Red Hat Security Advisory 2021-1169-01 - The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.
ad61386766366b722b219913b56b8cfa60dfc16f9db363fa82bc4c4108510fb1-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement
Advisory ID: RHSA-2021:1169-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1169
Issue date: 2021-04-14
CVE Names: CVE-2019-20921 CVE-2020-25657 CVE-2020-28458
CVE-2020-28477
=====================================================================
1. Summary:
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
3. Description:
The ovirt-engine package provides the manager for virtualization
environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht
ml-single/technical_notes
Security Fix(es):
* nodejs-bootstrap-select: not escaping title values on <option> may lead
to XSS (CVE-2019-20921)
* m2crypto: bleichenbacher timing attacks in the RSA decryption API
(CVE-2020-25657)
* datatables.net: prototype pollution if 'constructor' were used in a data
property name (CVE-2020-28458)
* nodejs-immer: prototype pollution may lead to DoS or remote code
execution (CVE-2020-28477)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1145658 - Storage domain removal does not check if the storage domain contains any memory dumps.
1155275 - [RFE] - Online update LUN size to the Guest after LUN resize
1649479 - [RFE] OVF_STORE last update not exposed in the UI
1666786 - RHV-M reports "Balancing VM ${VM}" for ever as successful in the tasks list
1688186 - [RFE] CPU and NUMA Pinning shall be handled automatically
1729359 - Failed image upload leaves disk in locked state, requiring manual intervention to cleanup.
1787235 - [RFE] Offline disk move should log which host the data is being copied on in the audit log
1802844 - rest api setupnetworks: assignment_method should be inside ip_address_assignment
1837221 - [RFE] Allow using other than RSA SHA-1/SHA-2 public keys for SSH connections between RHVM and hypervisors
1843882 - network interface not added to public firewalld zone until host reboot
1858420 - Snapshot creation on host that engine then loses connection to results in missing snapshots table entry
1882273 - CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
1884233 - oVirt-engine reports misleading login-domain for external RH-SSO accounts
1889823 - CVE-2020-25657 m2crypto: bleichenbacher timing attacks in the RSA decryption API
1895217 - Hosted-Engine --restore-from-file fails if backup has VM pinned to restore host and has no Icon set.
1901503 - Misleading error message, displaying Data Center Storage Type instead of its name
1901752 - AddVds fails as FIPS host rejects SSH with ssh-rsa, failing HostedEngine deployment
1905108 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
1905158 - After upgrading RHVH 4.4.2 to 4.4.3 moves to non-operational due to missing CPU features : model_Cascadelake-Server
1908441 - CVE-2020-28458 datatables.net: prototype pollution if 'constructor' were used in a data property name
1910302 - [RFE] Allow SPM switching if all tasks have finished via UI
1913198 - Host deploy fails if 6+ hosts are deployed at the same time.
1914602 - [RHV 4.4] /var/lib/ovirt-engine/external_truststore (Permission denied)
1918162 - CVE-2020-28477 nodejs-immer: prototype pollution may lead to DoS or remote code execution
1919555 - Rebase apache-sshd to version 2.6.0 for RHV 4.4.5
1921104 - Bump required ansible version in RHV Manager 4.4.5
1921119 - RHV reports unsynced cluster when host QoS is in use.
1922200 - Checking the Engine database consistency takes too long to complete
1924012 - Rebase ansible-runner to 1.4.6
1926854 - [RFE] Requesting an audit log entry be added in LSM flow to display the host on which the internal volumes are copied
1927851 - [RFE] Add timezone AUS Eastern Standard Time
1931514 - [downstream] Cluster upgrade fails when using Intel Skylake Client/Server IBRS SSBD MDS Family
1931786 - Windows driver update does not work on cluster level 4.5
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ansible-runner-1.4.6-2.el8ar.src.rpm
ansible-runner-service-1.0.7-1.el8ev.src.rpm
apache-sshd-2.6.0-1.el8ev.src.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.src.rpm
ovirt-web-ui-1.6.7-1.el8ev.src.rpm
noarch:
ansible-runner-1.4.6-2.el8ar.noarch.rpm
ansible-runner-service-1.0.7-1.el8ev.noarch.rpm
apache-sshd-2.6.0-1.el8ev.noarch.rpm
apache-sshd-javadoc-2.6.0-1.el8ev.noarch.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-web-ui-1.6.7-1.el8ev.noarch.rpm
python3-ansible-runner-1.4.6-2.el8ar.noarch.rpm
python3-ovirt-engine-lib-4.4.5.9-0.1.el8ev.noarch.rpm
rhvm-4.4.5.9-0.1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-20921
https://access.redhat.com/security/cve/CVE-2020-25657
https://access.redhat.com/security/cve/CVE-2020-28458
https://access.redhat.com/security/cve/CVE-2020-28477
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYHbXDtzjgjWX9erEAQiTWQ/9FiMmej2/JnL+QpebvDH+rtVY6jyd5CZ1
ddZiKSXzW7A7hOhm9LhmdxG+jrtmEOy4w0XD8r9NZzauh9nrZcKYrAbwUorefRNe
7ppAIri2ybGrq62kLW0FkPYo+cKsg9uWdDooNCvJi7pLcn8C7B9ZCyb6SWYSQyEz
NhYPxcbTbAoHQ0ACTC4Fr4YKOM7UIt8toZJ91/fnfLk1pjmM5eUsiax9mIFYB9fa
/ormZyfwUqnr8HtiX8FNsFMamltoz/y5cdBX9RNAC5ype7m1CDDvtePyiD5ch+PB
T1oplGTfbD3YzjwSgdsJb8CxB19QrHBWbw3moVoPelfpm6GDwYGNcONErUDkiYlR
0gukk91EDkNgwTp3n7ihSOGpodF3P7kkvxFVV0nMXCBOz5wIFLeBPQJvBT3CkmQ0
8/vi05DT+ceocexVKXmF7KbLkav0rxlfzKu3NskLgAzVmEysOs93VUajUjcRVrft
562YQ0Set8NKIdJUFrXqtGQ7qaPATdGcyMyJ87vcSM26NcuXrmv9AgcznlBonikx
cxxJW2fAsewPO8zZoGm5mef9yX5wRAn2ulAQpSPZmtIATpS8DKPb7/ihtvInSMyy
HQ6NgVREW0260cTNM6nRSzgehmIKeu8t4Q1Dn4ZI13YdMN7j9TfLAUVv+bJuj7aT
2FfpORrEpRw=
=CVx+
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed