attacker could exploit this flaw to access the passwords.
5.6 (Medium)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
9.8 (Critical)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
https://access.redhat.com/errata/RHSA-2019:2437
References
Acknowledgments
Pennsylvania Higher Education Assistance Agency
Joel Miller
Red Hat
Riccardo Schirone
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2437",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "1687920",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1687920"
},
{
"category": "external",
"summary": "1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "1702223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702223"
},
{
"category": "external",
"summary": "1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "1720156",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720156"
},
{
"category": "external",
"summary": "1720160",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720160"
},
{
"category": "external",
"summary": "1720310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720310"
},
{
"category": "external",
"summary": "1720434",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720434"
},
{
"category": "external",
"summary": "1720435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720435"
},
{
"category": "external",
"summary": "1720436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720436"
},
{
"category": "external",
"summary": "1724044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724044"
},
{
"category": "external",
"summary": "1726534",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1726534"
},
{
"category": "external",
"summary": "1727007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727007"
},
{
"category": "external",
"summary": "1727859",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727859"
},
{
"category": "external",
"summary": "1728998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1728998"
},
{
"category": "external",
"summary": "1729023",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1729023"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2437.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Virtualization security update",
"tracking": {
"current_release_date": "2026-03-13T01:05:00+00:00",
"generator": {
"date": "2026-03-13T01:05:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2019:2437",
"initial_release_date": "2019-08-12T11:56:35+00:00",
"revision_history": [
{
"date": "2019-08-12T11:56:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-12T11:56:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-13T01:05:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_id": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update-placeholder@4.3.5-2.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python2-ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_id": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update@4.3.5-20190722.0.el7_7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_id": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng@4.3.5-0.20190717.0.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_id": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host@4.3.5-20190722.0.el7_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src"
},
"product_reference": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src"
},
"product_reference": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64 as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16838",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"discovery_date": "2018-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1640820"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sssd: improper implementation of GPOs due to too restrictive permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16838"
},
{
"category": "external",
"summary": "RHBZ#1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16838",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838"
}
],
"release_date": "2019-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "sssd: improper implementation of GPOs due to too restrictive permissions"
},
{
"acknowledgments": [
{
"names": [
"Joel Miller"
],
"organization": "Pennsylvania Higher Education Assistance Agency"
}
],
"cve": "CVE-2018-16881",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2018-12-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1658366"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16881"
},
{
"category": "external",
"summary": "RHBZ#1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16881",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881"
}
],
"release_date": "2017-04-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "This vulnerability requires the \"imptcp\" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled"
},
{
"cve": "CVE-2019-0161",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1694065"
}
],
"notes": [
{
"category": "description",
"text": "Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "edk2: stack overflow in XHCI causing denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-0161"
},
{
"category": "external",
"summary": "RHBZ#1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-0161",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0161"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161"
},
{
"category": "external",
"summary": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html",
"url": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html"
}
],
"release_date": "2018-06-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "edk2: stack overflow in XHCI causing denial of service"
},
{
"cve": "CVE-2019-1559",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2019-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1683804"
}
],
"notes": [
{
"category": "description",
"text": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: 0-byte record padding oracle",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "1 For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.\n2. There are multiple other requirements for the attack to succeed: \n - The ciphersuite used must be obsolete CBC cipher without a stitched implementation (or the system be in FIPS mode)\n - the attacker has to be a MITM\n - the attacker has to be able to control the client side to send requests to the buggy server on demand",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-1559"
},
{
"category": "external",
"summary": "RHBZ#1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-1559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1559"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"category": "external",
"summary": "https://github.com/RUB-NDS/TLS-Padding-Oracles",
"url": "https://github.com/RUB-NDS/TLS-Padding-Oracles"
},
{
"category": "external",
"summary": "https://www.openssl.org/news/secadv/20190226.txt",
"url": "https://www.openssl.org/news/secadv/20190226.txt"
}
],
"release_date": "2019-02-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: 0-byte record padding oracle"
},
{
"cve": "CVE-2019-10139",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-05-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1709829"
}
],
"notes": [
{
"category": "description",
"text": "A credential-protection flaw was found in cockpit-ovirt. During deployment, it generated an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contained both admin and appliance passwords as plain-text. Although these files are deleted at the end of the deployment procedure, a local attacker could exploit this flaw to access the passwords.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"category": "external",
"summary": "RHBZ#1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10139",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
}
],
"release_date": "2019-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment"
},
{
"acknowledgments": [
{
"names": [
"Riccardo Schirone"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10160",
"cwe": {
"id": "CWE-172",
"name": "Encoding Error"
},
"discovery_date": "2019-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1718388"
}
],
"notes": [
{
"category": "description",
"text": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.\n\nThis issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 8 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10160"
},
{
"category": "external",
"summary": "RHBZ#1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10160",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10160"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"category": "external",
"summary": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
"url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"
}
],
"release_date": "2019-06-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…