Red Hat Security Advisory 2023-0074-01

Red Hat Security Advisory 2023-0074-01: Posted Jan 12, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-0074-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Issues addressed include deserialization and traversal vulnerabilities.; tags | advisory, java, vulnerability; systems | linux, redhat; advisories | CVE-2021-30483, CVE-2022-45047; SHA-256 | dcad900288a123d4634bb79ea34d68fb76fa1874797c13f3279e826b93e3f6d9; Download | Favorite | View

Red Hat Security Advisory 2023-0074-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Advisory ID:       RHSA-2023:0074-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0074
Issue date:        2023-01-11
CVE Names:         CVE-2021-30483 CVE-2022-45047 
=====================================================================

1. Summary:

Updated RHV packages that fix several bugs and add various enhancements are
now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security fix(es):

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* isomorphic-git: Directory traversal via a crafted repository
(CVE-2021-30483)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* With this release, SELinux rules for the Grafana HTTP port are now
properly set up for new remote DWH installations as part of the Red Hat
Virtualization Manager engine-setup. (BZ#2126778)

* Previously, search conditions were not applied properly when a non-admin
user tried to search for Clusters or Data Centers over the REST API. In
this release, both admin and non-admin users can search for clusters
properly using the REST API. (BZ#2144346)

* Previously, stale bitmaps in the base image during a cold or live
internal merge caused the operation to fail. In this release, the merge
operation succeeds. (BZ#2141371)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
2126778 - Port 3000 blocked between engine and remote DWH with Grafana
2141371 - Incorrect image chain when deleting an intermediate snapshot
2144346 - Search returns all entities the permissions allow if the user is not admin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2152015 - Discrepancy tool fails with KeyError
2152845 - Storage stabilization for 4.5.3

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm

ppc64le:
vdsm-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm

x86_64:
vdsm-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

x86_64:
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
apache-sshd-2.9.2-0.1.el8ev.src.rpm
ovirt-engine-4.5.3.5-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm
ovirt-web-ui-1.9.3-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm

noarch:
apache-sshd-2.9.2-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm
ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm
rhvm-4.5.3.5-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-30483
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY77lENzjgjWX9erEAQgN9A/9G5NYjt87qCs93u5tgnYP1G5A8GCojNtd
G3TglbeCMHIgGlA67TSE5vXvppHdYHCN2QoT+d+9iz0SHbIOOn7Ztc4I/KyIgX3Y
T6e2trOCry7KWz8TX+DTyoJamnGVRbvKnvmoUB6rrZbhoa9wP68ZwhvNdVzuGi27
p8xa2zPv1LDz1gyf2Ko1dtb0i7CtYWhL1dRcAByA4dvACiQJe1NMwCyLZf/vb3Zu
64pO4La8QWn3SJut9HJ8PhoGbtPWBWGCIF1ghKVAysrUjpe6QceIElLd6ADVTa29
GPbsxwcUUyJFIzennM47GVMf+X3uKnHH5MbLuv3ghEjguaBsQ9M9TNNAyFz9wO+k
cTVmxkZfB45t7teRQCoAF5uLLza2xLkzZBvVEgKsiGCKXJrN4nc8mWTXKkbtEXej
kmrVT85brDs0+IgNsian/8Zyn48//5CZJm/TsQne0vRf3GYDOUMabrd3XmOzHH4a
XVw3u57eKZ4dtmQ9KNsgzFKUJOe/w1HWyIbk7XVawNPZX4K0waXXaiBLJZxYTjWP
5Fve+MpRPBCtOrV8LKVLdbz4eZRG4q+Z2N92ZOc6X4omJUhGYHRmmPL5C/iLsXiA
kI3NoANDaeMvgqoR8J1FB4N3Tvk5kKE5yBXCELG/+ZpLgjLecElyxHFCeibogY3s
ZiUYms4Cl8s=
=Z3Jw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Red Hat Security Advisory 2023-0074-01

Red Hat Security Advisory 2023-0074-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2023-0074-01

Share This

Red Hat Security Advisory 2023-0074-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems