===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2711
     OpenShift Virtualization 2.6.6 Images security and bug fix update
                              11 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Virtualization 2.6.6 Images
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33910 CVE-2021-33909 CVE-2021-32399
                   CVE-2021-28211 CVE-2021-27219 CVE-2021-25217
                   CVE-2021-25215 CVE-2021-23336 CVE-2021-23240
                   CVE-2021-23239 CVE-2021-20271 CVE-2021-20201
                   CVE-2021-3560 CVE-2021-3541 CVE-2021-3537
                   CVE-2021-3520 CVE-2021-3518 CVE-2021-3517
                   CVE-2021-3516 CVE-2021-3326 CVE-2021-3177
                   CVE-2021-3114 CVE-2020-36242 CVE-2020-29363
                   CVE-2020-29362 CVE-2020-29361 CVE-2020-28935
                   CVE-2020-28196 CVE-2020-27619 CVE-2020-27618
                   CVE-2020-26137 CVE-2020-26116 CVE-2020-25712
                   CVE-2020-25659 CVE-2020-15358 CVE-2020-14363
                   CVE-2020-14362 CVE-2020-14361 CVE-2020-14360
                   CVE-2020-14347 CVE-2020-14346 CVE-2020-14345
                   CVE-2020-14344 CVE-2020-13584 CVE-2020-13543
                   CVE-2020-13434 CVE-2020-12364 CVE-2020-12363
                   CVE-2020-12362 CVE-2020-9983 CVE-2020-9951
                   CVE-2020-9948 CVE-2020-8927 CVE-2020-8286
                   CVE-2020-8285 CVE-2020-8284 CVE-2020-8231
                   CVE-2019-25042 CVE-2019-25041 CVE-2019-25040
                   CVE-2019-25039 CVE-2019-25038 CVE-2019-25037
                   CVE-2019-25036 CVE-2019-25035 CVE-2019-25034
                   CVE-2019-25032 CVE-2019-25013 CVE-2019-14866
                   CVE-2019-13012 CVE-2019-9169 CVE-2019-2708
                   CVE-2017-14502 CVE-2016-10228 

Reference:         ESB-2021.2677
                   ESB-2021.2657

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:3119

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 2.6.6 Images security and bug fix update
Advisory ID:       RHSA-2021:3119-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3119
Issue date:        2021-08-10
CVE Names:         CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 
                   CVE-2019-9169 CVE-2019-13012 CVE-2019-14866 
                   CVE-2019-25013 CVE-2019-25032 CVE-2019-25034 
                   CVE-2019-25035 CVE-2019-25036 CVE-2019-25037 
                   CVE-2019-25038 CVE-2019-25039 CVE-2019-25040 
                   CVE-2019-25041 CVE-2019-25042 CVE-2020-8231 
                   CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 
                   CVE-2020-8927 CVE-2020-9948 CVE-2020-9951 
                   CVE-2020-9983 CVE-2020-12362 CVE-2020-12363 
                   CVE-2020-12364 CVE-2020-13434 CVE-2020-13543 
                   CVE-2020-13584 CVE-2020-14344 CVE-2020-14345 
                   CVE-2020-14346 CVE-2020-14347 CVE-2020-14360 
                   CVE-2020-14361 CVE-2020-14362 CVE-2020-14363 
                   CVE-2020-15358 CVE-2020-25659 CVE-2020-25712 
                   CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 
                   CVE-2020-27619 CVE-2020-28196 CVE-2020-28935 
                   CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 
                   CVE-2020-36242 CVE-2021-3114 CVE-2021-3177 
                   CVE-2021-3326 CVE-2021-3516 CVE-2021-3517 
                   CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 
                   CVE-2021-3541 CVE-2021-3560 CVE-2021-20201 
                   CVE-2021-20271 CVE-2021-23239 CVE-2021-23240 
                   CVE-2021-23336 CVE-2021-25215 CVE-2021-25217 
                   CVE-2021-27219 CVE-2021-28211 CVE-2021-32399 
                   CVE-2021-33909 CVE-2021-33910 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.6.6 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization
<version_number> images:

RHEL-8-CNV-2.6

hostpath-provisioner-container-v2.6.6-3
vm-import-controller-container-v2.6.6-5
vm-import-virtv2v-container-v2.6.6-5
vm-import-operator-container-v2.6.6-5
virt-cdi-apiserver-container-v2.6.6-4
virt-cdi-controller-container-v2.6.6-4
virt-cdi-cloner-container-v2.6.6-4
virt-cdi-importer-container-v2.6.6-4
virt-cdi-uploadserver-container-v2.6.6-4
virt-cdi-uploadproxy-container-v2.6.6-4
virt-cdi-operator-container-v2.6.6-4
ovs-cni-marker-container-v2.6.6-5
kubevirt-ssp-operator-container-v2.6.6-5
kubemacpool-container-v2.6.6-7
kubevirt-vmware-container-v2.6.6-4
kubevirt-kvm-info-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-model-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-node-labeller-container-v2.6.6-4
virtio-win-container-v2.6.6-4
kubevirt-template-validator-container-v2.6.6-4
cnv-containernetworking-plugins-container-v2.6.6-4
node-maintenance-operator-container-v2.6.6-4
kubevirt-v2v-conversion-container-v2.6.6-4
cluster-network-addons-operator-container-v2.6.6-4
ovs-cni-plugin-container-v2.6.6-4
bridge-marker-container-v2.6.6-4
kubernetes-nmstate-handler-container-v2.6.6-7
hyperconverged-cluster-webhook-container-v2.6.6-4
cnv-must-gather-container-v2.6.6-16
hyperconverged-cluster-operator-container-v2.6.6-4
virt-launcher-container-v2.6.6-7
hostpath-provisioner-operator-container-v2.6.6-5
virt-api-container-v2.6.6-7
virt-handler-container-v2.6.6-7
virt-controller-container-v2.6.6-7
virt-operator-container-v2.6.6-7
hco-bundle-registry-container-v2.6.6-70

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1945703 - "Guest OS Info" availability in VMI describe is flaky
1958816 - [2.6.z] KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster
1963275 - migration controller null pointer dereference
1965099 - Live Migration double handoff to virt-handler causes connection failures
1965181 - CDI importer doesn't report AwaitingVDDK like it used to
1967086 - Cloning DataVolumes between namespaces fails while creating cdi-upload pod
1967887 - [2.6.6] nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs
1969756 - Windows VMs fail to start on air-gapped environments
1970372 - Virt-handler fails to verify container-disk
1973227 - segfault in virt-controller during pdb deletion
1974084 - 2.6.6 containers
1975212 - No Virtual Machine Templates Found [EDIT - all templates are marked as depracted]
1975727 - [Regression][VMIO][Warm] The third precopy does not end in warm migration
1977756 - [2.6.z] PVC keeps in pending when using hostpath-provisioner
1982760 - [v2v] no kind VirtualMachine is registered for version "kubevirt.io/v1" i...
1986989 - OpenShift Virtualization 2.6.z cannot be upgraded to 4.8.0 initially deployed starting with <= 4.8

5. References:

https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13012
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2019-25032
https://access.redhat.com/security/cve/CVE-2019-25034
https://access.redhat.com/security/cve/CVE-2019-25035
https://access.redhat.com/security/cve/CVE-2019-25036
https://access.redhat.com/security/cve/CVE-2019-25037
https://access.redhat.com/security/cve/CVE-2019-25038
https://access.redhat.com/security/cve/CVE-2019-25039
https://access.redhat.com/security/cve/CVE-2019-25040
https://access.redhat.com/security/cve/CVE-2019-25041
https://access.redhat.com/security/cve/CVE-2019-25042
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9948
https://access.redhat.com/security/cve/CVE-2020-9951
https://access.redhat.com/security/cve/CVE-2020-9983
https://access.redhat.com/security/cve/CVE-2020-12362
https://access.redhat.com/security/cve/CVE-2020-12363
https://access.redhat.com/security/cve/CVE-2020-12364
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13543
https://access.redhat.com/security/cve/CVE-2020-13584
https://access.redhat.com/security/cve/CVE-2020-14344
https://access.redhat.com/security/cve/CVE-2020-14345
https://access.redhat.com/security/cve/CVE-2020-14346
https://access.redhat.com/security/cve/CVE-2020-14347
https://access.redhat.com/security/cve/CVE-2020-14360
https://access.redhat.com/security/cve/CVE-2020-14361
https://access.redhat.com/security/cve/CVE-2020-14362
https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-25659
https://access.redhat.com/security/cve/CVE-2020-25712
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-26137
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-28935
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2020-36242
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3560
https://access.redhat.com/security/cve/CVE-2021-20201
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-23239
https://access.redhat.com/security/cve/CVE-2021-23240
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/cve/CVE-2021-25217
https://access.redhat.com/security/cve/CVE-2021-27219
https://access.redhat.com/security/cve/CVE-2021-28211
https://access.redhat.com/security/cve/CVE-2021-32399
https://access.redhat.com/security/cve/CVE-2021-33909
https://access.redhat.com/security/cve/CVE-2021-33910
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================