Red Hat Bugzilla – Attachment 1450904 Details for Bug 1568047: Insights-client fails during analyzing of docker image
Attachment: output.json (text/plain), 31.49 KB, created by Eduard on 2018-06-13 13:09:30 UTC
{"version": "0.3", "system": {"hostname": "esakaiev-rhel75-test2", "metadata": {"timezone_information": {"timezone": "EDT", "utcoffset": -14400}, "system_information": {"virtual_machine": true, "product_name": "OpenStack Compute", "family": "Virtual Machine", "manufacturer": "Red Hat"}, "docker_images": {"sha256:9c7b3825758aa4cda6abb4d05381e78032bdb34f21a51ba6022c36ee25effa76": ["docker.io/richxsl/rhel7:latest"], "sha256:fd1ba0b398a82d56900bb798c8b099fbe3166bc49e2c5e947f7973cd38ff1a90": ["registry.access.redhat.com/rhel7:latest", "registry.access.redhat.com/rhel7/rhel:latest"], "sha256:87da7e5ff6956a91866816c499c07708d1933551d496cd565a5c1d8dab32eafd": [], "sha256:91a95b26e58ee5d7199f63db698c9ef2d427873d8e951e20f13491d31dc9a8cd": ["docker.io/lovato/python-2.6.6:latest"], "sha256:ddb20f8825f0a8bb3a053e4a22f6086bddfa304ebbeede98114b41d8955e8f4f": ["docker.io/eduardomcerqueira/paws:0.3.8.1-centos-latest"], "sha256:46cd043842d510f504bc384f798338845d3e7b576100c3d01027999b2b10c8a3": [], "sha256:cc510acfcd701a409014118d5f417f0022520802a26c650866b8a9594d75f3a7": ["docker.io/fedora:latest"], "sha256:9110ae7f579f35ee0c3938696f23fe0f5fbe641738ea52eb83c2df7e9995fa17": ["docker.io/fedora:27"], "sha256:7900f3cdec545072548ac618a98089ceb2e5bb5bf79c4e0afba5bdf88501e02b": []}, "listening_processes": [{"process_name": "master", "ip_addr": "", "port": ":1:25"}, {"process_name": "sshd", "ip_addr": "", "port": "::22"}], "docker_image_count": "9", "docker_container_count": "22", "rhel_version": "-1.-1", "docker_containers": {"caafa9d30d3c4839a7cc50ddd1148840112467ec86183d5249ac90a42cc35f4d": "ddb20f8825f0", "ea82cc0ee91c9b2155e41397fcc3147e228a3347e5201f5623a9a7ab3d0b4574": "ddb20f8825f0", "2e0c8c8d619aa209f138417ff5906550e12573a67d4d78411a8c1cb68f315233": "fd1ba0b398a8", "26d9405793fde065b28e7e58849c494cfb5507e11b89884aeaf95397eb5bb03d": "9110ae7f579f", "52996bf3a9cc7b181d1865e7ecaa403291a5e840865970072d7ee0545805cf57": "9110ae7f579f", 
"b7c8ae18b0f4672aa4e718580d834b7bf02a600533fd7b40ea3e88b0bbe6535e": "docker.io/lovato/python-2.6.6:latest", "6175b6b6248fe0419a526f774a686774e664f1ded3887e3d279b63568cc5fb5c": "ddb20f8825f0", "246ada7752d6d62ea0e4c0bfa87b724e166045ffbc2cc94fa5fcc738d91e4b72": "ddb20f8825f0", "356b2a3a9be3080ce490f5eeca3e0c3f1bc5299593377d7685655cd9acd3de29": "ddb20f8825f0", "c0fa9ed1fbf4602e5fe8504be54f2f3313eebc65a2bc2664f317283124d34412": "9110ae7f579f", "c6625454a296646d7b7fd79dfcaa722b9c6ca40b2ab51518b5db62132b905f03": "docker.io/lovato/python-2.6.6:latest", "7148b92f49547131d2029eb839c1f40b5aacf6b67b3273604f2ae34f749c0a22": "docker.io/richxsl/rhel7:latest", "c2ef58c9f9892a74f7b14eb6c1d59c3a2b7cd621cd875ca16184317f0ced5f48": "9110ae7f579f", "260617edcab7c63b3cd7ae286e72f53210c1f6310c91eb7961b5984bf8b8ac49": "9c7b3825758a", "9de9ad95fe87aa0627dcc409d2345c19d4fc42513814b87e27b3871c4c2cf41b": "9110ae7f579f", "07a0ed33a8a51c17a6568f5679b3497382bcd99c424e93597a2f9476b8f34c28": "cc510acfcd70", "e9296cebbd469e18f9723908dd778d5d87b1bd10f4ffb15d785d3f1b45d5cc4d": "docker.io/lovato/python-2.6.6:latest", "42043a324ffc0b6a3f2a84468d5b2d4bda54a495c6cd0b28e56314ea0a13c749": "docker.io/lovato/python-2.6.6:latest", "57b0d93bfdddbb335085266bfc254336b1005ca364c809132fb95dba62420032": "ddb20f8825f0", "97c17cc8864e185ec837e030f108dd6fd639c62d809f014525c4b15e87747204": "fd1ba0b398a8", "65b61c498ea4ec273b460e6ed9713f17948985120b3fd33a0990a61df4a77564": "ddb20f8825f0", "9a673d3f84fcde052c7b645b6943e610ffd00b5ff100bd4084927aeeb372566f": "docker.io/lovato/python-2.6.6:latest"}, "bios_information": {"bios_revision": "0.0", "version": "1.11.0-2.el7", "vendor": "SeaBIOS", "release_date": "04/01/2014"}, "host_system_id": "86a3dc8a-dcfd-4245-88d9-fe4226c9d178"}}, "reports": {"CVE_2017_5715_cpu_virt|VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL": {"category": "Security", "impact": 3, "description": {"plain": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative 
execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n", "html": "<p>An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.</p>\n<p>All three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.</p>\n<p>An unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.</p>\n"}, "reference": {"plain": "* For more information about the flaw, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution) and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751)\n* Extensive details can be found at the [Project Zero 
blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", "html": "<ul>\n<li>For more information about the flaw, see <a href=\"https://access.redhat.com/security/vulnerabilities/speculativeexecution\">Kernel Side-Channel Attacks</a> and <a href=\"https://access.redhat.com/security/cve/CVE-2017-5715\">CVE-2017-5715</a>.</li>\n<li>For possible performance impact of kernel updates, see <a href=\"https://access.redhat.com/articles/3307751\">Speculative Execution Exploit Performance Impacts</a></li>\n<li>Extensive details can be found at the <a href=\"https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html\">Project Zero blog</a> and <a href=\"https://meltdownattack.com/\">Meltdown and Spectre Attack webpage</a>.</li>\n<li>The Customer Portal page for the <a href=\"https://access.redhat.com/security/\">Red Hat Security Team</a> contains more information about policies, procedures, and alerts for Red Hat products.</li>\n<li>The Security Team also maintains a frequently updated blog at <a href=\"https://securityblog.redhat.com\">securityblog.redhat.com</a>.</li>\n</ul>\n"}, "title": {"plain": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)", "html": "<p>Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5715/Spectre)</p>\n"}, "likelihood": 2, "reboot_required": true, "summary": {"plain": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read 
access to privileged memory.\nThe issue was reported as [CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5715).\n", "html": "<p>A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as <a href=\"https://access.redhat.com/security/cve/CVE-2017-5715\">CVE-2017-5715 / Spectre</a>.</p>\n"}, "rule_data": {"affected_amd_family": false, "kernel_pkg_name": "kernel", "type": "rule", "error_key": "VIRT_CVE_2017_5715_CPU_3_ONLYKERNEL"}, "details": {"plain": "<p>This machine is vulnerable, because it runs a vulnerable kernel.</p>\n<!--\n\nThe information about dracut is displayed only when the list of vulnerable packages is limited to solely dracut-related packages. Even though the message is applicable also to all other cases where a dracut-related package is vulnerable, it is not displayed in those cases, because it is clear that this Insights rule informs about the vulnerability that is specifically relevant to virtualization. After the prescribed actions would be taken, the potentially detected Dracut version would be updated with it, and the paragraph about Dracut might be more of a noise than relevant information, given the presumed presence of virtualization-related packages with more complex changes and impact in that particual report. However, in a case where no virtualization-related packages are detected as vulnerable, it ceases to be so clear that the Dracut update might help resolve the Variant 2 of the issue, which also affects any virtualization that might be used on the system, even though Dracut itself has little to do with virtualization. 
\n\nAlso note that the dracut-related packages are detected as vulnerable for the particular machine only if the machine has CPU of the particular applicable AMD family, as the relevant dracut update fixes behavior only for a limited set of AMD families.\n\n-->\n<p>An unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.</p>\n", "html": "<p>This machine is vulnerable, because it runs a vulnerable kernel.</p>\n<!--\n\nThe information about dracut is displayed only when the list of vulnerable packages is limited to solely dracut-related packages. Even though the message is applicable also to all other cases where a dracut-related package is vulnerable, it is not displayed in those cases, because it is clear that this Insights rule informs about the vulnerability that is specifically relevant to virtualization. After the prescribed actions would be taken, the potentially detected Dracut version would be updated with it, and the paragraph about Dracut might be more of a noise than relevant information, given the presumed presence of virtualization-related packages with more complex changes and impact in that particual report. However, in a case where no virtualization-related packages are detected as vulnerable, it ceases to be so clear that the Dracut update might help resolve the Variant 2 of the issue, which also affects any virtualization that might be used on the system, even though Dracut itself has little to do with virtualization. 
\n\nAlso note that the dracut-related packages are detected as vulnerable for the particular machine only if the machine has CPU of the particular applicable AMD family, as the relevant dracut update fixes behavior only for a limited set of AMD families.\n\n-->\n<p>An unprivileged attacker could use the vulnerability to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.</p>\n"}, "acks": [], "resolution": {"plain": "<p>Red Hat recommends that you update the kernel:</p>\n<pre><code># yum update kernel\n# reboot\n</code></pre><p>If additional steps to update the kernel are necessary, they are detailed in the separate insights rule <em>Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)</em>.</p>\n<p>Fixes require CPU microcode/firmware to activate.</p>\n<p><strong>In addition:</strong></p>\n<p>Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing <code>microcode_ctl</code> and <code>linux_firmware</code> packages that will cover the limited subset of chipsets we were able to test, but this will <strong>not</strong> address many CPUs that you may have in use in your server fleet. 
Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.</p>\n", "html": "<p>Red Hat recommends that you update the kernel:</p>\n<pre><code># yum update kernel\n# reboot\n</code></pre><p>If additional steps to update the kernel are necessary, they are detailed in the separate insights rule <em>Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)</em>.</p>\n<p>Fixes require CPU microcode/firmware to activate.</p>\n<p><strong>In addition:</strong></p>\n<p>Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. Red Hat may be providing <code>microcode_ctl</code> and <code>linux_firmware</code> packages that will cover the limited subset of chipsets we were able to test, but this will <strong>not</strong> address many CPUs that you may have in use in your server fleet. Again, contacting your hardware vendor will ensure you have the appropriate software to enable the protections for Variant 2 of this issue.</p>\n"}, "severity": "WARN"}, "CVE_2018_3639_cpu_kernel|CVE_2018_3639_CPU_BAD_KERNEL": {"category": "Security", "impact": 2, "description": {"plain": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. The flaw is similar to CVE-2017-5753 (aka \"Spectre v1\"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. 
to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.\n\nMitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nRed Hat recommends that you update the kernel and update firmware.\n", "html": "<p>An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. The flaw is similar to CVE-2017-5753 (aka "Spectre v1"), except it leverages Speculative Store Bypass memory optimization in place of the Branch Misprediction used by Spectre v1.</p>\n<p>An unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible, e.g. to memory outside of a sandboxed environments like web browsers or JIT execution runtimes.</p>\n<p>Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.</p>\n<p>Red Hat recommends that you update the kernel and update firmware.</p>\n"}, "reference": {"plain": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/ssbd).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", "html": "<ul>\n<li>For more information about the flaw, see <a href=\"https://access.redhat.com/security/vulnerabilities/ssbd\">the vulnerability article</a>.</li>\n<li>To learn how to upgrade packages, see <a href=\"https://access.redhat.com/solutions/9934\">What is yum and how do I use it?</a>.</li>\n<li>The Customer Portal page for the <a 
href=\"https://access.redhat.com/security/\">Red Hat Security Team</a> contains more information about policies, procedures, and alerts for Red Hat products.</li>\n<li>The Security Team also maintains a frequently updated blog at <a href=\"https://securityblog.redhat.com\">securityblog.redhat.com</a>.</li>\n</ul>\n"}, "title": {"plain": "Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated (CVE-2018-3639)", "html": "<p>Kernel vulnerable to side-channel attacks in modern microprocessors using Speculative Store Bypass when CPU microcode is outdated (CVE-2018-3639)</p>\n"}, "likelihood": 2, "reboot_required": true, "summary": {"plain": "An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned [CVE-2018-3639](https://access.redhat.com/security/cve/CVE-2018-3639). Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.\n\nAn unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.\n", "html": "<p>An industry-wide issue was found in the manner in which many modern microprocessors have implemented speculative execution of instructions. It has been assigned <a href=\"https://access.redhat.com/security/cve/CVE-2018-3639\">CVE-2018-3639</a>. 
Mitigations for this vulnerability require firmware/microcode updates from hardware vendors.</p>\n<p>An unprivileged attacker can use this flaw to bypass restrictions in order to gain read access to privileged memory that would otherwise be inaccessible.</p>\n"}, "rule_data": {"rt": false, "running_kernel": "3.10.0-860.el7.x86_64", "error_key": "CVE_2018_3639_CPU_BAD_KERNEL", "cmd_ssbd_off": false, "cmd_avail": true, "cmd_no_ssd": false, "type": "rule", "vuln_file_present": false}, "details": {"plain": "<p>The system is vulnerable because:</p>\n<ul>\n<li>It is running a vulnerable kernel.</li>\n<li>CPU microcode may require an update</li>\n</ul>\n", "html": "<p>The system is vulnerable because:</p>\n<ul>\n<li>It is running a vulnerable kernel.</li>\n<li>CPU microcode may require an update</li>\n</ul>\n"}, "acks": [], "resolution": {"plain": "<p>This system is running a vulnerable kernel. Update the kernel package and reboot:</p>\n<pre><code># yum update kernel\n# reboot\n</code></pre><p>Some information is not available. To determine whether the system needs a firmware update, reboot with an updated kernel.</p>\n<p>This system might need a firmware update. Contact your system hardware vendor for more information.</p>\n", "html": "<p>This system is running a vulnerable kernel. Update the kernel package and reboot:</p>\n<pre><code># yum update kernel\n# reboot\n</code></pre><p>Some information is not available. To determine whether the system needs a firmware update, reboot with an updated kernel.</p>\n<p>This system might need a firmware update. 
Contact your system hardware vendor for more information.</p>\n"}, "severity": "WARN"}, "vm_io_scheduler|VM_IO_SCHEDULER_V1": {"category": "Performance", "impact": 2, "description": {"plain": "If the I/O scheduler of `noop` or `deadline` is not used on virtual disks of VM guest, degraded disk performance can occur.", "html": "<p>If the I/O scheduler of <code>noop</code> or <code>deadline</code> is not used on virtual disks of VM guest, degraded disk performance can occur.</p>\n"}, "reference": {"plain": "", "html": ""}, "title": {"plain": "Decreased performance when not using 'noop' or 'deadline' I/O scheduler on VM", "html": "<p>Decreased performance when not using 'noop' or 'deadline' I/O scheduler on VM</p>\n"}, "likelihood": 2, "reboot_required": false, "summary": {"plain": "VM guest using improper I/O scheduler can lead to degraded disk performance.\n", "html": "<p>VM guest using improper I/O scheduler can lead to degraded disk performance.</p>\n"}, "rule_data": {"rhel_version": 7, "type": "rule", "devices": {"vda": "mq-deadline"}, "error_key": "VM_IO_SCHEDULER_V1"}, "details": {"plain": "<p>This virtual guest is using a disk I/O scheduler other than <code>noop</code> or <code>deadline</code> on the following devices:</p>\n<table>\n<tr>\n<th>Device</th>\n<th>Active Scheduler</th>\n\n<tr>\n<td>vda</td>\n<td>mq-deadline</td>\n</tr>\n\n</table>\n\n\n\n\n\n<p>This can result in degraded disk performance.</p>\n", "html": "<p>This virtual guest is using a disk I/O scheduler other than <code>noop</code> or <code>deadline</code> on the following devices:</p>\n<table>\n<tr>\n<th>Device</th>\n<th>Active Scheduler</th>\n\n<tr>\n<td>vda</td>\n<td>mq-deadline</td>\n</tr>\n\n</table>\n\n\n\n\n\n<p>This can result in degraded disk performance.</p>\n"}, "acks": [], "resolution": {"plain": "<p>Red Hat recommends that you use the <code>virtual-guest</code> tuned profile on all virtual machines to fix this issue. 
This profile will enable the proper I/O scheduler, as well as optimize other virtual machine tunables to provide the best practices for the virtual guest.</p>\n<ol>\n<pre>\n<code>\n # tuned-adm profile virtual-guest\n</code>\n</pre>\n</ol>\n\n<p><strong>OR</strong></p>\n<p>In the event you simply want to enable the <code>noop</code> I/O scheduler on all virtual disks, completing the following steps:</p>\n<ol>\n<pre>\n<code>\n # echo noop > /sys/block/vda/queue/scheduler\n\n</code>\n</pre>\n</ol> \n\n<p>In order for the change to survive a reboot, you must add a kernel parameter using <code>grubby</code>:</p>\n<ol>\n<pre>\n<code>\n # grubby --update-kernel=ALL --args=elevator=noop\n</code>\n</pre>\n</ol>\n\n<p>Some workloads may benefit from using the <code>deadline</code> scheduler. Analysis of storage performance is required. In addition, any devices being passed through to the VM should <strong>not</strong> use <code>noop</code> scheduler due to the VM, rather than the hypervisor, having direct control over the device.</p>\n", "html": "<p>Red Hat recommends that you use the <code>virtual-guest</code> tuned profile on all virtual machines to fix this issue. This profile will enable the proper I/O scheduler, as well as optimize other virtual machine tunables to provide the best practices for the virtual guest.</p>\n<ol>\n<pre>\n<code>\n # tuned-adm profile virtual-guest\n</code>\n</pre>\n</ol>\n\n<p><strong>OR</strong></p>\n<p>In the event you simply want to enable the <code>noop</code> I/O scheduler on all virtual disks, completing the following steps:</p>\n<ol>\n<pre>\n<code>\n # echo noop > /sys/block/vda/queue/scheduler\n\n</code>\n</pre>\n</ol> \n\n<p>In order for the change to survive a reboot, you must add a kernel parameter using <code>grubby</code>:</p>\n<ol>\n<pre>\n<code>\n # grubby --update-kernel=ALL --args=elevator=noop\n</code>\n</pre>\n</ol>\n\n<p>Some workloads may benefit from using the <code>deadline</code> scheduler. 
Analysis of storage performance is required. In addition, any devices being passed through to the VM should <strong>not</strong> use <code>noop</code> scheduler due to the VM, rather than the hypervisor, having direct control over the device.</p>\n"}, "severity": "WARN"}, "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3": {"category": "Security", "impact": 3, "description": {"plain": "An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. There are three primary variants of the issue which differ in the way the speculative execution can be exploited.\n\nAll three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.\n\nAn unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.\n\nMitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.\n", "html": "<p>An industry-wide issue was found in the manner many modern microprocessors have implemented speculative execution of instructions. 
There are three primary variants of the issue which differ in the way the speculative execution can be exploited.</p>\n<p>All three rely upon the fact that modern high performance microprocessors implement both speculative execution, and utilize VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.</p>\n<p>An unprivileged attacker could use these to read privileged memory by conducting targeted cache side-channel attacks, including memory locations that cross the syscall boundary or the guest/host boundary, or potentially arbitrary host memory addresses.</p>\n<p>Mitigations for these vulnerabilities additionally require firmware/microcode updates from hardware vendors.</p>\n"}, "reference": {"plain": "* For more information about the flaws, see [Kernel Side-Channel Attacks](https://access.redhat.com/security/vulnerabilities/speculativeexecution), [CVE-2017-5754](https://access.redhat.com/security/cve/CVE-2017-5754), [CVE-2017-5753](https://access.redhat.com/security/cve/CVE-2017-5753), and [CVE-2017-5715](https://access.redhat.com/security/cve/CVE-2017-5715).\n* For possible performance impact of kernel updates, see [Speculative Execution Exploit Performance Impacts](https://access.redhat.com/articles/3307751).\n* For information related to VMs, see [How do I enable Markdown/Spectre mitigations in my virtualised machines?](https://access.redhat.com/articles/3331571)\n* Extensive details can be found at the [Project Zero blog](https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html) and [Meltdown and Spectre Attack webpage](https://meltdownattack.com/).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at 
[securityblog.redhat.com](https://securityblog.redhat.com).\n", "html": "<ul>\n<li>For more information about the flaws, see <a href=\"https://access.redhat.com/security/vulnerabilities/speculativeexecution\">Kernel Side-Channel Attacks</a>, <a href=\"https://access.redhat.com/security/cve/CVE-2017-5754\">CVE-2017-5754</a>, <a href=\"https://access.redhat.com/security/cve/CVE-2017-5753\">CVE-2017-5753</a>, and <a href=\"https://access.redhat.com/security/cve/CVE-2017-5715\">CVE-2017-5715</a>.</li>\n<li>For possible performance impact of kernel updates, see <a href=\"https://access.redhat.com/articles/3307751\">Speculative Execution Exploit Performance Impacts</a>.</li>\n<li>For information related to VMs, see <a href=\"https://access.redhat.com/articles/3331571\">How do I enable Markdown/Spectre mitigations in my virtualised machines?</a></li>\n<li>Extensive details can be found at the <a href=\"https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html\">Project Zero blog</a> and <a href=\"https://meltdownattack.com/\">Meltdown and Spectre Attack webpage</a>.</li>\n<li>The Customer Portal page for the <a href=\"https://access.redhat.com/security/\">Red Hat Security Team</a> contains more information about policies, procedures, and alerts for Red Hat products.</li>\n<li>The Security Team also maintains a frequently updated blog at <a href=\"https://securityblog.redhat.com\">securityblog.redhat.com</a>.</li>\n</ul>\n"}, "title": {"plain": "Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)", "html": "<p>Kernel vulnerable to side-channel attacks in modern microprocessors (CVE-2017-5753/Spectre, CVE-2017-5715/Spectre, CVE-2017-5754/Meltdown)</p>\n"}, "likelihood": 2, "reboot_required": true, "summary": {"plain": "A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass 
restrictions to gain read access to privileged memory.\nThe issue was reported as [CVE-2017-5753 / CVE-2017-5715 / Spectre](https://access.redhat.com/security/cve/CVE-2017-5753) and [CVE-2017-5754 / Meltdown](https://access.redhat.com/security/cve/CVE-2017-5754).\n", "html": "<p>A vulnerability was discovered in modern microprocessors supported by the kernel, whereby an unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory.\nThe issue was reported as <a href=\"https://access.redhat.com/security/cve/CVE-2017-5753\">CVE-2017-5753 / CVE-2017-5715 / Spectre</a> and <a href=\"https://access.redhat.com/security/cve/CVE-2017-5754\">CVE-2017-5754 / Meltdown</a>.</p>\n"}, "rule_data": {"debugfs_available": true, "dmesg_available": true, "retpo_kernel_but_no_sys_cpu_vuln": true, "package_name": "kernel", "running_kernel": "3.10.0-860.el7.x86_64", "sysfs_vuln_s1": null, "dmesg_wrapped": false, "problems": {"v2_vulnerable": true, "ibpb_cmdline_spectre_v2_disabled": false, "v3_vulnerable": false, "firmware_supports_features": false, "v1_vulnerable": false, "pti_cmdline_disabled": false, "rfi_flush_cmdline_disabled": false, "spectre_v2_disabling_cmdline": null, "ibpb_cmdline_disabled": false, "ibrs_cmdline_disabled": false, "kernel_supports_features": true, "ibrs_cmdline_spectre_v2_disabled": false}, "sysfs_vuln_md": null, "old_specs_on_client": true, "mfr": "Intel", "release_major": "7", "sysfs_vuln_s2": null, "error_key": "KERNEL_CVE_2017_5753_4_CPU_ERROR_3", "type": "rule"}, "details": {"plain": "<p>This system is vulnerable to the following variant(s):</p>\n<ul>\n<li>Variant 2 (Spectre/CVE-2017-5715)</li>\n</ul>\n<p>Factors contributing to these vulnerabilities are:</p>\n<ul>\n<li>This system needs a firmware update.</li>\n</ul>\n<p>Some diagnostic information was unavailable to Insights.</p>\n<ul>\n<li><code>/sys/devices/system/cpu/vulnerabilities</code> was not available to Insights, even though the kernel provides 
it.</li>\n</ul>\n", "html": "<p>This system is vulnerable to the following variant(s):</p>\n<ul>\n<li>Variant 2 (Spectre/CVE-2017-5715)</li>\n</ul>\n<p>Factors contributing to these vulnerabilities are:</p>\n<ul>\n<li>This system needs a firmware update.</li>\n</ul>\n<p>Some diagnostic information was unavailable to Insights.</p>\n<ul>\n<li><code>/sys/devices/system/cpu/vulnerabilities</code> was not available to Insights, even though the kernel provides it.</li>\n</ul>\n"}, "acks": [], "resolution": {"plain": "<p><strong>To improve detection reliability:</strong></p>\n<ul>\n<li>Allow Insights to collect <code>/sys/devices/system/cpu/vulnerabilities</code>.</li>\n</ul>\n<p><strong>To mitigate the vulnerability:</strong></p>\n<ul>\n<li>This system needs a firmware update. Contact your system hardware vendor for more information.</li>\n</ul>\n", "html": "<p><strong>To improve detection reliability:</strong></p>\n<ul>\n<li>Allow Insights to collect <code>/sys/devices/system/cpu/vulnerabilities</code>.</li>\n</ul>\n<p><strong>To mitigate the vulnerability:</strong></p>\n<ul>\n<li>This system needs a firmware update. Contact your system hardware vendor for more information.</li>\n</ul>\n"}, "severity": "WARN"}}, "upload": {"engine_rule_count": 4, "client": "insights-client/3.0.4", "uuid": "01133e60-6f08-11e8-b1f7-8df1fb265274", "size": 0}}
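The attachment above is an insights-client report in the "version": "0.3" layout: system.metadata carries the host inventory (including the docker_images and docker_containers maps and the malformed "rhel_version": "-1.-1" that this bug is about), and reports maps "rule|error_key" to a finding with category, impact, likelihood, severity, reboot_required and rule_data. The following is an added example, not code from the attachment or from insights-client: a small triage script that loads such a document, ranks the Security findings, reads the vN_vulnerable flags from rule_data.problems, rejects a rhel_version that does not parse, and cross-checks the docker section for the inconsistencies visible in the attachment (container entries that hold an image tag instead of a 12-character image-ID prefix, prefixes that match no image, and count fields that disagree with the maps). The SAMPLE document is constructed; its hostname, digests, container IDs and counts are assumptions, only the field names follow the attachment.

```python
"""Triage an insights-client output.json in the "version": "0.3" layout.

Added example: not code from the Bugzilla attachment or from insights-client.
SAMPLE is a constructed, trimmed document that copies the field names of the
attached report; hostname, digests, container IDs and counts are assumptions.
"""
import json
import re

FAKE_IMG_A = "sha256:" + "a" * 64          # constructed digest
FAKE_IMG_B = "sha256:" + "b" * 64          # constructed digest
SAMPLE = json.dumps({
    "version": "0.3",
    "system": {"hostname": "example-host", "metadata": {
        "rhel_version": "-1.-1",           # the malformed value the attachment shows
        "docker_image_count": "2",
        "docker_container_count": "4",     # disagrees with the map below on purpose
        "docker_images": {FAKE_IMG_A: ["docker.io/example/base:latest"], FAKE_IMG_B: []},
        "docker_containers": {
            "c1": "a" * 12,                         # 12-hex image-ID prefix: resolvable
            "c2": "docker.io/example/base:latest",  # image tag where an ID belongs
            "c3": "deadbeef0000",                   # prefix that matches no image
        }}},
    "reports": {
        "CVE_2017_5753_4_cpu_kernel|KERNEL_CVE_2017_5753_4_CPU_ERROR_3": {
            "category": "Security", "impact": 3, "likelihood": 2, "severity": "WARN",
            "reboot_required": True, "rule_data": {"problems": {
                "v1_vulnerable": False, "v2_vulnerable": True, "v3_vulnerable": False}}},
        "vm_io_scheduler|VM_IO_SCHEDULER_V1": {
            "category": "Performance", "impact": 2, "likelihood": 2, "severity": "WARN",
            "reboot_required": False, "rule_data": {}},
    },
})

RHEL_VERSION = re.compile(r"^\d+\.\d+$")   # e.g. "7.5"; rejects "-1.-1"
ID_PREFIX = re.compile(r"^[0-9a-f]{12}$")  # short docker image ID


def load_report(text):
    doc = json.loads(text)
    if doc.get("version") != "0.3":
        raise ValueError("unsupported report version %r" % doc.get("version"))
    return doc


def security_findings(doc):
    """(rule, error_key, impact, likelihood, reboot) for Security rules, riskiest first."""
    rows = []
    for key, rule in doc["reports"].items():
        if rule.get("category") != "Security":
            continue
        rule_id, _, error_key = key.partition("|")
        rows.append((rule_id, error_key, rule["impact"], rule["likelihood"],
                     bool(rule.get("reboot_required"))))
    return sorted(rows, key=lambda r: r[2] * r[3], reverse=True)


def spectre_variants(doc):
    """Variant numbers flagged vN_vulnerable in any rule's rule_data.problems."""
    found = set()
    for rule in doc["reports"].values():
        for name, flag in rule.get("rule_data", {}).get("problems", {}).items():
            m = re.fullmatch(r"v(\d)_vulnerable", name)
            if m and flag:
                found.add(int(m.group(1)))
    return sorted(found)


def check_docker_consistency(md):
    """Cross-check docker_containers against docker_images and the count fields."""
    images = md.get("docker_images", {})
    prefixes = {d.split(":", 1)[-1][:12] for d in images}   # "sha256:<hex>" -> 12 hex
    tags = {t for names in images.values() for t in names}
    out = {"tag_as_image": [], "dangling": [], "count_mismatch": []}
    for cid, ref in md.get("docker_containers", {}).items():
        if ref in tags:
            out["tag_as_image"].append(cid)
        elif not (ID_PREFIX.match(ref) and ref in prefixes):
            out["dangling"].append(cid)
    for field, section in (("docker_image_count", "docker_images"),
                           ("docker_container_count", "docker_containers")):
        declared = str(md.get(field, ""))            # the report stores counts as strings
        if not declared.isdigit() or int(declared) != len(md.get(section, {})):
            out["count_mismatch"].append(field)
    return out


def rhel_version_ok(md):
    return bool(RHEL_VERSION.match(str(md.get("rhel_version", ""))))


def triage(text):
    doc = load_report(text)
    md = doc["system"]["metadata"]
    sec = security_findings(doc)
    return {"host": doc["system"]["hostname"], "security": sec,
            "reboot_required": any(r[4] for r in sec),
            "spectre_variants": spectre_variants(doc),
            "rhel_version_ok": rhel_version_ok(md),
            "docker": check_docker_consistency(md)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against the real attachment with `triage(open("output.json").read())`: the docker check flags the containers whose value is "docker.io/lovato/python-2.6.6:latest" rather than a 12-character prefix, and rhel_version_ok is False for "-1.-1", which is the symptom the bug title describes.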
Attachments on bug 1568047: 1450903 | 1450904