
Red Hat Security Advisory 2021-0381-01

Posted Feb 2, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-0381-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer Application Programming Interface. Issues addressed include an XML external entity (XXE) vulnerability in the bundled jackson-databind library (CVE-2020-25649).

tags | advisory
systems | linux, redhat
advisories | CVE-2020-25649
SHA-256 | 0326933ac26772d368b4bd4bef05ffbd71afc64484937477309a97415799d61f



=====================================================================
Red Hat Security Advisory

Synopsis: Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
Advisory ID: RHSA-2021:0381-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0381
Issue date: 2021-02-02
CVE Names: CVE-2020-25649
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
1702237 - [RFE] add API for listing disksnapshots under disk resource
1796231 - VM disk remains in locked state if image transfer (image download) times out due to inactivity.
1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.
1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
1881115 - RHEL VM icons squashed, please adhere to brand rules
1881357 - German language greeting page says Red Hat®
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
1903595 - [PPC] Can't add PPC host to Engine

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm
ovirt-web-ui-1.6.6-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm
rhvm-4.4.4.5-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
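As an added check that is not part of the advisory, the following Python script compares an installed-package inventory against the fixed builds listed above, ordering versions the way rpm's rpmvercmp() does so that "4.4.3.12" correctly sorts below "4.4.4.5". The FIXED table is a subset of the noarch list in this advisory, the INVENTORY lines are constructed sample output of `rpm -qa`, and epoch and caret ("^") ordering are omitted on the assumption that none of the listed packages use them.

```python
import re

# Fixed noarch builds taken from the advisory's package list (name -> version-release).
FIXED = {
    "ovirt-engine": "4.4.4.5-0.10.el8ev",
    "ovirt-engine-dwh": "4.4.4.2-1.el8ev",
    "ovirt-web-ui": "1.6.6-1.el8ev",
}
# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output.
INVENTORY = """\
ovirt-engine-4.4.3.12-0.1.el8ev
ovirt-engine-dwh-4.4.4.2-1.el8ev
ovirt-web-ui-1.6.6-0.1.el8ev
bash-4.4.20-1.el8
"""
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpm segments; separators like '.' are ignored

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's segment-by-segment ordering (no epoch/caret)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":              # '~' sorts before everything, even end
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():        # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                       # numeric: compare by magnitude, not text
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments make a string newer, unless the leftover starts with '~'.
    a_longer = len(sa) > len(sb)
    tilde = (sa if a_longer else sb)[min(len(sa), len(sb))] == "~"
    return -1 if a_longer == tilde else 1

def evrcmp(vr_a: str, vr_b: str) -> int:
    """Compare 'version-release' strings: version decides first, then release."""
    (va, _, ra), (vb, _, rb) = vr_a.partition("-"), vr_b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(inventory: str, fixed: dict = FIXED) -> list:
    """Names of packages in `fixed` whose installed build is older than the fix."""
    hits = []
    for line in filter(None, map(str.strip, inventory.splitlines())):
        name, ver, rel = line.rsplit("-", 2)  # package names may contain '-'
        if name in fixed and evrcmp(f"{ver}-{rel}", fixed[name]) < 0:
            hits.append(name)
    return hits
```

Packages not named in the advisory (bash in the sample) are ignored, and a build equal to the fixed version is reported as up to date.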

7. References:

https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce