-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1871
         RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
                                2 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Manager
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23337 CVE-2020-28500 

Reference:         ESB-2021.1225

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:2179

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
Advisory ID:       RHSA-2021:2179-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2179
Issue date:        2021-06-01
CVE Names:         CVE-2020-28500 CVE-2021-23337 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and security flaws and
add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-lodash: command injection via template (CVE-2021-23337)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
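The two lodash issues above are in the JavaScript shipped with the engine's web front ends, and both are classic weakness shapes: attacker-influenced text spliced into generated code, and a trim regex that backtracks quadratically. The block below is an added example written for this bulletin; it is not lodash's source and not Red Hat's code. It builds a reduced template compiler with the same shape as the injection and a regex trim with the same shape as the ReDoS, each next to a hardened form. The function names, the payload string and the inputs are constructed for the demonstration; the `with(obj` tail in the payload only exists to keep the rest of the generated text parseable.

```javascript
// Added example, not lodash's source and not part of this advisory: a reduced
// model of the two weakness classes fixed here, each beside a hardened form.
// Function names, the payload and the inputs below are constructed for the demo.

// ---- CVE-2021-23337 class: code injection through a template option ------

// Turn "<%= expr %>" segments into JS that appends to __p. The template text
// itself is trusted, as in any template engine; the option is the problem.
function buildBody(text) {
  const re = /<%=([\s\S]+?)%>/g;
  let body = "var __p = '';\n";
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    body += '__p += ' + JSON.stringify(text.slice(last, m.index)) + ';\n';
    body += '__p += (' + m[1].trim() + ');\n';
    last = re.lastIndex;
  }
  return body + '__p += ' + JSON.stringify(text.slice(last)) + ';\nreturn __p;\n';
}

// VULNERABLE: options.variable becomes the parameter name of a function that is
// assembled as text and evaluated. A value that closes the parameter list
// injects statements, which run when the returned "template" is called.
function compileTemplateUnsafe(text, options = {}) {
  const variable = options.variable || 'obj';
  const source = 'function(' + variable + ') {\n' + buildBody(text) + '}';
  return Function('return ' + source)();
}

// HARDENED: accept only a plain identifier (allowlist). The upstream fix
// instead rejects a set of forbidden characters; the effect is the same.
const reIdentifier = /^[A-Za-z_$][\w$]*$/;
function compileTemplateSafe(text, options = {}) {
  const variable = options.variable || 'obj';
  if (!reIdentifier.test(variable)) {
    throw new Error('Invalid `variable` option: ' + JSON.stringify(variable));
  }
  const source = 'function(' + variable + ') {\n' + buildBody(text) + '}';
  return Function('return ' + source)();
}

// Constructed payload: closes the parameter list, adds a function body of the
// attacker's choosing, then re-opens a block so the rest of the generated text
// still parses (Function-constructor code is sloppy mode, so `with` is legal).
const INJECTION = "){ globalThis.__injected = 'pwned' }; with(obj";

// ---- CVE-2020-28500 class: ReDoS in trim ---------------------------------

// VULNERABLE: \s+$ is retried from every index; on a long whitespace run that
// ends in one non-space character the engine does O(n^2) work.
function trimEndRegex(s) {
  return s.replace(/\s+$/, '');
}

// HARDENED: walk back from the end one character at a time, O(n).
const reWhitespace = /\s/;
function trimEndSafe(s) {
  let end = s.length;
  while (end > 0 && reWhitespace.test(s.charAt(end - 1))) end--;
  return s.slice(0, end);
}

// Constructed hostile input: n spaces then 'x'. Raise n to ~50000 and
// trimEndRegex slows down visibly while trimEndSafe does not.
function hostileInput(n) {
  return ' '.repeat(n) + 'x';
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Demo.
const evil = compileTemplateUnsafe('', { variable: INJECTION });
evil();
console.log('unsafe compiler ran injected code:', globalThis.__injected);
try {
  compileTemplateSafe('', { variable: INJECTION });
} catch (e) {
  console.log('safe compiler rejected it:', e.message);
}
console.log(compileTemplateSafe('Hello <%= d.name %>!', { variable: 'd' })({ name: 'RHV' }));
const probe = hostileInput(2000);
console.log('regex trim ms:', timeMs(trimEndRegex, probe).toFixed(2),
            '| scan trim ms:', timeMs(trimEndSafe, probe).toFixed(2));
```

The point for a deployer is the trust boundary, not the library version alone: the injection only matters where the `variable` option (or any other text that ends up inside generated code) can be influenced by a user, and the ReDoS only matters where untrusted strings reach trim or toNumber. Patching removes both questions; auditing your own templates for the same pattern is the lasting fix.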

Bug Fix(es):

* This release adds the queue attribute to the virtio-scsi driver in the
virtual machine configuration. This improvement enables multi-queue
performance with the virtio-scsi driver. (BZ#911394)

* With this release, source-load-balancing has been added as a new
sub-option for xmit_hash_policy. It can be configured for bond modes
balance-xor (2), 802.3ad (4) and balance-tlb (5), by specifying
xmit_hash_policy=vlan+srcmac. (BZ#1683987)

* The default DataCenter/Cluster will be set to compatibility level 4.6 on
new installations of Red Hat Virtualization 4.4.6. (BZ#1950348)

* With this release, support has been added for copying disks between
regular Storage Domains and Managed Block Storage Domains.
It is now possible to migrate disks between Managed Block Storage Domains
and regular Storage Domains. (BZ#1906074)

* Previously, the engine-config value LiveSnapshotPerformFreezeInEngine was
set to false by default and was intended to be used only in cluster
compatibility levels below 4.4, but the value applied to all versions.
With this release, each cluster level has its own value, defaulting to
false for 4.4 and above. This avoids the unnecessary overhead of file
system freeze command timeouts. (BZ#1932284)

* With this release, running virtual machines is supported for up to 16TB
of RAM on x86_64 architectures. (BZ#1944723)

* This release adds the gathering of oVirt/RHV related certificates to
allow easier debugging of issues for faster customer help and issue
resolution.
Information from certificates is now included as part of the sosreport.
Note that no corresponding private key information is gathered, due to
security considerations. (BZ#1845877)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1113630 - [RFE] indicate vNICs that are out-of-sync from their configuration on engine
1310330 - [RFE] Provide a way to remove stale LUNs from hypervisors
1589763 - [downstream clone] Error changing CD for a running VM when ISO image is on a block domain
1621421 - [RFE] indicate vNIC is out of sync on network QoS modification on engine
1717411 - improve engine logging when migration fail
1766414 - [downstream] [UI] hint after updating mtu on networks connected to running VMs
1775145 - Incorrect message from hot-plugging memory
1821199 - HP VM fails to migrate between identical hosts (the same cpu flags) not supporting TSC.
1845877 - [RFE] Collect information about RHV PKI
1875363 - engine-setup failing on FIPS enabled rhel8 machine
1906074 - [RFE] Support disks copy between regular and managed block storage domains
1910858 - vm_ovf_generations is not cleared while detaching the storage domain causing VM import with old stale configuration
1917718 - [RFE] Collect memory usage from guests without ovirt-guest-agent and memory ballooning
1919195 - Unable to create snapshot without saving memory of running VM from VM Portal.
1919984 - engine-setup failse to deploy the grafana service in an external DWH server
1924610 - VM Portal shows N/A as the VM IP address even if the guest agent is running and the IP is shown in the webadmin portal
1926018 - Failed to run VM after FIPS mode is enabled
1926823 - Integrating ELK with RHV-4.4 fails as RHVH is missing 'rsyslog-gnutls' package.
1928158 - Rename 'CA Certificate' link in welcome page to 'Engine CA certificate'
1928188 - Failed to parse 'writeOps' value 'XXXX' to integer: For input string: "XXXX"
1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
1929211 - Failed to parse 'writeOps' value 'XXXX' to integer: For input string: "XXXX"
1930522 - [RHV-4.4.5.5] Failed to deploy RHEL AV 8.4.0 host to RHV with error "missing groups or modules: virt:8.4"
1930565 - Host upgrade failed in imgbased but RHVM shows upgrade successful
1930895 - RHEL 8 virtual machine with qemu-guest-agent installed displays Guest OS Memory Free/Cached/Buffered: Not Configured
1932284 - Engine handled FS freeze is not fast enough for Windows systems
1935073 - Ansible ovirt_disk module can create disks with conflicting IDs that cannot be removed
1942083 - upgrade ovirt-cockpit-sso to 0.1.4-2
1943267 - Snapshot creation is failing for VM having vGPU.
1944723 - [RFE] Support virtual machines with 16TB memory
1948577 - [welcome page] remove "Infrastructure Migration" section (obsoleted)
1949543 - rhv-log-collector-analyzer fails to run MAC Pools rule
1949547 - rhv-log-collector-analyzer report contains 'b characters
1950348 - Set compatibility level 4.6 for Default DataCenter/Cluster during new installations of RHV 4.4.6
1950466 - Host installation failed
1954401 - HP VMs pinning is wiped after edit->ok and pinned to first physical CPUs.

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
engine-db-query-1.6.3-1.el8ev.src.rpm
ovirt-cockpit-sso-0.1.4-2.el8ev.src.rpm
ovirt-engine-4.4.6.6-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.6.2-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.6-1.el8ev.src.rpm
ovirt-web-ui-1.6.9-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.8-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.8-1.el8ev.src.rpm

noarch:
engine-db-query-1.6.3-1.el8ev.noarch.rpm
ovirt-cockpit-sso-0.1.4-2.el8ev.noarch.rpm
ovirt-engine-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.9-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.6.6-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.8-1.el8ev.noarch.rpm
rhvm-4.4.6.6-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.8-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
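The package list is only useful if it is compared correctly against what is installed: RPM release strings such as "0.10.el8ev" must be compared segment by segment, since a plain string comparison ranks "0.10" below "0.9". The block below is an added example written for this bulletin, not Red Hat or oVirt tooling. It parses `rpm -q ovirt-engine` output (a constructed sample is embedded so it runs offline) and decides whether the installed build is older than the fixed build above, using the rpmvercmp segment rules. Epochs and the `^` operator are not implemented, which is sufficient for the versions in this advisory.

```javascript
// Added example, not Red Hat or oVirt tooling: check whether the installed
// ovirt-engine package is older than the fixed build in the Package List.
// Segment rules follow rpmvercmp (digit runs numerically, letter runs
// lexically, digits beat letters, '~' sorts before anything); the '^'
// operator and epochs are not implemented, and the sample rpm output below
// is constructed for the demo.

// Fixed build from the Package List above, as name-version-release.
const FIXED_NVR = 'ovirt-engine-4.4.6.6-0.10.el8ev';

// Constructed sample of `rpm -q ovirt-engine` output on an unpatched engine.
const SAMPLE_RPM_Q = 'ovirt-engine-4.4.5.11-0.1.el8ev.noarch';

// Compare two version or release strings; returns -1, 0 or 1.
function rpmvercmp(a, b) {
  if (a === b) return 0;
  const isSegChar = (c) => /[0-9A-Za-z~]/.test(c || '');
  let i = 0, j = 0;
  while (i < a.length || j < b.length) {
    // Separators ('.', '-', '_', ...) are skipped; only segments matter.
    while (i < a.length && !isSegChar(a[i])) i++;
    while (j < b.length && !isSegChar(b[j])) j++;
    // Tilde marks a pre-release: the side that has it is older.
    const ta = a[i] === '~', tb = b[j] === '~';
    if (ta || tb) {
      if (!ta) return 1;
      if (!tb) return -1;
      i++; j++;
      continue;
    }
    if (i >= a.length || j >= b.length) break;
    // Take a maximal run of digits or of letters, decided by the left side.
    const digits = /[0-9]/.test(a[i]);
    const run = digits ? /^[0-9]+/ : /^[A-Za-z]+/;
    const sa = a.slice(i).match(run)[0];
    const mb = b.slice(j).match(run);
    if (!mb) return digits ? 1 : -1;   // numeric segment is newer than alpha
    const sb = mb[0];
    i += sa.length; j += sb.length;
    if (digits) {
      // Numeric: drop leading zeros, longer is larger, then compare digits.
      const na = sa.replace(/^0+/, ''), nb = sb.replace(/^0+/, '');
      if (na.length !== nb.length) return na.length > nb.length ? 1 : -1;
      if (na !== nb) return na > nb ? 1 : -1;
    } else if (sa !== sb) {
      return sa > sb ? 1 : -1;
    }
  }
  // Equal so far: whichever still has segments left is newer.
  if (i >= a.length && j >= b.length) return 0;
  return i >= a.length ? -1 : 1;
}

// Split "name-version-release[.arch]" at the last two hyphens.
function parseNVR(s) {
  const nvr = s.trim().replace(/\.(noarch|x86_64|aarch64|ppc64le|s390x|src)$/, '');
  const m = nvr.match(/^(.+)-([^-]+)-([^-]+)$/);
  if (!m) throw new Error('not a name-version-release string: ' + s);
  return { name: m[1], version: m[2], release: m[3] };
}

// Version decides first, release breaks ties.
function compareNVR(a, b) {
  const x = parseNVR(a), y = parseNVR(b);
  if (x.name !== y.name) throw new Error('different packages: ' + x.name + ' vs ' + y.name);
  return rpmvercmp(x.version, y.version) || rpmvercmp(x.release, y.release);
}

function needsUpdate(installed, fixed = FIXED_NVR) {
  return compareNVR(installed, fixed) < 0;
}

console.log(SAMPLE_RPM_Q,
            needsUpdate(SAMPLE_RPM_Q) ? '=> older than fixed build, update' : '=> fixed build or newer');
```

On a real engine, feed the output of `rpm -q ovirt-engine` to needsUpdate() and pair the result with `rpm -K` (or `rpm --checksig`) on the downloaded packages, which is the signature check the paragraph above refers to.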

7. References:

https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----