RHV Engine and Host Common Packages: Access Confidential Data -- Existing Account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3920
     RHV Engine and Host Common Packages security update [ovirt-4.4.9]
                             17 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RHV Engine and Host Common Packages
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3620  

Reference:         ESB-2021.3436

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4703

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV Engine and Host Common Packages security update [ovirt-4.4.9]
Advisory ID:       RHSA-2021:4703-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4703
Issue date:        2021-11-16
CVE Names:         CVE-2021-3620 
=====================================================================

1. Summary:

Updated dependency packages for ovirt-engine and ovirt-host that fix
several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The ovirt.ovirt package (previously ovirt-ansible-collection) manages all
oVirt Ansible modules.

The ovirt-ansible-hosted-engine-setup package provides an Ansible role for
deploying Red Hat Virtualization Hosted-Engine.

otopi is a standalone, plug-in based installation framework to be used to
set up system components. The plug-in nature provides simplicity to add new
installation functionality without the complexity of the state and
transaction management.

Security Fix(es):

* Ansible: ansible-connection module discloses sensitive info in traceback
error message (CVE-2021-3620)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

 Bug Fix(es):

* A playbook executed by Ansible Engine 2.9.25 inside a virtual machine
running on Red Hat Virtualization 4.4.9 correctly detects that this is a
virtual machine running on Red Hat Virtualization by using Ansible facts.
(BZ#1904085)

* Red Hat Virtualization now supports Ansible-2.9.27 for internal usage.
(BZ#2003671)

* Previously, upgrading from Red Hat Virtualization 4.3 failed when using
an isolated network during IPv6 deployment. In this release, a forward
network is used instead of an isolated network during an IPv6 deployment.
As a result, upgrade from Red Hat Virtualization 4.3 using IPv6 now
succeeds. (BZ#1947709)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1947709 - [IPv6] HostedEngineLocal is an isolated libvirt network, breaking upgrades from 4.3
1975767 - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message
2003671 - Bump Ansible distributed within RHV channels to 2.9.27
2010670 - Upgrade otopi to 1.9.6

6. Package List:

Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8:

Source:
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm

noarch:
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
ansible-2.9.27-1.el8ae.src.rpm
otopi-1.9.6-2.el8ev.src.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm
ovirt-imageio-2.3.0-1.el8ev.src.rpm

noarch:
ansible-2.9.27-1.el8ae.noarch.rpm
otopi-common-1.9.6-2.el8ev.noarch.rpm
otopi-debug-plugins-1.9.6-2.el8ev.noarch.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm
python3-otopi-1.9.6-2.el8ev.noarch.rpm

ppc64le:
ovirt-imageio-client-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-common-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.ppc64le.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.ppc64le.rpm

x86_64:
ovirt-imageio-client-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.x86_64.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ansible-2.9.27-1.el8ae.src.rpm
otopi-1.9.6-2.el8ev.src.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.src.rpm
ovirt-imageio-2.3.0-1.el8ev.src.rpm

noarch:
ansible-2.9.27-1.el8ae.noarch.rpm
otopi-common-1.9.6-2.el8ev.noarch.rpm
otopi-debug-plugins-1.9.6-2.el8ev.noarch.rpm
ovirt-ansible-collection-1.6.5-1.el8ev.noarch.rpm
python3-otopi-1.9.6-2.el8ev.noarch.rpm

x86_64:
ovirt-imageio-client-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-common-debuginfo-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-daemon-2.3.0-1.el8ev.x86_64.rpm
ovirt-imageio-debugsource-2.3.0-1.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3620
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYZQXltzjgjWX9erEAQjvjw/6Ag0jbBYE+89ki14FkfjvY60Wy/wI2M5s
gp5CiTEaW15tASirPRXVBv+i9Cwug9ara0IaaHEHRAoMmw61PlWdH39SjDVFyVHM
poeSIR1YslISuabjsUGG8uVUsfiaKP4Xsg1QgtfOKn/g1DZVPgoyHby9VnIFcgRX
/6mZQTOo+SW6/kuwUlx04/kjCxasX38iMJZlXVg82HwpPKPN7evukrlaE5haS+ja
gronKHu9PW96N23u/VlssC4em8uoQ1gw0YSJzr38Ei2QOYbatdaYE3b6/yVX+UuN
LEDNdwSbPTt458snmf+CtAqef7X6NWuWz+dsVEtiH1tqcBI/maqfvElRxKQZ3bIF
qlnhWGJUDLpZODyBkS9zuZxe8mmxM89a2WuggD6PvCOO1zFJmvXc1Ad/Quh2Hhii
Wp1bTDeSUl1bfIooPEoGVTPrNIsjgYpt3y4iqvoxzMF77wLmPs976TRLKF1a1vDo
IMLJZtPx57WWopXubMyBvGwK3GyzQr4aSHGT2/HJTN/hwbEOBaIfcFXl4/fX3yX4
P++OEZN+cDmDIdRbKn1AXiv8IkvtTSS2dUJ3+elPkN05T+IR+u5K2VjbMPOuW4IJ
DKYXHGtp2y785sDmxH2M5ug8QYzPBEFW7CC4QlWl9jSu/vWm3xBiHhUx/uaeS3qP
clPd21+yCtc=
=wKss
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYZRQUuNLKJtyKPYoAQiWXA/7BG657ot9xRrCR3p8TQEe0RS1uOUIxU7C
X5EAUY3XOQCo62Ab/o8ggOZLN51hiR/CXLsNAUheLBOoADJdW3ucjTuzDRLxhQvV
AaBz9Hgai2WNTDbpKrl/bqJY0lvoc5Gwg3bX7NYXuQsfyW3pgUoXsGvHCOzBioJl
Y5FAUHa7SyEkjn8yBxmIESrq0pj+N2VGy7BesGuUkjvdqbzfwAKbKuUNx8JYVIhl
ISFkqP6CsCF628WZEna38AfQ/7Kj6K+tXSxta0b5+1dF/Bp7L8oA1K1NRgRGymMC
hVZumGo55cVIO7/FI6oGacQzAV/wBNFtw2UMa12UQMGHtYuvGnTvtwxB5fr0ZXIv
GRf7M5IWpXAljjG4BYnaqBYcP9b/pyoEL5NVyIfu3g1OaVA8Tq0I2+Ae/9zozryc
cOcFF7ADMwn3omhzw1GGSQT6/7vNAGXgnvJo9sHF11XvMZq1Qdbb2rhvvLkwqvot
A/H29kPfRZuFmK8byNZs6oPCy/CkOX0PQ8XFcStHcnPruKgxPOXYZOZNm8qVHOWi
6PG8ts9karCwWQ3cEOqFnW6cpsCFS1uuVT1MffE6NLt0NmaH8ZNQgbz+H+4jSgbP
j5nSoHHq4lAlEV37qho9VSxZ9pgONw5How2CoNbenfUC1B5ORaS6nwfOyi08WKYA
tE5A8Fblji0=
=Gb+j
-----END PGP SIGNATURE-----