
Red Hat Security Advisory 2016-1967-01

Posted Sep 29, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1967-01 - The Red Hat Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer Application Programming Interface.

tags | advisory
systems | linux, redhat
advisories | CVE-2016-5432
SHA-256 | 1dad5da83832d848a306c7a1c3edafe684ebd92107f66f7df2652aa86e3cb1b4



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: org.ovirt.engine-root security, bug fix, and enhancement update
Advisory ID: RHSA-2016:1967-01
Product: Red Hat Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1967.html
Issue date: 2016-09-28
CVE Names: CVE-2016-5432
=====================================================================

1. Summary:

An update for org.ovirt.engine-root is now available for RHEV Engine
version 4.0.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEV-M 4.0 - noarch

3. Description:

The Red Hat Virtualization Manager is a centralized management platform
that allows system administrators to view and manage virtual machines. The
Manager provides a comprehensive range of features including search
capabilities, resource management, live migrations, and virtual
infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* It was found that the ovirt-engine-provisiondb utility did not correctly
sanitize the authentication details used with the "--provision*db" options
from the output before storing them in log files. This could allow an
attacker with read access to these log files to obtain sensitive
information such as passwords. (CVE-2016-5432)

This issue was discovered by Yedidyah Bar David (Red Hat).
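The flaw above is a logging problem: the setup utility wrote its own command line, secrets included, to a log readable by others. The added example below (not Red Hat's or oVirt's code) shows the vulnerable logging pattern beside a hardened form that redacts password-bearing options before the line is written, plus a check a defender can run over an existing log dump. The option names and values are constructed; the advisory only gives the "--provision*db" form.

```python
import re
import shlex

# Assumption (constructed for this example): any long option starting with
# "--provision" whose name mentions "password"/"passwd" carries a secret.
# Matches both "--opt=value" and bare "--opt" (value in the next argv element).
SECRET_OPTION = re.compile(
    r"^(--provision[\w-]*(?:password|passwd)[\w-]*)(?:=(.*))?$", re.IGNORECASE)
REDACTED = "<redacted>"


def redact_argv(argv):
    """Return a copy of argv with the values of secret-bearing options masked."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:                      # value given as a separate argument
            out.append(REDACTED)
            mask_next = False
            continue
        m = SECRET_OPTION.match(arg)
        if m is None:
            out.append(arg)
        elif m.group(2) is not None:       # "--opt=value" form
            out.append(f"{m.group(1)}={REDACTED}")
        else:                              # "--opt value" form
            out.append(arg)
            mask_next = True
    return out


def log_line_vulnerable(argv):
    """The pattern the advisory describes: the full command line goes to the log."""
    return "running: " + " ".join(shlex.quote(a) for a in argv)


def log_line_fixed(argv):
    """Same log line, written only after secret values have been stripped."""
    return "running: " + " ".join(shlex.quote(a) for a in redact_argv(argv))


def find_leaked_secrets(log_text, secrets):
    """Defender check: which known secret values appear verbatim in a log dump."""
    return [s for s in secrets if s in log_text]


if __name__ == "__main__":
    # Constructed sample invocation; option names and values are illustrative.
    argv = ["ovirt-engine-provisiondb", "--provision-db-user=engine",
            "--provision-db-password=Hunter2!", "--provision-dwh-db-password", "s3cret"]
    print(log_line_vulnerable(argv))   # secrets land in the log
    print(log_line_fixed(argv))        # secrets masked
```

The same `find_leaked_secrets` check, run with the credentials from an unpatched deployment against its setup logs, tells an administrator whether those credentials need rotating after applying this update.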

Bug Fix(es):

* Previously, when checking permissions for a CPU profile, group
permissions were not considered. Users that were part of a group could not
assign a CPU profile and so could not start a virtual machine. This was
fixed by using PermissionDao and correct SQL functions when checking
permissions, so group permissions are now considered. (BZ#1371888)

* Setting only one of the thresholds (high or low) for power saving or
evenly distributed memory-based balancing could lead to unexpected results.
For example, in power saving load balancing, when the threshold for memory
over-utilized hosts was set and the threshold for memory under-utilized hosts
was left undefined, the undefined threshold defaulted to 0. All hosts were
therefore considered under-utilized and chosen as sources for migration, but
no host was chosen as a migration destination.

This has now been changed so that an undefined threshold for memory
under-utilized hosts defaults to Long.MAX. Now, when the threshold for memory
over-utilized hosts is set and the threshold for memory under-utilized hosts
is undefined, only over-utilized hosts are selected as sources for migration,
and the destination hosts are those that are not over-utilized. (BZ#1354281)

* This update ensures that the Quality of Service (QoS) storage values sent
to the VDSM service are used by VDSM and the Memory Overcommit Manager (MoM).
As a result, QoS is applied live to virtual machines, and all MoM-related
virtual machine changes are applied only when the memory ballooning device is
enabled on the virtual machine. (BZ#1328731)

Enhancement(s):

* Previously, it was possible to install incorrect versions of virtio
drivers, especially when running an older Windows operating system. This
sometimes caused the guest to terminate unexpectedly with a stop error,
also known as the "Blue Screen of Death", if the particular driver and
Windows versions were incompatible. This update adds target OS version
information to driver files, which enables Windows to automatically select
the best driver when pointed to the root of the virtio-win CD image.
Installing an incompatible driver version manually is also no longer
possible, as Windows now presents the user with an error message if
installation is attempted. (BZ#1328181)

* With this release, Red Hat Virtualization now supports CephFS as a POSIX
storage domain. (BZ#1095615)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1095615 - [RFE] Allow the use of CephFS as a storage domain within RHEV
1328181 - [RFE][TestOnly] Virt: add TargetOSVersion to driver inf files [blocked on platform bug 1325078 - currently for 7.3 - waiting for QE testing on it]
1328731 - Storage QoS is not applying on a Live VM/disk
1339660 - Hosted Engine's disk is in Unassigned Status in the RHEV UI
1354281 - All hosts filtered out when memory underutilized parameter left out
1368202 - HA VMs are not restarted on different host if NonResponsive host is off and start action failed
1371428 - CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text
1371888 - [z-stream clone - 4.0.4] User can't assign CPU profile after upgrade from 3.6 to 4.0

6. Package List:

RHEV-M 4.0:

Source:
ovirt-engine-4.0.4.4-0.1.el7ev.src.rpm

noarch:
ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-backend-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-dbscripts-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-extensions-api-impl-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-extensions-api-impl-javadoc-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-lib-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-restapi-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-base-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-tools-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-tools-backup-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-userportal-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-userportal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-webadmin-portal-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-webadmin-portal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm
ovirt-engine-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm
rhevm-4.0.4.4-0.1.el7ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5432
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

