-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update Advisory ID: RHSA-2021:4104-01 Product: cnv Advisory URL: https://access.redhat.com/errata/RHSA-2021:4104 Issue date: 2021-11-02 CVE Names: CVE-2020-25648 CVE-2021-3121 CVE-2021-3653 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-31525 CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 CVE-2021-36222 CVE-2021-37750 ===================================================================== 1. Summary: Red Hat OpenShift Virtualization release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.9.0 images: RHEL-8-CNV-4.9 ============== kubevirt-v2v-conversion-container-v4.9.0-9 vm-import-controller-container-v4.9.0-15 cnv-containernetworking-plugins-container-v4.9.0-15 kubemacpool-container-v4.9.0-18 virtio-win-container-v4.9.0-8 vm-import-operator-container-v4.9.0-15 kubevirt-vmware-container-v4.9.0-8 kubevirt-template-validator-container-v4.9.0-14 cluster-network-addons-operator-container-v4.9.0-26 kubernetes-nmstate-handler-container-v4.9.0-25 node-maintenance-operator-container-v4.9.0-13 hostpath-provisioner-container-v4.9.0-6 bridge-marker-container-v4.9.0-13 kubevirt-ssp-operator-container-v4.9.0-28 ovs-cni-marker-container-v4.9.0-16 ovs-cni-plugin-container-v4.9.0-16 vm-import-virtv2v-container-v4.9.0-15 virt-cdi-apiserver-container-v4.9.0-35 virt-cdi-cloner-container-v4.9.0-35 virt-cdi-uploadproxy-container-v4.9.0-35 virt-cdi-controller-container-v4.9.0-35 hostpath-provisioner-operator-container-v4.9.0-15 virt-cdi-importer-container-v4.9.0-35 virt-cdi-uploadserver-container-v4.9.0-35 virt-cdi-operator-container-v4.9.0-35 virt-launcher-container-v4.9.0-58 virt-api-container-v4.9.0-58 virt-handler-container-v4.9.0-58 virt-operator-container-v4.9.0-58 virt-controller-container-v4.9.0-58 virt-artifacts-server-container-v4.9.0-58 libguestfs-tools-container-v4.9.0-58 cnv-must-gather-container-v4.9.0-54 hyperconverged-cluster-operator-container-v4.9.0-57 hyperconverged-cluster-webhook-container-v4.9.0-57 hco-bundle-registry-container-v4.9.0-249 Security Fix(es): * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1858777 - Alert for VM with 'evictionStrategy: LiveMigrate' for local PVs set 1891921 - virt-launcher is missing /usr/share/zoneinfo directory, making it impossible to set clock offset of timezone type for the guest RTC 1896469 - In cluster with OVN Kubernetes networking - a node doesn't recover when configuring linux-bridge over its default NIC 1903687 - [scale] 1K DV creation failed 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1933043 - Delete VM just after it turns into "running" is very likely to hit grace period end 1935219 - [CNV-2.5] Set memory and CPU request on hco-operator and hco-webhook deployments 1942726 - test automatic bug creation for a new release 1943164 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed 1945589 - Live migration with virtiofs is possible 1953481 - New OCP priority classes are not used - Deploy 1953483 - New OCP priority classes are not used - SSP 1953484 - New OCP priority classes are not used - Storage 1955129 - Failed to bindmount hotplug-disk for hostpath-provisioner 1957852 - Could not start VM as restore snapshot was still not Complete 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1963963 - hco.kubevirt.io:config-reader role and rolebinding are not strictly reconciled 1965050 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount 1973852 - Introduce VM crashloop backoff 1976604 - [CNV-5786] IP connectivity is lost after migration (masquerade) 1976730 - Disk is not usable due to incorrect size for proper alignment 1979631 - virt-chroot: container disk validation crash prevents VMI from starting/migrating 1979659 - 4.9.0 containers 1981345 - 4.9.0 rpms 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1985083 - VMI Pod fails to terminate due to a zombie qemu process 1985649 - virt-handler Pod is missing xorrisofs command 1985670 - virt-launcher fails to create v1 controller cpu for group: Read-only file system 1985719 - Unprivileged client fails to get guest agent data 1989176 - kube-cni-linux-bridge-plugin Pod is missing bridge CNI plugin 1989263 - VM Snapshot may freeze guest indefinitely 1989269 - Online VM Snapshot storing incorrect VM spec 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1991691 - Enable DownwardMetrics FeatureGate via HCO CR 1992608 - kubevirt doesn't respect useEmulation: true 1993121 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/ 1994389 - Some of the cdi resources missing app labels 1995295 - SCC annotation of ssp-operator was changed to privileged 1996407 - [cdi-functional-tests] cdi-docker-registry-host Pod fails to start 1997014 - Common templates - dataVolumeTemplates API version should be updated 1998054 - RHEL9 template - update template description. 1998656 - no "name" label in ssp-operator pod 1999571 - NFS clone not progressing when clone sizes mismatch (target > source) 1999617 - Unable to create a VM with nonroot VirtLauncher Pods 1999835 - ConsoleCLIDownload | wrong path in virtctl archive URL 2000052 - NNCP creation failures after nmstate-handler pod deletion 2000204 - [4.9.0] [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots 2001041 - [4.9.0] Importer attempts to shrink an image in certain situations 2001047 - Automatic size detection may not request a PVC that is large enough for an import 2003473 - Failed to Migrate Windows VM with CDROM (readonly) 2005695 - With descheduler during multiple VMIs migrations, some VMs are restarted 2006418 - Clone Strategy does not work as described 2008900 - Eviction of not live migratable VMs due to virt-launcher upgrade can happen outside the upgrade window 2010742 - [CNV-4.9] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13 2011179 - Cluster-wide live migration limits and timeouts are not suitable 2017394 - After upgrade, live migration is Pending 2018521 - [Storage] Failed to restore VirtualMachineSnapshot after CNV upgrade 5. References: https://access.redhat.com/security/cve/CVE-2020-25648 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3653 https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYFgvtzjgjWX9erEAQgTew//UB8+PewiM/dIYqf+illw9SSDTPEm3XQs F0t0Zj3AbQBYoRPwexustd3jcxYQmJnwtl2VAv5pZXGf5iLCVAHg89ZLc6BzadxW NJO+YLsXAzkYPLfn32XKySFaX3kS1OoE5RJUF5Sbr76IV7qAQFgWz24xuBCpqkaj sNi8gBU/Z3ZnJIBhqAneoPlbob21ChCdyYNCHKcuewgH62iIVjhCVuxvLsCQANhL DjCynb29sX/w4CKM5bW8188Z31aFf+5QRswIcg0VLTbbhsix9t/96akYJnrD3mpw lY5jSX++m6HiihWwYHic3JSwX+VCew33PgDsDGd62wblOYg/Am8WZMAHccAHrXQ3 EaaeFdQ1pJBPuIDdar44dfgpFGLmOHfa5kLfPaiW+Lew28xgv2lsPDGd0zjdOY+l H36kJhNDsUy0ZdOPMgTgvMfhDXH3EJLsOL0kLRHpFVvbftYl1cQ7ovc3UUdpoylv XoS+a1nVtVXJDh5Fcc/3SHEFkaIjCkzdLDZrH5ERot3g/SoMwpjG+EiNaivCK228 SOtRVyP1m+CwpGDKkDvJ9aozEBTRmbYy55g3s2hwRdLmsTbnvzgu4oSowhKp6Z7b SSakzzqMAznVOUScnJM6IBOKo75RHvPe9n1RasJl45MK5fKh9Q2p7E/V4F5aJxJE OMZGh3VNA54= =p11j -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce