-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3941
  OpenShift Virtualization 2.6.8 Images and RPMs security and bug fix updates
                              18 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Virtualization 2.6.8 Images
                   OpenShift Virtualization 2.6.8 RPMs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges           -- Existing Account
                   Denial of Service              -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-37750 CVE-2021-36222 CVE-2021-34558
                   CVE-2021-29923 CVE-2021-22924 CVE-2021-22923
                   CVE-2021-22922 CVE-2021-3733 CVE-2021-3653
                   CVE-2020-25648
Reference:         ASB-2021.0222
                   ESB-2021.3916
                   ESB-2021.3878
                   ESB-2021.3848
                   ESB-2021.3649

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4725
   https://access.redhat.com/errata/RHSA-2021:4722

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 2.6.8 Images security and bug fix update
Advisory ID:       RHSA-2021:4725-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4725
Issue date:        2021-11-17
CVE Names:         CVE-2020-25648 CVE-2021-3653 CVE-2021-3733
                   CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
                   CVE-2021-29923 CVE-2021-34558 CVE-2021-36222
                   CVE-2021-37750
=====================================================================

1.
Summary:

Red Hat OpenShift Virtualization release 2.6.8 is now available with updates
to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red
Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.6.8 images:

RHEL-8-CNV-2.6
==============
kubevirt-v2v-conversion-container-v2.6.8-1
hyperconverged-cluster-webhook-container-v2.6.8-1
vm-import-controller-container-v2.6.8-1
kubevirt-cpu-model-nfd-plugin-container-v2.6.8-2
vm-import-operator-container-v2.6.8-1
kubevirt-cpu-node-labeller-container-v2.6.8-1
kubevirt-ssp-operator-container-v2.6.8-1
kubemacpool-container-v2.6.8-1
cluster-network-addons-operator-container-v2.6.8-1
virt-cdi-cloner-container-v2.6.8-1
virt-cdi-uploadproxy-container-v2.6.8-1
kubernetes-nmstate-handler-container-v2.6.8-1
ovs-cni-plugin-container-v2.6.8-1
ovs-cni-marker-container-v2.6.8-1
hostpath-provisioner-operator-container-v2.6.8-1
kubevirt-vmware-container-v2.6.8-2
kubevirt-template-validator-container-v2.6.8-2
kubevirt-kvm-info-nfd-plugin-container-v2.6.8-1
node-maintenance-operator-container-v2.6.8-1
vm-import-virtv2v-container-v2.6.8-1
hostpath-provisioner-container-v2.6.8-1
virt-cdi-uploadserver-container-v2.6.8-1
cnv-containernetworking-plugins-container-v2.6.8-1
virtio-win-container-v2.6.8-2
virt-cdi-controller-container-v2.6.8-1
virt-cdi-importer-container-v2.6.8-1
virt-cdi-apiserver-container-v2.6.8-1
virt-cdi-operator-container-v2.6.8-1
bridge-marker-container-v2.6.8-1
hyperconverged-cluster-operator-container-v2.6.8-1
cnv-must-gather-container-v2.6.8-5
virt-launcher-container-v2.6.8-5
virt-operator-container-v2.6.8-5
virt-api-container-v2.6.8-5
virt-controller-container-v2.6.8-5
virt-handler-container-v2.6.8-5
hco-bundle-registry-container-v2.6.8-23

Security Fix(es):

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1998844 - virt-handler Pod is missing xorrisofs command
2008522 - "unable to execute QEMU agent command 'guest-get-users'" logs in virt-launcher pod every 10 seconds
2010334 - VM is not able to be migrated after failed migration
2012328 - 2.6.8 containers
2013494 - [CNV-2.6.8] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13

5. References:

https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2021-3653
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#moderate

6.
Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- -----------------------------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 2.6.8 RPMs security and bug fix update
Advisory ID:       RHSA-2021:4722-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4722
Issue date:        2021-11-17
CVE Names:         CVE-2021-29923 CVE-2021-34558
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.6.8 is now available with updates
to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2.
Relevant releases/architectures:

CNV 2.6 for RHEL 7 - x86_64
CNV 2.6 for RHEL 8 - x86_64

3. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red
Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 2.6.8 RPMs.

Security Fix(es):

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
2012329 - 2.6.8 rpms

6. Package List:

CNV 2.6 for RHEL 7:

Source:
kubevirt-2.6.8-211.el7.src.rpm

x86_64:
kubevirt-virtctl-2.6.8-211.el7.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.8-211.el7.x86_64.rpm

CNV 2.6 for RHEL 8:

Source:
kubevirt-2.6.8-211.el8.src.rpm

x86_64:
kubevirt-virtctl-2.6.8-211.el8.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.8-211.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
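The first Security Fix(es) entry in both advisories, CVE-2021-29923, concerns IPv4 octets with extraneous leading zeros, which Go's net package parsed as decimal while other parsers treat them as octal, so two components could resolve the same string to different hosts. The following Go program is an added example, not code from Red Hat or the KubeVirt project: a strict dotted-decimal parser that rejects the ambiguous form regardless of the Go release it is compiled with, plus a helper for auditing an address list (allow-lists, config values) for entries that were version-dependent. The function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrLeadingZero marks the ambiguous form behind CVE-2021-29923: "010" was
// read as decimal 10 by net.ParseIP but as octal 8 by inet_aton-style parsers.
var ErrLeadingZero = errors.New("ipv4 octet has a leading zero")

// ParseIPv4Strict accepts only canonical dotted-decimal IPv4 text: exactly four
// octets, unsigned decimal digits, no leading zeros, each in 0-255.
func ParseIPv4Strict(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	var b [4]byte
	for i, p := range parts {
		// Base-10 ParseUint rejects "", signs, hex, underscores and values > 255.
		n, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return nil, fmt.Errorf("octet %d %q: %w", i+1, p, err)
		}
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("octet %d %q: %w", i+1, p, ErrLeadingZero)
		}
		b[i] = byte(n)
	}
	return net.IPv4(b[0], b[1], b[2], b[3]), nil
}

// AmbiguousAddrs returns the entries of an address list that the strict parser
// rejects only because of a leading zero: the values whose meaning depended on
// which Go release parsed them.
func AmbiguousAddrs(addrs []string) []string {
	var out []string
	for _, a := range addrs {
		if _, err := ParseIPv4Strict(a); errors.Is(err, ErrLeadingZero) {
			out = append(out, a)
		}
	}
	return out
}
```

On a constructed list such as {"10.0.0.1", "010.0.0.1", "192.168.001.5"}, AmbiguousAddrs returns the last two; rewriting those entries in canonical form removes the dependence on the parser's behaviour.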
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================