ALAS2-2018-1049


Amazon Linux 2 Security Advisory: ALAS2-2018-1049
Advisory Released Date: 2018-07-24
Advisory Updated Date: 2025-09-23
Severity: Low

Issue Overview:

The fix for CVE-2018-5748, a resource exhaustion flaw affecting the QEMU monitor, was incomplete: the same resource exhaustion can also be triggered via the QEMU guest agent. (CVE-2018-1064)

qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service (memory consumption) via a large QEMU reply. (CVE-2018-5748)


Affected Packages:

libvirt


Note:

This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update libvirt or yum update --advisory ALAS2-2018-1049 to update your system.

New Packages:
src:
    libvirt-3.9.0-14.amzn2.6.src

x86_64:
    libvirt-3.9.0-14.amzn2.6.x86_64
    libvirt-docs-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-config-network-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-config-nwfilter-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-network-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-nwfilter-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-nodedev-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-interface-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-secret-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-core-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-logical-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-disk-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-scsi-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-iscsi-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-mpath-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-gluster-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-rbd-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-storage-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-qemu-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-driver-lxc-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-kvm-3.9.0-14.amzn2.6.x86_64
    libvirt-daemon-lxc-3.9.0-14.amzn2.6.x86_64
    libvirt-client-3.9.0-14.amzn2.6.x86_64
    libvirt-libs-3.9.0-14.amzn2.6.x86_64
    libvirt-admin-3.9.0-14.amzn2.6.x86_64
    libvirt-login-shell-3.9.0-14.amzn2.6.x86_64
    libvirt-devel-3.9.0-14.amzn2.6.x86_64
    libvirt-lock-sanlock-3.9.0-14.amzn2.6.x86_64
    libvirt-nss-3.9.0-14.amzn2.6.x86_64
    libvirt-debuginfo-3.9.0-14.amzn2.6.x86_64

Changelog:

2025-09-23: CVE-2018-3639 was removed from this advisory.

2025-09-23: The severity of this advisory has been changed from important to low.