What is the vulnerability ID for this update?

The vulnerability ID for this update is CVE-2018-1064.

What is the severity of the vulnerability?

The severity of the vulnerability is not specified.

How does the vulnerability work?

The vulnerability allows unauthorized memory reads via sidechannel attacks on microprocessors utilizing speculative execution of a memory read.

What is the affected software?

The affected software is libvirt-bin and libvirt0 on Ubuntu 14.04, 16.04, 17.10, and 18.04.

How do I fix the vulnerability?

To fix the vulnerability, update the libvirt-bin and libvirt0 packages to version 4.0.0-1ubuntu8.2, 3.6.0-1ubuntu6.8, or 1.3.1-1ubuntu10.24 depending on the Ubuntu version.

Vulnerability/
USN-3680-1

12/6/2018

USN-3680-1: libvirt vulnerability and update

First published: Tue Jun 12 2018(Updated: )

Ken Johnson and Jann Horn independently discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via sidechannel attacks. An attacker in the guest could use this to expose sensitive guest information, including kernel memory. This update allows libvirt to expose new CPU features added by microcode updates to guests. (CVE-2018-3639) Daniel P. Berrange discovered that libvirt incorrectly handled the QEMU guest agent. An attacker could possibly use this issue to consume resources, leading to a denial of service. (CVE-2018-1064)

Affected Software	Affected Version	How to fix
All of
ubuntu/libvirt-bin	<4.0.0-1ubuntu8.2	4.0.0-1ubuntu8.2
Ubuntu Ubuntu	=18.04
All of
ubuntu/libvirt0	<4.0.0-1ubuntu8.2	4.0.0-1ubuntu8.2
Ubuntu Ubuntu	=18.04
All of
ubuntu/libvirt-bin	<3.6.0-1ubuntu6.8	3.6.0-1ubuntu6.8
Ubuntu Ubuntu	=17.10
All of
ubuntu/libvirt0	<3.6.0-1ubuntu6.8	3.6.0-1ubuntu6.8
Ubuntu Ubuntu	=17.10
All of
ubuntu/libvirt-bin	<1.3.1-1ubuntu10.24	1.3.1-1ubuntu10.24
Ubuntu Ubuntu	=16.04
All of
ubuntu/libvirt0	<1.3.1-1ubuntu10.24	1.3.1-1ubuntu10.24
Ubuntu Ubuntu	=16.04
All of
ubuntu/libvirt-bin	<1.2.2-0ubuntu13.1.27	1.2.2-0ubuntu13.1.27
Ubuntu Ubuntu	=14.04
All of
ubuntu/libvirt0	<1.2.2-0ubuntu13.1.27	1.2.2-0ubuntu13.1.27
Ubuntu Ubuntu	=14.04

Never miss a vulnerability like this again

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

What is the vulnerability ID for this update?
The vulnerability ID for this update is CVE-2018-1064.
What is the severity of the vulnerability?
The severity of the vulnerability is not specified.
How does the vulnerability work?
The vulnerability allows unauthorized memory reads via sidechannel attacks on microprocessors utilizing speculative execution of a memory read.
What is the affected software?
The affected software is libvirt-bin and libvirt0 on Ubuntu 14.04, 16.04, 17.10, and 18.04.
How do I fix the vulnerability?
To fix the vulnerability, update the libvirt-bin and libvirt0 packages to version 4.0.0-1ubuntu8.2, 3.6.0-1ubuntu6.8, or 1.3.1-1ubuntu10.24 depending on the Ubuntu version.

agent/severity
agent/type
agent/references
agent/first-publish-date
agent/last-modified-date
agent/title
agent/softwarecombine
agent/tags
agent/description
agent/event
collector/usn
source/Ubuntu
anchor-related/USN-3653-1
anchor-related/USN-3655-1
anchor-related/USN-3651-1
anchor-related/USN-3654-2
anchor-related/USN-3654-1
anchor-related/USN-3652-1
anchor-related/USN-3756-1
anchor-related/USN-3777-3
anchor-related/USN-3653-2
anchor-related/USN-3679-1
anchor-related/USN-3655-2
agent/software-canonical-lookup
agent/trending
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu ubuntu
version/ubuntu ubuntu/18.04
version/ubuntu ubuntu/17.10
version/ubuntu ubuntu/16.04
version/ubuntu ubuntu/14.04