-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Virtualization security, bug fix, and enhancement update
Advisory ID:       RHSA-2020:5179-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5179
Issue date:        2020-11-24
CVE Names:         CVE-2019-20920 CVE-2019-20922 CVE-2020-8203
====================================================================

1. Summary:

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the
CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version:
engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh
(4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2),
ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1),
ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4),
ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5),
rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

Security Fix(es):

* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)

* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)

* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
(BZ#1613514)

* Block moving HE hosts into different Data Centers and make HE host moved
to different cluster NonOperational after activation (BZ#1702016)

* If an in-use MAC is held by a VM on a different cluster, the engine does
not attempt to get the next free MAC. (BZ#1760170)

* Search backend cannot find VMs which name starts with a search keyword
(BZ#1797717)

* [Permissions] DataCenterAdmin role defined on DC level does not allow
Cluster creation (BZ#1808320)

* enable-usb-autoshare is always 0 in console.vv and usb-filter option is
listed two times (BZ#1811466)

* NumaPinningHelper is not huge pages aware, denies migration to suitable
host (BZ#1812316)

* Adding quota to group doesn't propagate to users (BZ#1822372)

* Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35
Template (BZ#1829691)

* Live Migration Bandwidth unit is different from Engine configuration
(Mbps) and VDSM (MBps) (BZ#1845397)

* RHV-M shows successful operation if OVA export/import failed during
"qemu-img convert" phase (BZ#1854888)

* Cannot hotplug disk reports libvirtError: Requested operation is not
valid: Domain already contains a disk with that address (BZ#1855305)

* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)

* RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run
(BZ#1866862)

* Issue with dashboards creation when sending metrics to external
Elasticsearch (BZ#1870133)

* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)

* [CNV&RHV]Notification about VM creation contain string (BZ#1873136)

* VM stuck in Migrating status after migration completed due to incorrect
status reported by VDSM after restart (BZ#1877632)

* Use 4.5 as compatibility level for the Default DataCenter and the Default
Cluster during installation (BZ#1879280)

* unable to create/add index pattern in step 5 from kcs articles#4921101
(BZ#1881634)

* [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
(BZ#1883844)

* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)

* [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)

* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

Enhancement(s):

* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)

* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)

* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)

* [RFE] Show vCPUs and allocated memory in virtual machines summary
(BZ#1752751)

* [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)

* [RFE] Destination Host in migrate VM dialog has to be searchable and
sortable (BZ#1851865)

* [RFE] Expose the "reinstallation required" flag of the hosts in the API
(BZ#1856671)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
1657294 - [RFE] - enable renaming HostedEngine VM name
1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
1797717 - Search backend cannot find VMs which name starts with a search keyword
1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
1822372 - Adding quota to group doesn't propagate to users
1825020 - [RFE] RHV-M Deployment/Install Needs it's own UUID
1828241 - Deleting snapshot do not display a lock for it's disks under "Disk Snapshots" tab.
1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
1845432 - [CNV&RHV] Communicatoin with CNV cluster spamming engine.log when token is expired
1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1859314 - rhv-log-collector-analyzer --json fails with TypeError
1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
1866981 - obj must be encoded before hashing
1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
1871694 - HostedEngine VM is broken after Cluster changed to UEFI
1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
1873136 - [CNV&RHV]Notification about VM creation contain string
1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating
1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade
1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import
1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
1879377 - [DWH] Rebase bug - for the 4.4.3 release
1881634 - unable to create/add index pattern in step 5 from kcs articles#4921101
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1883844 - [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
1884146 - Deprecate and remove ovirt-engine-api-explorer
1884634 - [CNV&RHV] Disable creating new disks for Kubevirt VM
1885976 - rhv-log-collector-analyzer - argument must be str, not bytes
1887268 - Cannot perform yum update on my RHV manager (ansible conflict)
1888626 - Require ansible-2.9.14 in ovirt-engine
1889522 - metrics playbooks are broken due to typo

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
engine-db-query-1.6.2-1.el8ev.src.rpm
ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm
ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm
ovirt-log-collector-4.4.4-1.el8ev.src.rpm
ovirt-web-ui-1.6.5-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm

noarch:
engine-db-query-1.6.2-1.el8ev.noarch.rpm
ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm
ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm
rhvm-4.4.3.8-0.1.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX70HvdzjgjWX9erEAQjCLA//a317mM4YG3b2NthOYrawJOiY8u4jPw5B
fkOi7cTYkgrN1DeXJdUxfrZztt+QPix3ehqZhxromwCUi4cdh0jvlliMWQbzgGcW
vIybXzMULIXGd1JbV18SAo+S04b2ggCprbkIZ+HAI3zDIpiZ2/1167kV0x4yFHma
WYzTz5j9M6ZLBA9h94vnhQPGfcDfaTFuCluAcNdLvm5aDiitriE/wLYEpueHtmKN
BZVNwfsJ9FI3WEKVf8w/BP134O+Qh7aioXudDWgO3olfUyZ6QAs0BDaerw/kqNP9
VZdVKTZDkx5y6ccOCpNztsn19S8//LzTXKtwBJpd/oYlfo34+/hm9dq0JOTDcJNd
xHbYHVMK6/8P0uJ1BtKlq4AX3B3Qw4ffFR0vLfWRLf7zNR2x0DNj5gdS7BWJsNjr
3qorwKjznM2rcXNfNx8uIDy2S1bIQgMAE8X22IUhDSeRenh2ZRrdgwUPZzvQkDll
eWTxL/ipWvjFhUBUUsQQGaUSmrKr8Q4pzYSH6jBEhES73yP4Sh8A/uXiwNoLV0PJ
2S3JPOC/5H159bGgRhZyE0PjS7jnRlO6SCCnuUUhgnlRJd/w9+LVEf8UG0P3B8us
TV25drHEEprcR48tgfiFKEzNuv7o9PJWUnckM4HXGQLktj1pdoTfBfcB5tLHOIAy
qoINkVG9ep0=
=Zkp/
-----END PGP SIGNATURE-----

-- 
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
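Section 4 of the advisory points at the update procedure and section 6 lists the fixed builds, but it does not say how to confirm a Manager is actually at those builds. Note that no nodejs-handlebars or nodejs-lodash RPM appears in section 6: the fixed JavaScript libraries ship inside the listed packages, so the thing to verify is the version of those packages. The script below is an added example, not a Red Hat tool and not part of this advisory. It takes `rpm -qa` output and reports every advisory package that is installed at an older name-version-release than the fixed one, comparing with a Python port of rpm's own rpmvercmp() rather than plain string comparison (which would rank 4.4.3.10 below 4.4.3.8). The fixed NVRs are copied from section 6; the list of "installed" packages is constructed sample data, not output from a real host; epoch is not compared because none of these packages carry one.

```python
# Added example, not a Red Hat tool: check an `rpm -qa` dump against the fixed NVRs
# of RHSA-2020:5179 with a port of rpm's rpmvercmp(). Epoch is ignored (none here).
import sys

# Fixed noarch packages copied from section 6 of the advisory, ".noarch.rpm" dropped.
FIXED_NVRS = """
engine-db-query-1.6.2-1.el8ev ovirt-engine-4.4.3.8-0.1.el8ev
ovirt-engine-backend-4.4.3.8-0.1.el8ev ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev
ovirt-engine-dwh-4.4.3.1-1.el8ev ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev
ovirt-engine-dwh-setup-4.4.3.1-1.el8ev ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev
ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev
ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev ovirt-engine-metrics-1.4.2.1-1.el8ev
ovirt-engine-restapi-4.4.3.8-0.1.el8ev ovirt-engine-setup-4.4.3.8-0.1.el8ev
ovirt-engine-setup-base-4.4.3.8-0.1.el8ev ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev
ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev
ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev ovirt-engine-tools-4.4.3.8-0.1.el8ev
ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev ovirt-engine-ui-extensions-1.2.4-1.el8ev
ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev ovirt-log-collector-4.4.4-1.el8ev
ovirt-web-ui-1.6.5-1.el8ev python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev
rhv-log-collector-analyzer-1.0.5-1.el8ev rhvm-4.4.3.8-0.1.el8ev rhvm-branding-rhv-4.4.6-1.el8ev
""".split()

# Constructed `rpm -qa` sample from a not-yet-updated Manager; not data from a real host.
SAMPLE_INSTALLED = """
ovirt-engine-4.4.2.6-0.2.el8ev.noarch ovirt-engine-webadmin-portal-4.4.2.6-0.2.el8ev.noarch
ovirt-web-ui-1.6.5-1.el8ev.noarch rhv-log-collector-analyzer-1.0.4-1.el8ev.noarch
bash-4.4.19-12.el8.x86_64
""".split()


def rpmvercmp(a, b):
    """-1/0/1 like rpm's rpmvercmp(): split on non-alphanumerics; digit runs compare
    numerically and beat letter runs; '~' sorts before anything (pre-release);
    '^' sorts after the bare version but before any further segment."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]  # "" once a string is exhausted
        if "~" in (ca, cb):
            if ca != cb:
                return 1 if cb == "~" else -1
        elif "^" in (ca, cb):
            if ca != cb:
                return -1 if not ca or (ca == "^" and cb) else 1
        elif not ca or not cb:  # at least one side ran out of segments
            return 0 if ca == cb else (-1 if not ca else 1)
        else:
            isnum = ca.isdigit()
            same = str.isdigit if isnum else str.isalpha
            ea, eb = i, j
            while ea < len(a) and same(a[ea]):
                ea += 1
            while eb < len(b) and same(b[eb]):
                eb += 1
            sa, sb = a[i:ea], b[j:eb]
            if not sb:  # one side numeric, the other alphabetic: numeric wins
                return 1 if isnum else -1
            if isnum:
                sa, sb = sa.lstrip("0"), sb.lstrip("0")
                if len(sa) != len(sb):
                    return 1 if len(sa) > len(sb) else -1
            if sa != sb:
                return 1 if sa > sb else -1
            i, j = ea, eb
            continue
        i, j = i + 1, j + 1  # both sides had the same '~' or '^'
    return 0


def split_nvr(pkg):
    """'name-version-release[.arch][.rpm]' -> (name, version, release)."""
    pkg = pkg[:-4] if pkg.endswith(".rpm") else pkg
    stem, _, arch = pkg.rpartition(".")
    if arch in ("noarch", "src", "x86_64", "aarch64", "ppc64le", "s390x", "i686"):
        pkg = stem
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def find_unpatched(installed, fixed=FIXED_NVRS):
    """name -> installed NVR for every advisory package present but older than the
    fixed build; packages that are not installed need no update and are skipped."""
    fixed_by_name = {split_nvr(f)[0]: split_nvr(f) for f in fixed}
    unpatched = {}
    for pkg in installed:
        name, ver, rel = split_nvr(pkg)
        if name in fixed_by_name:
            _, fver, frel = fixed_by_name[name]
            if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
                unpatched[name] = pkg
    return unpatched


if __name__ == "__main__":
    # Usage: rpm -qa | python3 check_rhsa_2020_5179.py   (uses the sample on a tty)
    pkgs = SAMPLE_INSTALLED if sys.stdin.isatty() else sys.stdin.read().split()
    missing = find_unpatched(pkgs)
    for name in sorted(missing):
        print("NOT FIXED:", missing[name])
    sys.exit(1 if missing else 0)
```

Run it on the Manager with `rpm -qa | python3 check_rhsa_2020_5179.py`; a non-zero exit means at least one advisory package is still below the fixed build. Because the comparison uses rpm's segment rules, a later rebuild such as 4.4.3.8-0.2.el8ev or a newer 4.4.x stream is correctly treated as fixed. The check covers only the Engine packages this advisory ships; RHV hosts are out of scope here.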