Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3168
OpenShift Virtualization 4.8.2 Images security and bug fix update
22 September 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Virtualization 4.8.2 Images
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-38575 CVE-2021-38201 CVE-2021-37576
CVE-2021-34558 CVE-2021-33198 CVE-2021-33197
CVE-2021-33195 CVE-2021-27218 CVE-2021-22555
CVE-2021-22543 CVE-2021-3609
Reference: ESB-2021.3130
ESB-2021.3074
ESB-2021.3010
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:3598
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update
Advisory ID: RHSA-2021:3598-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3598
Issue date: 2021-09-21
CVE Names: CVE-2021-3609 CVE-2021-22543 CVE-2021-22555
CVE-2021-27218 CVE-2021-33195 CVE-2021-33197
CVE-2021-33198 CVE-2021-34558 CVE-2021-37576
CVE-2021-38201 CVE-2021-38575
=====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 4.8.2 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 4.8.2 images:
RHEL-8-CNV-4.8
==============
kubevirt-vmware-container-v4.8.2-1
node-maintenance-operator-container-v4.8.2-1
bridge-marker-container-v4.8.2-1
kubemacpool-container-v4.8.2-1
virtio-win-container-v4.8.2-1
kubevirt-v2v-conversion-container-v4.8.2-1
hostpath-provisioner-container-v4.8.2-1
kubernetes-nmstate-handler-container-v4.8.2-1
cluster-network-addons-operator-container-v4.8.2-1
cnv-containernetworking-plugins-container-v4.8.2-1
hyperconverged-cluster-operator-container-v4.8.2-2
hostpath-provisioner-operator-container-v4.8.2-1
ovs-cni-marker-container-v4.8.2-1
hyperconverged-cluster-webhook-container-v4.8.2-2
ovs-cni-plugin-container-v4.8.2-1
kubevirt-template-validator-container-v4.8.2-2
kubevirt-ssp-operator-container-v4.8.2-2
cnv-must-gather-container-v4.8.2-3
vm-import-virtv2v-container-v4.8.2-4
vm-import-operator-container-v4.8.2-4
vm-import-controller-container-v4.8.2-4
virt-cdi-cloner-container-v4.8.2-2
virt-cdi-controller-container-v4.8.2-2
virt-cdi-operator-container-v4.8.2-2
virt-cdi-uploadproxy-container-v4.8.2-2
virt-cdi-uploadserver-container-v4.8.2-2
virt-cdi-apiserver-container-v4.8.2-2
virt-cdi-importer-container-v4.8.2-2
virt-launcher-container-v4.8.2-5
virt-api-container-v4.8.2-5
virt-handler-container-v4.8.2-5
virt-controller-container-v4.8.2-5
virt-operator-container-v4.8.2-5
hco-bundle-registry-container-v4.8.2-17
Security Fix(es):
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1953485 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - SSP
1957791 - [MTV][Warm] The migrated VM on target side should be powered off/on accordingly to the source VM's last power state during warm migration
1972819 - Failed, Pending and Scheduling VMs can not be stopped
1982143 - [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990065 - [4.8.2][network] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
1991460 - Cannot get 'write' permission without 'resize': Image size is not a multiple of request alignment'
1993122 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
1995050 - RHEL9 template - support level and description should be updated
1996110 - cdi importer fails for a CirrOS VM import to NFS (but not to Cepf-rbd/block)
1996660 - [4.8] Goroutine count and memory remains high after VMIs are removed
1997668 - [v2v] VM import from RHV should not be blocked for a non UTC Timezone.
1998818 - virt-handler Pod is missing xorrisofs command
1998983 - 4.8.2 containers
2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed
2001038 - Importer attempts to shrink an image in certain situations
2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import
5. References:
https://access.redhat.com/security/cve/CVE-2021-3609
https://access.redhat.com/security/cve/CVE-2021-22543
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-37576
https://access.redhat.com/security/cve/CVE-2021-38201
https://access.redhat.com/security/cve/CVE-2021-38575
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYUm9jNzjgjWX9erEAQj5ERAAlwei+1rByD0NbOnsl6V/N8336joQgWAw
YTaHbCzYC7188JJ2ucnup1wmPhjk1mWFzUGI+7GLNjnCAaBy3Eg3w5ZI86H1G7T6
0q3TOmTU8ezyr6JMryiw1v4aambVtB8g1K7XjNVQnKhKyJtsx7iuagyg9QMbVknU
i2uRANE/7GgL0Yv6jwPSgNjzArhW9TosXVfg+oYY9MQ8fAZyhdXxZKRnwwe0lHVk
NMwPppumF80lvraU/HwcYlkQrc9It5F62fm0NOvyvY0J3+V55+yeb5UeiBMeyFK4
++HIcxtktf/X7dBAfUkeqPoVYX/MkHxHCaYbEnXyVNK9m/8Z9HWOzzJ6YgFGZ7hE
FNnKyGG1ZXcOmWHZ2UBoVFOMLGcf907o6oaC6p3AfX6LVPTRb8E8Df7TS0TP3miS
BQmq+UnJG6mnO0xHtxmS+WJ1lh51LVaczJuMUHgpGOn8pCVkQIH4jx2tmSVkZN6O
0jOcW2Lg1YGX6Byfz9jcjaG2pRXGeos/JVJKEeWOVtiJcFQFRgEUNxJpeothOqi5
Dr1hJbtn/Ts4E8jDw3IrjfvjPC7f+IBU67fcT4FXHklkaYchZKLteaIAEMoy+w6h
GMxVU+aohcvVSfIXv6hi4S8hM6HAxEdklwX7nUP2AsjGDDS1ZKFZz/EleItz45MF
E1MQ2NdfNNY=
=vkzK
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYUqSu+NLKJtyKPYoAQiZ6Q//QQPPxHO09KR5Mf79lm0RFiYanBzU+PXH
02LQM7Ax9JwhoEOCv3vjugtquaBOi0fcYFD7lavc1FwROthjsR0ZlhYgF/zNq3xJ
sJCEOzra/0ogYadudyT07Fx2N/8eMdbLQSr/SOwCzUjh3V1bDTecRFCn8HFsjMtg
Tb/0y03HJzfJyQB2Aba05+SamrXZlF6rM5NdUUa1lfkQXayoptaFrQEKUB5nRabn
xSsjQ7iGwD/pZubk+FOJhW4jodhoF0fFNz4e3ntdKLTcSOFOgHKpH/fjeolnoBOD
fE1M8IypKS1k1CgmMNkDtfpmPj8ISA5BBKpa+D7gHOpPP3hjBdNRdC1bU6alGkdv
n/ZO2omYB32hTRrfe2TEUyAovBH5VQDWBBUzEWBpYpqwtdtmA6mrNaTxjQjGIgkN
643hVE07DnCX14iSiRjhYtewwRtbeyezv8SZwazII9504f+zYZzLHE608U1XILQ5
arv8Cf2OQTeDrZXaYwlYxzLuOj/Ai+r0Yxns83eCgcHusHCV4mqO3FzcxLNThcrn
32bAN36qraBDhw4/+KMqcxV+ViUPmI28opm589CNxcq4dyJgVA0JllHM10/xndgF
J8cy1IJ9e+75f5QEQmTj66t4+KZ35cISimGWLW83+v9aochhaVAsUvzi/gQaPuEq
rLpHxmDQgeE=
=zHu0
-----END PGP SIGNATURE-----