Operating System:

[RedHat]

Published:

03 December 2021

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4095
     OpenShift Virtualization 4.8.3 Images security and bug fix update
                              3 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Virtualization 4.8.3 Images
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43267 CVE-2021-42574 CVE-2021-37750
                   CVE-2021-36222 CVE-2021-36087 CVE-2021-36086
                   CVE-2021-36085 CVE-2021-36084 CVE-2021-35942
                   CVE-2021-34558 CVE-2021-33938 CVE-2021-33930
                   CVE-2021-33929 CVE-2021-33928 CVE-2021-33574
                   CVE-2021-33560 CVE-2021-29923 CVE-2021-28950
                   CVE-2021-28153 CVE-2021-27645 CVE-2021-23841
                   CVE-2021-23840 CVE-2021-22947 CVE-2021-22946
                   CVE-2021-22925 CVE-2021-22898 CVE-2021-22876
                   CVE-2021-20317 CVE-2021-20266 CVE-2021-20232
                   CVE-2021-20231 CVE-2021-3800 CVE-2021-3796
                   CVE-2021-3778 CVE-2021-3733 CVE-2021-3656
                   CVE-2021-3580 CVE-2021-3572 CVE-2021-3445
                   CVE-2021-3426 CVE-2021-3200 CVE-2021-0512
                   CVE-2020-36385 CVE-2020-25648 CVE-2020-24370
                   CVE-2020-16135 CVE-2020-14155 CVE-2020-13435
                   CVE-2020-12762 CVE-2019-20838 CVE-2019-19603
                   CVE-2019-18218 CVE-2019-17595 CVE-2019-17594
                   CVE-2019-13751 CVE-2019-13750 CVE-2019-5827
                   CVE-2018-20673  

Reference:         ESB-2021.4019

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4914

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.8.3 Images security and bug fix update
Advisory ID:       RHSA-2021:4914-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4914
Issue date:        2021-12-02
CVE Names:         CVE-2018-20673 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 
                   CVE-2020-12762 CVE-2020-13435 CVE-2020-14155 
                   CVE-2020-16135 CVE-2020-24370 CVE-2020-25648 
                   CVE-2020-36385 CVE-2021-0512 CVE-2021-3200 
                   CVE-2021-3426 CVE-2021-3445 CVE-2021-3572 
                   CVE-2021-3580 CVE-2021-3656 CVE-2021-3733 
                   CVE-2021-3778 CVE-2021-3796 CVE-2021-3800 
                   CVE-2021-20231 CVE-2021-20232 CVE-2021-20266 
                   CVE-2021-20317 CVE-2021-22876 CVE-2021-22898 
                   CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 
                   CVE-2021-23840 CVE-2021-23841 CVE-2021-27645 
                   CVE-2021-28153 CVE-2021-28950 CVE-2021-29923 
                   CVE-2021-33560 CVE-2021-33574 CVE-2021-33928 
                   CVE-2021-33929 CVE-2021-33930 CVE-2021-33938 
                   CVE-2021-34558 CVE-2021-35942 CVE-2021-36084 
                   CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 
                   CVE-2021-36222 CVE-2021-37750 CVE-2021-42574 
                   CVE-2021-43267 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.8.3 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.8.3 images:

RHEL-8-CNV-4.8
==============
hostpath-provisioner-container-v4.8.3-4
kubevirt-v2v-conversion-container-v4.8.3-3
virt-cdi-cloner-container-v4.8.3-4
virt-cdi-operator-container-v4.8.3-4
virt-cdi-uploadproxy-container-v4.8.3-4
virt-launcher-container-v4.8.3-9
vm-import-operator-container-v4.8.3-7
virt-cdi-apiserver-container-v4.8.3-4
kubevirt-vmware-container-v4.8.3-3
virt-api-container-v4.8.3-9
vm-import-virtv2v-container-v4.8.3-7
virtio-win-container-v4.8.3-3
node-maintenance-operator-container-v4.8.3-2
hostpath-provisioner-operator-container-v4.8.3-4
virt-cdi-controller-container-v4.8.3-4
virt-cdi-importer-container-v4.8.3-4
bridge-marker-container-v4.8.3-3
ovs-cni-marker-container-v4.8.3-3
virt-handler-container-v4.8.3-9
virt-controller-container-v4.8.3-9
cnv-containernetworking-plugins-container-v4.8.3-3
kubevirt-template-validator-container-v4.8.3-3
hyperconverged-cluster-webhook-container-v4.8.3-5
ovs-cni-plugin-container-v4.8.3-3
hyperconverged-cluster-operator-container-v4.8.3-5
kubevirt-ssp-operator-container-v4.8.3-4
virt-cdi-uploadserver-container-v4.8.3-4
kubemacpool-container-v4.8.3-5
vm-import-controller-container-v4.8.3-7
virt-operator-container-v4.8.3-9
kubernetes-nmstate-handler-container-v4.8.3-8
cnv-must-gather-container-v4.8.3-12
cluster-network-addons-operator-container-v4.8.3-8
hco-bundle-registry-container-v4.8.3-58

Security Fix(es):

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1997017 - unprivileged client fails to get guest agent data
1998855 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed
2000251 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount
2001270 - [VMIO] [Warm from Vmware] Snapshot files are not deleted after Successful Import
2001281 - [VMIO] [Warm from VMware] Source VM should not be turned ON if  vmio import is  removed
2001901 - [4.8.3] NNCP creation failures after nmstate-handler pod deletion
2007336 - 4.8.3 containers
2007776 - Failed to Migrate Windows VM with CDROM  (readonly)
2008511 - [CNV-4.8.3] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13
2012890 - With descheduler during multiple VMIs migrations, some VMs are restarted
2025475 - [4.8.3] Upgrade from 2.6 to 4.x versions failed due to vlan-filtering issues
2026881 - [4.8.3] vlan-filtering is getting applied on veth ports

5. References:

https://access.redhat.com/security/cve/CVE-2018-20673
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-36385
https://access.redhat.com/security/cve/CVE-2021-0512
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3656
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-3778
https://access.redhat.com/security/cve/CVE-2021-3796
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-20266
https://access.redhat.com/security/cve/CVE-2021-20317
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-23840
https://access.redhat.com/security/cve/CVE-2021-23841
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-28950
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-43267
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYakvrdzjgjWX9erEAQi33w//VpPvIhnB7lczkCNCzlCeIngYY1zX6nIV
LJ1pDNz4uCWOacL1WtHqq+yv87I6GW8x8JgY8XpfQyGWEZnkmZc2lUJ3qsRXKm2f
2PrqXPCPLbO9gC6ErRUSVL51cWDolEFJM4j4+MmYVzwA09SptlfooR/SZ6zHsGh8
OHbupl22XXd1ugemeSaMGsycNmEbYqt4KfMAGaqDLAClWIL35p6/HRUmbY9oVhtG
gLnvt+7DElCW+vfqm7GtcT8sVSti786aB2dbTh2trXRt0j5P3mG6ovow4koA0riX
5rH2Wt7bnmxKR4qvFl5yqJSeQkghnaJmpu3j3SHQ88sfTmpqUZJbRFljiefgHsPZ
MgZsspOE0QmP+HHRmiJvJYLlQs8r5ukJGe/YmBdRV2g3IcVhJtrfdvT/u2luv6/9
PGoVGaPA2ZCtrYJxuzbOzd4VupKSoKfvZTHJdKaUvyZB3o0bjqAfOQg5sTaeFqS5
9qXZBmJ9gMTQdQBrHAzYbNe/IbJbR7LvVIY3Q2gPkDNrmtfA8ifkmm2UJkJ3U/3F
gWFaELq2RRM1fo7QMhBJ8gO3oVXEN5q42LR6IUEYFY7xMMvrR+ztc/Y9PfkEVTbP
YaRgzUU0YNocEnuQ2LEQnt+KyAm2slHQccaVgDa0kELWZjRus9J+Dm7IetK+RVpL
rOhdZCv5eQg=
=YFIo
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYalaIeNLKJtyKPYoAQjDpg/9FKvdx60Ae+Kp8TXEutOh2hXH5+HD+KAI
ZBcvEdtsFqDj/qccFGNe5Lsnod1nHHl5Mehyiu5h2gOwtS/NjdvnaXjkj7tjzxRG
2vHJRytjoEpV57BaLl+NnG2ix59ExLxZbQEoMyvoffRI44B+cOaM1zLq0d9BqwEX
krTGm+sfO0d26yx//mj0NOdPoWnXVeendyPajwQ1XwqpvbcRGTktlFy9wUb4EDZ8
fXxSVA/8mIdL3wrWEckRcR8JOXSTFOi8TX8r3CxcnulUbJBDYD4N8UG4GyC+mGZ6
btHBma+6VU90C1krVAtKSVO+lmrLb9YbzYi1dmDNRwW0rzImtJogzW5KDSgNNmkZ
HKUHr8btQHHLe6YNInt1RjlsZ5NH9nk2KLlJrNBawPz/B0xgNSCI8euYc+inJVxC
9WSH9A2M64dMRd2jaYrrCKxJti0YlVd11tlOEZ922TAgHQtevvf5ym3ZUGRqUlcW
MxwfXpaXASSRxKf3VfWZRdvSHrBCJfE2qXrdG4rNEA+CrYESJydEnIztw+ZCeDe9
v5aNnbDVgUZJ8ceyBg2P3uxt2Xnykah2qe6m/bW9cNtHmc/XPHHeILkZIjV6kdrt
0O9NazBg84K3qQLCUNQmfFGtHA6WWbJgdIpF5iXvcGmaKXCJIy55VH0BxXa2e09k
ZIwfAFG1hr8=
=KIMG
-----END PGP SIGNATURE-----