-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2711
     OpenShift Virtualization 2.6.6 Images security and bug fix update
                               11 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Virtualization 2.6.6 Images
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33910 CVE-2021-33909 CVE-2021-32399 CVE-2021-28211
                   CVE-2021-27219 CVE-2021-25217 CVE-2021-25215 CVE-2021-23336
                   CVE-2021-23240 CVE-2021-23239 CVE-2021-20271 CVE-2021-20201
                   CVE-2021-3560 CVE-2021-3541 CVE-2021-3537 CVE-2021-3520
                   CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2021-3326
                   CVE-2021-3177 CVE-2021-3114 CVE-2020-36242 CVE-2020-29363
                   CVE-2020-29362 CVE-2020-29361 CVE-2020-28935 CVE-2020-28196
                   CVE-2020-27619 CVE-2020-27618 CVE-2020-26137 CVE-2020-26116
                   CVE-2020-25712 CVE-2020-25659 CVE-2020-15358 CVE-2020-14363
                   CVE-2020-14362 CVE-2020-14361 CVE-2020-14360 CVE-2020-14347
                   CVE-2020-14346 CVE-2020-14345 CVE-2020-14344 CVE-2020-13584
                   CVE-2020-13543 CVE-2020-13434 CVE-2020-12364 CVE-2020-12363
                   CVE-2020-12362 CVE-2020-9983 CVE-2020-9951 CVE-2020-9948
                   CVE-2020-8927 CVE-2020-8286 CVE-2020-8285 CVE-2020-8284
                   CVE-2020-8231 CVE-2019-25042 CVE-2019-25041 CVE-2019-25040
                   CVE-2019-25039 CVE-2019-25038 CVE-2019-25037 CVE-2019-25036
                   CVE-2019-25035 CVE-2019-25034 CVE-2019-25032 CVE-2019-25013
                   CVE-2019-14866 CVE-2019-13012 CVE-2019-9169 CVE-2019-2708
                   CVE-2017-14502 CVE-2016-10228
Reference:         ESB-2021.2677
                   ESB-2021.2657

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:3119

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 2.6.6 Images security and bug fix update
Advisory ID:       RHSA-2021:3119-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3119
Issue date:        2021-08-10
CVE Names:         CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 CVE-2019-9169
                   CVE-2019-13012 CVE-2019-14866 CVE-2019-25013 CVE-2019-25032
                   CVE-2019-25034 CVE-2019-25035 CVE-2019-25036 CVE-2019-25037
                   CVE-2019-25038 CVE-2019-25039 CVE-2019-25040 CVE-2019-25041
                   CVE-2019-25042 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
                   CVE-2020-8286 CVE-2020-8927 CVE-2020-9948 CVE-2020-9951
                   CVE-2020-9983 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364
                   CVE-2020-13434 CVE-2020-13543 CVE-2020-13584 CVE-2020-14344
                   CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14360
                   CVE-2020-14361 CVE-2020-14362 CVE-2020-14363 CVE-2020-15358
                   CVE-2020-25659 CVE-2020-25712 CVE-2020-26116 CVE-2020-26137
                   CVE-2020-27618 CVE-2020-27619 CVE-2020-28196 CVE-2020-28935
                   CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2020-36242
                   CVE-2021-3114 CVE-2021-3177 CVE-2021-3326 CVE-2021-3516
                   CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537
                   CVE-2021-3541 CVE-2021-3560 CVE-2021-20201 CVE-2021-20271
                   CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-25215
                   CVE-2021-25217 CVE-2021-27219 CVE-2021-28211 CVE-2021-32399
                   CVE-2021-33909 CVE-2021-33910
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.6.6 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization
<version_number> images:

RHEL-8-CNV-2.6
hostpath-provisioner-container-v2.6.6-3
vm-import-controller-container-v2.6.6-5
vm-import-virtv2v-container-v2.6.6-5
vm-import-operator-container-v2.6.6-5
virt-cdi-apiserver-container-v2.6.6-4
virt-cdi-controller-container-v2.6.6-4
virt-cdi-cloner-container-v2.6.6-4
virt-cdi-importer-container-v2.6.6-4
virt-cdi-uploadserver-container-v2.6.6-4
virt-cdi-uploadproxy-container-v2.6.6-4
virt-cdi-operator-container-v2.6.6-4
ovs-cni-marker-container-v2.6.6-5
kubevirt-ssp-operator-container-v2.6.6-5
kubemacpool-container-v2.6.6-7
kubevirt-vmware-container-v2.6.6-4
kubevirt-kvm-info-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-model-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-node-labeller-container-v2.6.6-4
virtio-win-container-v2.6.6-4
kubevirt-template-validator-container-v2.6.6-4
cnv-containernetworking-plugins-container-v2.6.6-4
node-maintenance-operator-container-v2.6.6-4
kubevirt-v2v-conversion-container-v2.6.6-4
cluster-network-addons-operator-container-v2.6.6-4
ovs-cni-plugin-container-v2.6.6-4
bridge-marker-container-v2.6.6-4
kubernetes-nmstate-handler-container-v2.6.6-7
hyperconverged-cluster-webhook-container-v2.6.6-4
cnv-must-gather-container-v2.6.6-16
hyperconverged-cluster-operator-container-v2.6.6-4
virt-launcher-container-v2.6.6-7
hostpath-provisioner-operator-container-v2.6.6-5
virt-api-container-v2.6.6-7
virt-handler-container-v2.6.6-7
virt-controller-container-v2.6.6-7
virt-operator-container-v2.6.6-7
hco-bundle-registry-container-v2.6.6-70

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1945703 - "Guest OS Info" availability in VMI describe is flaky
1958816 - [2.6.z] KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster
1963275 - migration controller null pointer dereference
1965099 - Live Migration double handoff to virt-handler causes connection failures
1965181 - CDI importer doesn't report AwaitingVDDK like it used to
1967086 - Cloning DataVolumes between namespaces fails while creating cdi-upload pod
1967887 - [2.6.6] nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs
1969756 - Windows VMs fail to start on air-gapped environments
1970372 - Virt-handler fails to verify container-disk
1973227 - segfault in virt-controller during pdb deletion
1974084 - 2.6.6 containers
1975212 - No Virtual Machine Templates Found [EDIT - all templates are marked as depracted]
1975727 - [Regression][VMIO][Warm] The third precopy does not end in warm migration
1977756 - [2.6.z] PVC keeps in pending when using hostpath-provisioner
1982760 - [v2v] no kind VirtualMachine is registered for version "kubevirt.io/v1" i...
1986989 - OpenShift Virtualization 2.6.z cannot be upgraded to 4.8.0 initially deployed starting with <= 4.8

5. References:

https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13012
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2019-25032
https://access.redhat.com/security/cve/CVE-2019-25034
https://access.redhat.com/security/cve/CVE-2019-25035
https://access.redhat.com/security/cve/CVE-2019-25036
https://access.redhat.com/security/cve/CVE-2019-25037
https://access.redhat.com/security/cve/CVE-2019-25038
https://access.redhat.com/security/cve/CVE-2019-25039
https://access.redhat.com/security/cve/CVE-2019-25040
https://access.redhat.com/security/cve/CVE-2019-25041
https://access.redhat.com/security/cve/CVE-2019-25042
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9948
https://access.redhat.com/security/cve/CVE-2020-9951
https://access.redhat.com/security/cve/CVE-2020-9983
https://access.redhat.com/security/cve/CVE-2020-12362
https://access.redhat.com/security/cve/CVE-2020-12363
https://access.redhat.com/security/cve/CVE-2020-12364
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13543
https://access.redhat.com/security/cve/CVE-2020-13584
https://access.redhat.com/security/cve/CVE-2020-14344
https://access.redhat.com/security/cve/CVE-2020-14345
https://access.redhat.com/security/cve/CVE-2020-14346
https://access.redhat.com/security/cve/CVE-2020-14347
https://access.redhat.com/security/cve/CVE-2020-14360
https://access.redhat.com/security/cve/CVE-2020-14361
https://access.redhat.com/security/cve/CVE-2020-14362
https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-25659
https://access.redhat.com/security/cve/CVE-2020-25712
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-26137
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-28935
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2020-36242
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/cve/CVE-2021-20201
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-23239
https://access.redhat.com/security/cve/CVE-2021-23240
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/cve/CVE-2021-25217
https://access.redhat.com/security/cve/CVE-2021-27219
https://access.redhat.com/security/cve/CVE-2021-28211
https://access.redhat.com/security/cve/CVE-2021-32399
https://access.redhat.com/security/cve/CVE-2021-33909
https://access.redhat.com/security/cve/CVE-2021-33910
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================