-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2599
         RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
                                27 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Manager (ovirt-engine) [ovirt-4.5.0]
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41184 CVE-2021-41183 CVE-2021-41182
                   CVE-2021-33502 CVE-2021-23425 CVE-2021-3807

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:4711

Comment: CVSS (Max):  7.5 CVE-2021-3807 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
Advisory ID:       RHSA-2022:4711-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4711
Issue date:        2022-05-26
CVE Names:         CVE-2021-3807 CVE-2021-23425 CVE-2021-33502 
                   CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several security issues and bugs and
add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)

* normalize-url: ReDoS for data URLs (CVE-2021-33502)

* jquery-ui: XSS in the altField option of the datepicker widget
(CVE-2021-41182)

* jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)

* jquery-ui: XSS in the 'of' option of the .position() util
(CVE-2021-41184)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin
977778 - [RFE] - Mechanism for converting disks for non-running VMS
1624015 - [RFE] Expose Console Options and Console invocation via API
1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM.
1667517 - [RFE] add VM Portal setting for set screen mode
1687845 - Multiple notification for one time host activation
1781241 - missing "Connect automatically" option in VM Portal
1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN
1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy
1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold
1922977 - [RFE] VM shared disks are not part of the OVF_STORE
1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager
1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset
1944290 - URL to change the password is not shown properly
1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only)
1956295 - Template import from storage domain fails when quota is enabled.
1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api
1964208 - [RFE] add new feature for VM's screenshot on RestAPI
1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type"
1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer
1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning
1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs
1980192 - Network statistics copy a U64 into DECIMAL(18,4)
1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated'
1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled in RHVM installation
1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU
1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup
1990462 - [RFE] Add user name and password to ELK integration
1991240 - Assign user quota when provisioning from a non-blank template via web-ui
1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing
1996123 - ovf stores capacity/truesize on the storage does not match values in engine database
1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab
1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)
2000031 - SPM host is rebooted multiple times when engine recovers the host
2002283 - Make NumOfPciExpressPorts configurable via engine-config
2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520
2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot"
2006602 - vm_statistics table has wrong type for guest_mem_* columns.
2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing
2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2008798 - Older name rhv-openvswitch is not checked in ansible playbook
2010203 - Log analyzer creates faulty VM unmanaged devices report
2010903 - I/O operations/sec reporting wrong values
2013928 - Log analyzer creates faulty non default vdc_option report
2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM
2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied
2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget
2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget
2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util
2021217 - [RFE] Windows 2022 support
2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages
2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd
2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language.
2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor
2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied
2030663 - Update Network statistics types in DWH
2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification
2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues to flag OVF_STORE volumes.
2037121 - RFE: Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output.
2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1
2040402 - unable to use --log-size=0 option
2040474 - [RFE] Add progress tracking for Cluster Upgrade
2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list.
2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate
2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup
2048546 - sosreport command should be replaced by sos report
2050566 - Upgrade ovirt-log-collector to 4.4.5
2050614 - Upgrade rhvm-setup-plugins to 4.5.0
2051857 - Upgrade rhv-log-collector-analyzer to 1.0.13
2052557 - RHV fails to release mdev vGPU device after VM shutdown
2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine
2054756 - [welcome page] Add link to MTV guide
2055136 - virt module is not changed to the correct stream during host upgrade
2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key
2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail
2056126 - [RFE] Extend time to warn of upcoming certificate expiration
2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?'
2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics
2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide
2061904 - Unable to attach a RHV Host back into cluster after removing due to networking
2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1
2066084 - vmconsole-proxy-user certificate expired - cannot access serial console
2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken
2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table
2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1
2071468 - Engine fenced host that was already reconnected and set to Up status.
2072637 - Build and distribute python38-daemon in RHV channels
2072639 - Build and distribute ansible-runner in RHV channels
2072641 - Build and distribute python38-docutils in RHV channels
2072642 - Build and distribute python38-lockfile in RHV channels
2072645 - Build and distribute python38-pexpect in RHV channels
2072646 - Build and distribute python38-ptyprocess in RHV channels
2075352 - upgrading RHV-H does not renew certificate

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-runner-2.1.3-1.el8ev.src.rpm
apache-sshd-2.8.0-0.1.el8ev.src.rpm
engine-db-query-1.6.4-1.el8ev.src.rpm
ovirt-dependencies-4.5.1-1.el8ev.src.rpm
ovirt-engine-4.5.0.7-0.9.el8ev.src.rpm
ovirt-engine-dwh-4.5.2-1.el8ev.src.rpm
ovirt-engine-metrics-1.6.0-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.3-1.el8ev.src.rpm
ovirt-log-collector-4.4.5-1.el8ev.src.rpm
ovirt-web-ui-1.8.1-2.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.13-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.11-1.el8ev.src.rpm
rhvm-setup-plugins-4.5.0-2.el8ev.src.rpm
vdsm-jsonrpc-java-1.7.1-2.el8ev.src.rpm

noarch:
ansible-runner-2.1.3-1.el8ev.noarch.rpm
apache-sshd-2.8.0-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.8.0-0.1.el8ev.noarch.rpm
engine-db-query-1.6.4-1.el8ev.noarch.rpm
ovirt-dependencies-4.5.1-1.el8ev.noarch.rpm
ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-backend-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-metrics-1.6.0-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-tools-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.3-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-log-collector-4.4.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.8.1-2.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.0.7-0.9.el8ev.noarch.rpm
python38-ansible-runner-2.1.3-1.el8ev.noarch.rpm
python38-docutils-0.14-12.4.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.13-1.el8ev.noarch.rpm
rhvm-4.5.0.7-0.9.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.11-1.el8ev.noarch.rpm
rhvm-setup-plugins-4.5.0-2.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.7.1-2.el8ev.noarch.rpm
vdsm-jsonrpc-java-javadoc-1.7.1-2.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
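To confirm that the update is actually in place on a Manager, compare the installed epoch/version/release of each package against the list above rather than trusting that the update run succeeded. The script below is an added example for this bulletin (not Red Hat or oVirt tooling): it reimplements rpm's version ordering, parses NEVRA strings, takes a constructed stand-in for `rpm -qa` output, and reports which advisory packages are patched, still older, or absent. The sample installed versions are illustrative only; replace SAMPLE_RPM_QA with real `rpm -qa` lines to use it.

```python
"""Check an RHV Manager host against the package list in RHSA-2022:4711.

Added example for this bulletin, not Red Hat or oVirt tooling. Version
ordering is a port of rpm's rpmvercmp() (tilde handled, the newer '^'
separator treated as a plain separator) with epoch > version > release
precedence. SAMPLE_RPM_QA is constructed `rpm -qa` output; its pre-update
versions are illustrative, not a real 4.4 manifest.
"""
import re

# Binary packages from section 6 of the advisory (subset).
ADVISORY_RPMS = """
ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-backend-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-web-ui-1.8.1-2.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.7.1-2.el8ev.noarch.rpm
""".split()

# Constructed `rpm -qa` output from a partially updated Manager.
SAMPLE_RPM_QA = """
ovirt-engine-4.4.10.7-0.1.el8ev.noarch
ovirt-engine-backend-4.4.10.7-0.1.el8ev.noarch
ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch
ovirt-web-ui-1.7.2-1.el8ev.noarch
bash-4.4.20-4.el8_6.x86_64
""".split()

_SEP = re.compile(r"^[^0-9A-Za-z~]+")  # separator characters rpm skips
_DIGITS = re.compile(r"^[0-9]+")
_ALPHA = re.compile(r"^[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings as rpm does: -1, 0 or 1."""
    while a or b:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        # '~' sorts before everything, even end of string: 1.0~rc1 < 1.0
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        pat = _DIGITS if a[0].isdigit() else _ALPHA
        seg_a = pat.match(a).group(0)
        m = pat.match(b)
        if m is None:                        # numeric beats alphabetic: 1.0.1 > 1.0a
            return 1 if pat is _DIGITS else -1
        seg_b = m.group(0)
        a, b = a[len(seg_a):], b[len(seg_b):]
        if pat is _DIGITS:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return -1 if not a else 1                # leftover segments win: 2.0a > 2.0


def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples, most significant field first."""
    for p, q in zip(x, y):
        r = rpmvercmp(p, q)
        if r:
            return r
    return 0


def parse_nevra(s):
    """Split 'name-[epoch:]version-release.arch[.rpm]'; plain rpm -qa has no epoch, assume 0."""
    s = s[:-4] if s.endswith(".rpm") else s
    rest, arch = s.rsplit(".", 1)
    nv, release = rest.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)        # a version never contains '-'
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, (epoch, version, release), arch


def check_host(advisory_rpms, rpm_qa_lines):
    """Classify each advisory package as patched, vulnerable or not installed."""
    installed = {}
    for line in rpm_qa_lines:
        name, evr, _ = parse_nevra(line)
        if name not in installed or evr_cmp(evr, installed[name]) > 0:
            installed[name] = evr            # keep the newest of coexisting versions
    status = {}
    for pkg in advisory_rpms:
        name, fixed, _ = parse_nevra(pkg)
        if name not in installed:
            status[name] = "not installed"
        else:
            status[name] = "patched" if evr_cmp(installed[name], fixed) >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(check_host(ADVISORY_RPMS, SAMPLE_RPM_QA).items()):
        print("%-28s %s" % (name, state))
```

Two caveats when feeding it real data: plain `rpm -qa` omits the epoch, and if you add one with `--qf` rpm prints "(none)" for packages that have no epoch, so substitute 0 before parsing; and a package at the fixed version can still be running old code until the engine service has been restarted, so pair this check with a look at the running ovirt-engine process start time.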

7. References:

https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-23425
https://access.redhat.com/security/cve/CVE-2021-33502
https://access.redhat.com/security/cve/CVE-2021-41182
https://access.redhat.com/security/cve/CVE-2021-41183
https://access.redhat.com/security/cve/CVE-2021-41184
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----