Operating System:

[RedHat]

Published:

07 October 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3461
                   OpenShift Virtualization 2.4.2 Images
                              7 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Virtualization
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Increased Privileges            -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-16845 CVE-2020-15586 CVE-2020-14365
                   CVE-2020-14352 CVE-2020-12825 CVE-2020-12402
                   CVE-2019-17023 CVE-2019-17006 CVE-2019-11756

Reference:         ESB-2020.3352
                   ESB-2020.3351
                   ESB-2020.3156
                   ESB-2020.3073
                   ESB-2020.3071
                   ESB-2020.3070

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4201

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: OpenShift Virtualization 2.4.2 Images
Advisory ID:       RHSA-2020:4201-01
Product:           Container-native Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4201
Issue date:        2020-10-06
CVE Names:         CVE-2019-11756 CVE-2019-17006 CVE-2019-17023 
                   CVE-2020-12402 CVE-2020-12825 CVE-2020-14352 
                   CVE-2020-14365 CVE-2020-15586 CVE-2020-16845 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.4.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

Security Fix(es):

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Container-native Virtualization 2.4.2 Images (BZ#1877407)

This advisory contains the following OpenShift Virtualization 2.4.2 images:

RHEL-7-CNV-2.4
==============
kubevirt-ssp-operator-container-v2.4.2-2

RHEL-8-CNV-2.4
==============
virt-cdi-controller-container-v2.4.2-1
virt-cdi-apiserver-container-v2.4.2-1
hostpath-provisioner-operator-container-v2.4.2-1
virt-cdi-uploadproxy-container-v2.4.2-1
virt-cdi-cloner-container-v2.4.2-1
virt-cdi-importer-container-v2.4.2-1
kubevirt-template-validator-container-v2.4.2-1
hostpath-provisioner-container-v2.4.2-1
virt-cdi-uploadserver-container-v2.4.2-1
virt-cdi-operator-container-v2.4.2-1
virt-controller-container-v2.4.2-1
kubevirt-cpu-model-nfd-plugin-container-v2.4.2-1
virt-api-container-v2.4.2-1
ovs-cni-marker-container-v2.4.2-1
kubevirt-cpu-node-labeller-container-v2.4.2-1
bridge-marker-container-v2.4.2-1
kubevirt-metrics-collector-container-v2.4.2-1
kubemacpool-container-v2.4.2-1
cluster-network-addons-operator-container-v2.4.2-1
ovs-cni-plugin-container-v2.4.2-1
kubernetes-nmstate-handler-container-v2.4.2-1
cnv-containernetworking-plugins-container-v2.4.2-1
virtio-win-container-v2.4.2-1
virt-handler-container-v2.4.2-1
virt-launcher-container-v2.4.2-1
cnv-must-gather-container-v2.4.2-1
virt-operator-container-v2.4.2-1
vm-import-controller-container-v2.4.2-1
hyperconverged-cluster-operator-container-v2.4.2-1
vm-import-operator-container-v2.4.2-1
kubevirt-vmware-container-v2.4.2-1
kubevirt-v2v-conversion-container-v2.4.2-1
kubevirt-kvm-info-nfd-plugin-container-v2.4.2-1
node-maintenance-operator-container-v2.4.2-1
hco-bundle-registry-container-v2.4.2-15

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1869194 - HCO CR display name should contain "OpenShift Virtualization" instead of CNV
1869734 - OpenShift Virtualization does not appear in OperatorHub when filtering to "Disconnected"
1875383 - terminationGracePeriodSeconds should be updated in VMs created from common templates
1877407 - Container-native Virtualization 2.4.2 Images

5. References:

https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12825
https://access.redhat.com/security/cve/CVE-2020-14352
https://access.redhat.com/security/cve/CVE-2020-14365
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX30EmtzjgjWX9erEAQgnhg/+Kw8PF1VdWqLhdnth6BBrjcI0qoGVd671
KqomXg22a9lJ+oFUqV8AV7FssyqRe5XDufdREbO7Q5QFJnLZh9sbvpJvmINA4/En
FX3caimjz5YQsTVJfDme/aHv8dfyqkjhd5hVRVHDjdZ/xagXqTB7qkA7H9IaHsMd
dLc4QHFIRCw3i+AUo6OLhnxIwkkDToTM6saoSscK5ePnze8t+dA2E2yk7n2NcB6n
djRONbWQ9am8/plK8QfeNHxpq6Yv9dXQMc8OqRPDN5Tytz4JSfW3isqhWSSzj7dd
D0nT6kpeeOD7a9tXkI1/J4e9UHY22oKaCBtgtzruba86yI5Imuq10tsn4Cmvn0hj
Frj7CwIy88vEq0WXUWY0P99a//pCJE5YozzJZWnqdEUb7xxyGWBtVzEGAcdIOT3o
BN5g5AYMjDXpShDDw24U2DCbCt0f9snZDqIXurL5PkcQyGq0CPjHjglhy5JrKes+
VY3LJa/bkT38RRXk/TzKrlPjxoJNXjhGqU8YdrTe4DGTTiCfE+CGQ5f5RObFt1Pp
UtbGikSRlso8P3Fu93unPgnqd1S8p3nVoYtAcUrMa+2CzjxpIN2OV/zmfl49tytf
q2sG6oiDTYtEMpGKiy5UQRLD9njJxNBHH+HD85SeSNfBwbnJeebfw9nLd7HJj3Ld
yrKxjSoHgxw=
=LVFp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX30SguNLKJtyKPYoAQjJVQ/9FlPPi/w/BuW2Qi7kLiGGArnHLBUcBkZr
/Mi9SFETjoB3TPySuOBfk/wdbLCtcxTzMDGghXHefvB2uyjELtF3VREpYPXZyQxm
si+NDblTdXWhQ3fOq6j4JsnqKzitOOF5ape82/5C7LhNjdRZAtlOFD6mVM8b83DU
3YfDVMf+sC2gorEP8mcTP7jT8isQJs7Cw5rKZy+cexdk6ZlWsefyUgOO2gQKtd3f
ash7sm9l1aNEJAvsAeSsoWMi7agXWkWNYQZFVbfUi50RyWkLyReP2kNEP+r7PeQJ
bDNyZ+AgJ8qf+U9IK+YsbiQYub7F6RvF4yC1L5ROVW15I4yZHoup7502j4bzyKqM
YUq328e/Sio9nCHE6pbXHp8FUspEt9a6o1mX5Lx7lhQO9fomzUvmCu1Y4Oxrdq5g
Vzm88Bilax0wZ9DDsUQ6eCqslnXVKOxi3i7+512Ef9o4rJQFLNyPS7EpeDnLzULa
F3pMVBfRXbPmo6YuUVVTU/1Ix9sBYmZ1nAqk6XYKKTF+CEIvmcMl3KUYNDI4VRTj
vkuxKHG+/L7PD5bRAJnM1CQAOyUll8cIX3CS+kirhRCJJJ6XA+Y4d3H1HJcaDKMQ
kSGXJQY1S9yoPRCIDvYMOpU1/HbLTTp38ThYn/SuN6bIHgz0a0/t36XFd9m3vD1L
e5uL9BzRHUI=
=eSwz
-----END PGP SIGNATURE-----