Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3941
OpenShift Virtualization 2.6.8 Images and RPMs security and bug fix updates
18 November 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Virtualization 2.6.8 Images
OpenShift Virtualization 2.6.8 RPMs
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-37750 CVE-2021-36222 CVE-2021-34558
CVE-2021-29923 CVE-2021-22924 CVE-2021-22923
CVE-2021-22922 CVE-2021-3733 CVE-2021-3653
CVE-2020-25648
Reference: ASB-2021.0222
ESB-2021.3916
ESB-2021.3878
ESB-2021.3848
ESB-2021.3649
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:4725
https://access.redhat.com/errata/RHSA-2021:4722
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Virtualization 2.6.8 Images security and bug fix update
Advisory ID: RHSA-2021:4725-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4725
Issue date: 2021-11-17
CVE Names: CVE-2020-25648 CVE-2021-3653 CVE-2021-3733
CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
CVE-2021-29923 CVE-2021-34558 CVE-2021-36222
CVE-2021-37750
=====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 2.6.8 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 2.6.8 images:
RHEL-8-CNV-2.6
==============
kubevirt-v2v-conversion-container-v2.6.8-1
hyperconverged-cluster-webhook-container-v2.6.8-1
vm-import-controller-container-v2.6.8-1
kubevirt-cpu-model-nfd-plugin-container-v2.6.8-2
vm-import-operator-container-v2.6.8-1
kubevirt-cpu-node-labeller-container-v2.6.8-1
kubevirt-ssp-operator-container-v2.6.8-1
kubemacpool-container-v2.6.8-1
cluster-network-addons-operator-container-v2.6.8-1
virt-cdi-cloner-container-v2.6.8-1
virt-cdi-uploadproxy-container-v2.6.8-1
kubernetes-nmstate-handler-container-v2.6.8-1
ovs-cni-plugin-container-v2.6.8-1
ovs-cni-marker-container-v2.6.8-1
hostpath-provisioner-operator-container-v2.6.8-1
kubevirt-vmware-container-v2.6.8-2
kubevirt-template-validator-container-v2.6.8-2
kubevirt-kvm-info-nfd-plugin-container-v2.6.8-1
node-maintenance-operator-container-v2.6.8-1
vm-import-virtv2v-container-v2.6.8-1
hostpath-provisioner-container-v2.6.8-1
virt-cdi-uploadserver-container-v2.6.8-1
cnv-containernetworking-plugins-container-v2.6.8-1
virtio-win-container-v2.6.8-2
virt-cdi-controller-container-v2.6.8-1
virt-cdi-importer-container-v2.6.8-1
virt-cdi-apiserver-container-v2.6.8-1
virt-cdi-operator-container-v2.6.8-1
bridge-marker-container-v2.6.8-1
hyperconverged-cluster-operator-container-v2.6.8-1
cnv-must-gather-container-v2.6.8-5
virt-launcher-container-v2.6.8-5
virt-operator-container-v2.6.8-5
virt-api-container-v2.6.8-5
virt-controller-container-v2.6.8-5
virt-handler-container-v2.6.8-5
hco-bundle-registry-container-v2.6.8-23
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1998844 - virt-handler Pod is missing xorrisofs command
2008522 - "unable to execute QEMU agent command 'guest-get-users'" logs in virt-launcher pod every 10 seconds
2010334 - VM is not able to be migrated after failed migration
2012328 - 2.6.8 containers
2013494 - [CNV-2.6.8] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13
5. References:
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2021-3653
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYZVo59zjgjWX9erEAQirPRAAm575MMCcD+walsd8Wrc3dWwTbeyutKxJ
HhKHJcCyh3aU6/BoQg/f+j4L/KJf7FMovIWvR9nNZOcLol1rTVmq4Ryo1kVVUGDf
XQj1cClzDre7O6GIJnMkvTgvFFTjqT0PY2unBBzreWPQxpZDt0rvmrIuZPj6A+bF
sPYu8Jx9DE6upV/aS/A4TJWD++Ya8OsSPvyqMi4dPbLTfI0ZXIi9ZS2VfW24jDn8
u6T/OU96b0IbDhuQIKglT578SE3YcgFRd7+8lH4JJZClSotz/JV1fluaTWyXvqj/
3Pi8QGuPrGvdKXrm7GGkiTLblEQBFAD9a5ekc9GJ2771yfP8xFN1hDvMufQ7pcUT
Z4Rrui+5dXvxoR3zrwAj8WSqdAoRMOYnA1I9MOxjI7G1GXqggPdp4w2AumLbH67v
K5GFqUJOKj8cn6ZuLNEodWuqqHIFF2wmz0ca7hBJ5ujkAGviJ/Kz6LT/s9GGL+Sg
JD95Rrngff43v2PgXSSmwjL3RP4lfxShU8ZqpPkVs0yCtX51PmwvbzGYp/G4Kj8m
FQEcvIpY+g+Hw6kO2cE4p88cY+fx8E6Om/m4JFn0uqrBcLt/4hz0HmGnjrqOcRtd
ZfgQ+dHdlRO0Ti7v0FeWlRi2YwOlQCDgQmJHTh/ajnAricp8hBgDlm+8KkAhiznO
oSu1muNLgFw=
=23tA
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Virtualization 2.6.8 RPMs security and bug fix update
Advisory ID: RHSA-2021:4722-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4722
Issue date: 2021-11-17
CVE Names: CVE-2021-29923 CVE-2021-34558
=====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 2.6.8 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
CNV 2.6 for RHEL 7 - x86_64
CNV 2.6 for RHEL 8 - x86_64
3. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 2.6.8 RPMs.
Security Fix(es):
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
2012329 - 2.6.8 rpms
6. Package List:
CNV 2.6 for RHEL 7:
Source:
kubevirt-2.6.8-211.el7.src.rpm
x86_64:
kubevirt-virtctl-2.6.8-211.el7.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.8-211.el7.x86_64.rpm
CNV 2.6 for RHEL 8:
Source:
kubevirt-2.6.8-211.el8.src.rpm
x86_64:
kubevirt-virtctl-2.6.8-211.el8.x86_64.rpm
kubevirt-virtctl-redistributable-2.6.8-211.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYZVo4tzjgjWX9erEAQjbWA//X4eJcytB5Fk8HTVwIeKxQwwvmE4T05x+
X1e0v0p+cP3RTH8CXvAptz8C07qKp7WYw3gEqE/Sl4H6dnEiC/PtJ7U/H9AVN1xH
fC3dwJ+ReEodjTl/M3to/7eaB8yQvCy3mEHYKWJ6fcEongETQDkUPDP3n3rMpchZ
csjVEsnBx4ppsiZ2+QN+B0p9AkzY8MMRH5glu3o44QwM+v3X6zpBXHq3D5cp+wlx
Nh3zsGA/k9MrUNPCmKT6mYEPDFwPxK0i3r2t2W0VQU9fNOEUwUdY6E7d4Y9m50fx
p2w2NOK+p6kVx7ivSN7OjmVHJb4XPCxVJs2tdi7jyZDQOSSMALqIgcw1kOnWHuX1
isJ7b3l9MlFE9PwGqIp87D6EANWW/Gt5/AuXf1HLu0EaWJwjzTJo1+Td/y0Xoz95
JziELfPoS+gxLrFNyKuVG6h18mBLTZQxdRE/3KdazhSDLre6suhnGiXnXZtn2XR+
9FMXs48pzgAi5BjY9+rEqxumTc0WRNjcl+G7RS9rA5x9BvlZnvJrcG1XLgwUj67r
W0KJ4Z2ht+NRCpLNNKg+qlEv4n2YnWIoRk3m7yU3xptnsVb8MIW//xPGWCLeHUjs
3srYk1xHnGNiLzbyYYYcgMao63g7vwpKvxO4SMDII6UiRdNm0QXfTVRFqNb4KYOD
40tI+urm7RU=
=BgJz
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYZWjBuNLKJtyKPYoAQh0xw//WXCpOerkjNWs6HousAatk2/ca6VSSeI4
F4C8EzEX+BrDoFT8mGMLcEoPt7m15GWZ5ZSrJJhY4xlTO7GpFMH7l4wO5MFABA1t
eSTrUUsgzk6YvUdYNxecTCgLIirD7NonI7D/Z3N2aRslJfkNdOApp9G5Hl2xcYe3
rqsV2R0VK14Hs7ZG/hjSv1diMax/aGRPtesfuiHh9aEBCq6FjfFbL3J/U6Cpa+kY
aXOwknmUGheZMJTkyv5se23yoTC0PLLKqHGyo708NQN0vjkBq9ngL9e8kplNssHd
2v4jrgk5FWOpIU3atWA9rJ82IzrJ56uh/oXAc39NaZDzEbSnNMQLZZCdS+jUtLpb
k0HTV0tEpcN4C6IS21WTbMpybGlG0hh+/cz4Hplpa0m7Fvc3IZx6kH1g/YvOD6EC
/88o2gq12NYMHUs8tmnKE0oZcaSx+pMXptgp3yY23Bldv2zazhiH87TXOdFdgEeZ
H+WU8GbtzApeo4EgR4V6Yby7LjKG8D/q0l8CsJkQQE7HqK5OrgMyvRMALXfoZYkq
TLpcd5eGz0sUUpOiFpHRsGLo7Cg5fEbtxWZwxJsJCSmrxoMeugzdP1v4buK0vjlb
KODXU1/lgo/Tnm9KcgQLzhzoqvgXLPHeGv5vPa/AAik8DKrqaSXHEV5rRjQOvaeN
1Y2wfVvuuUE=
=zCYD
-----END PGP SIGNATURE-----