-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1274
       RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug
                             fix, enhancement
                               15 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Manager
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
                   Reduced Security         -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28477 CVE-2020-28458 CVE-2020-25657
                   CVE-2019-20921  

Reference:         ESB-2021.0978
                   ESB-2021.0977

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:1169
   https://access.redhat.com/errata/RHSA-2021:1186

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement
Advisory ID:       RHSA-2021:1169-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1169
Issue date:        2021-04-14
CVE Names:         CVE-2019-20921 CVE-2020-25657 CVE-2020-28458 
                   CVE-2020-28477 
=====================================================================

1. Summary:

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-bootstrap-select: not escaping title values on <option> may lead
to XSS (CVE-2019-20921)

* m2crypto: bleichenbacher timing attacks in the RSA decryption API
(CVE-2020-25657)

* datatables.net: prototype pollution if 'constructor' were used in a data
property name (CVE-2020-28458)

* nodejs-immer: prototype pollution may lead to DoS or remote code
execution (CVE-2020-28477)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
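The datatables.net item above (CVE-2020-28458) names the mechanism only in one line: a data property name such as "constructor.prototype.x" can make a nested-property lookup walk off a plain row object onto a shared prototype. The following is an added example, not code from Red Hat, oVirt or the datatables.net project; the function names, the dotted-path syntax and the `polluted` marker are assumptions chosen to make the bug class and its mitigation visible side by side.

```javascript
// Added example (not code from Red Hat, oVirt or datatables.net): a nested
// data-property resolver of the kind a table library uses for a row spec such
// as data: "user.name.first", shown in a naive form and a hardened form.
// The naive form illustrates the bug class named in CVE-2020-28458; the
// hardened form is the mitigation a reviewer would ask for.

// Path segments that walk from a plain object to a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: descends through whatever the current object exposes, including
// inherited properties. On an empty object, "constructor" resolves to Object and
// "prototype" to Object.prototype, so the final write lands on the global
// prototype shared by every object in the process.
function setNestedUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-walking segments up front and only
// descends into own, non-null object properties, never into inherited ones.
function setNestedSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`refusing prototype-walking property segment: ${p}`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs both setters against the CVE-style path and reports what a fresh,
// unrelated object inherits before and after each one. The marker written by
// the unsafe setter is deleted again so the rest of the process is unaffected.
function demonstrate() {
  const probe = () => ({}).polluted;
  const before = probe();                                   // undefined
  setNestedUnsafe({}, 'constructor.prototype.polluted', 'yes');
  const afterUnsafe = probe();                              // 'yes' on every object
  delete Object.prototype.polluted;
  let safeRejected = false;
  try {
    setNestedSafe({}, 'constructor.prototype.polluted', 'yes');
  } catch (e) {
    safeRejected = true;
  }
  const afterSafe = probe();                                // still undefined
  return { before, afterUnsafe, safeRejected, afterSafe };
}
```

The deny-list on path segments is the fix shape such libraries ship; an own-property check alone is not enough, because assigning through `__proto__` is a setter rather than an inherited lookup. Where the data layer allows it, storing row data in `Object.create(null)` objects or freezing `Object.prototype` at startup removes the shared target altogether.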

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1145658 - Storage domain removal does not check if the storage domain contains any memory dumps.
1155275 - [RFE] - Online update LUN size to the Guest after LUN resize
1649479 - [RFE] OVF_STORE last update not exposed in the UI
1666786 - RHV-M reports "Balancing VM ${VM}" for ever as successful in the tasks list
1688186 - [RFE] CPU and NUMA Pinning shall be handled automatically
1729359 - Failed image upload leaves disk in locked state, requiring manual intervention to cleanup.
1787235 - [RFE] Offline disk move should log which host the data is being copied on in the audit log
1802844 - rest api setupnetworks: assignment_method should be inside ip_address_assignment
1837221 - [RFE] Allow using other than RSA SHA-1/SHA-2 public keys for SSH connections between RHVM and hypervisors
1843882 - network interface not added to public firewalld zone until host reboot
1858420 - Snapshot creation on host that engine then loses connection to results in missing snapshots table entry
1882273 - CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
1884233 - oVirt-engine reports misleading login-domain for external RH-SSO accounts
1889823 - CVE-2020-25657 m2crypto: bleichenbacher timing attacks in the RSA decryption API
1895217 - Hosted-Engine --restore-from-file fails if backup has VM pinned to restore host and has no Icon set.
1901503 - Misleading error message, displaying Data Center Storage Type instead of its name
1901752 - AddVds fails as FIPS host rejects SSH with ssh-rsa, failing HostedEngine deployment
1905108 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
1905158 - After upgrading RHVH 4.4.2 to 4.4.3 moves to non-operational due to missing CPU features : model_Cascadelake-Server
1908441 - CVE-2020-28458 datatables.net: prototype pollution if 'constructor' were used in a data property name
1910302 - [RFE] Allow SPM switching if all tasks have finished via UI
1913198 - Host deploy fails if 6+ hosts are deployed at the same time.
1914602 - [RHV 4.4] /var/lib/ovirt-engine/external_truststore (Permission denied)
1918162 - CVE-2020-28477 nodejs-immer: prototype pollution may lead to DoS or remote code execution
1919555 - Rebase apache-sshd to version 2.6.0 for RHV 4.4.5
1921104 - Bump required ansible version in RHV Manager 4.4.5
1921119 - RHV reports unsynced cluster when host QoS is in use.
1922200 - Checking the Engine database consistency takes too long to complete
1924012 - Rebase ansible-runner to 1.4.6
1926854 - [RFE] Requesting an audit log entry be added in LSM flow to display the host on which the internal volumes are copied
1927851 - [RFE] Add timezone AUS Eastern Standard Time
1931514 - [downstream] Cluster upgrade fails when using Intel Skylake Client/Server IBRS SSBD MDS Family
1931786 - Windows driver update does not work on cluster level 4.5

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-runner-1.4.6-2.el8ar.src.rpm
ansible-runner-service-1.0.7-1.el8ev.src.rpm
apache-sshd-2.6.0-1.el8ev.src.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.src.rpm
ovirt-web-ui-1.6.7-1.el8ev.src.rpm

noarch:
ansible-runner-1.4.6-2.el8ar.noarch.rpm
ansible-runner-service-1.0.7-1.el8ev.noarch.rpm
apache-sshd-2.6.0-1.el8ev.noarch.rpm
apache-sshd-javadoc-2.6.0-1.el8ev.noarch.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-web-ui-1.6.7-1.el8ev.noarch.rpm
python3-ansible-runner-1.4.6-2.el8ar.noarch.rpm
python3-ovirt-engine-lib-4.4.5.9-0.1.el8ev.noarch.rpm
rhvm-4.4.5.9-0.1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-20921
https://access.redhat.com/security/cve/CVE-2020-25657
https://access.redhat.com/security/cve/CVE-2020-28458
https://access.redhat.com/security/cve/CVE-2020-28477
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, bug fix, enhance
Advisory ID:       RHSA-2021:1186-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1186
Issue date:        2021-04-14
CVE Names:         CVE-2019-20921 CVE-2020-28458 
=====================================================================

1. Summary:

An update for org.ovirt.engine-root, ovirt-engine-ui-extensions, and
ovirt-web-ui is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.

Bug Fix(es):
* Previously, saving user preferences in the Red Hat Virtualization Manager
required the MANIPULATE_USERS permission level. As a result, user
preferences were not saved on the server.
In this release, the required permission level for saving user preferences
was changed to EDIT_PROFILE, which is the permission level assigned by
default to all users. As a result, saving user preferences works as
expected. (BZ#1920539)

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-bootstrap-select: not escaping title values on <option> may lead
to XSS (CVE-2019-20921)

* datatables.net: prototype pollution if 'constructor' were used in a data
property name (CVE-2020-28458)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1171924 - [RFE] User Preferences / settings dialog with server-side storage
1750426 - [RFE] No clear/consistent indication that Upgrade Cluster is underway
1795457 - RHV-M causing high load on PostgreSQL  DB after upgrade to 4.2
1882273 - CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
1908441 - CVE-2020-28458 datatables.net: prototype pollution if 'constructor' were used in a data property name
1920539 - Error screen displayed after user login in admin portal.

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.5.11-0.1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.5-1.el8ev.src.rpm
ovirt-web-ui-1.6.8-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.5-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.5.11-0.1.el8ev.noarch.rpm
ovirt-web-ui-1.6.8-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.5.11-0.1.el8ev.noarch.rpm
rhvm-4.4.5.11-0.1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-20921
https://access.redhat.com/security/cve/CVE-2020-28458
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----