=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update
Advisory ID:       RHSA-2022:0947-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0947
Issue date:        2022-03-16
CVE Names:         CVE-2021-29923 CVE-2021-33195 CVE-2021-33197
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
                   CVE-2021-44716 CVE-2021-44717 CVE-2022-24407
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.10.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 4.10.0 images:

RHEL-8-CNV-4.10
==============
kubevirt-velero-plugin-container-v4.10.0-8
virtio-win-container-v4.10.0-10
kubevirt-template-validator-container-v4.10.0-16
hostpath-csi-driver-container-v4.10.0-32
hostpath-provisioner-container-v4.10.0-32
hostpath-provisioner-operator-container-v4.10.0-62
cnv-must-gather-container-v4.10.0-110
virt-cdi-controller-container-v4.10.0-90
virt-cdi-apiserver-container-v4.10.0-90
virt-cdi-uploadserver-container-v4.10.0-90
virt-cdi-uploadproxy-container-v4.10.0-90
virt-cdi-operator-container-v4.10.0-90
virt-cdi-cloner-container-v4.10.0-90
virt-cdi-importer-container-v4.10.0-90
kubevirt-ssp-operator-container-v4.10.0-50
virt-api-container-v4.10.0-217
hyperconverged-cluster-webhook-container-v4.10.0-133
libguestfs-tools-container-v4.10.0-217
virt-handler-container-v4.10.0-217
virt-launcher-container-v4.10.0-217
virt-artifacts-server-container-v4.10.0-217
virt-controller-container-v4.10.0-217
node-maintenance-operator-container-v4.10.0-48
hyperconverged-cluster-operator-container-v4.10.0-133
virt-operator-container-v4.10.0-217
cnv-containernetworking-plugins-container-v4.10.0-49
kubemacpool-container-v4.10.0-49
bridge-marker-container-v4.10.0-49
ovs-cni-marker-container-v4.10.0-49
ovs-cni-plugin-container-v4.10.0-49
kubernetes-nmstate-handler-container-v4.10.0-49
cluster-network-addons-operator-container-v4.10.0-49
hco-bundle-registry-container-v4.10.0-696

Security Fix(es):

* golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
* golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
* golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1760028 - CPU compatibility is not checked when migrating host-model VMs
1855182 - [Storage] Clone could not be continued after virtctl stop the vm if the clone dv have been created for more than 3 minutes
1906151 - High CPU/Memory usage of Kube API server following a CNV installation
1918294 - VM created from template when OCS is default SC fails to start on "source volumeMode (Block) and target volumeMode (Filesystem) do not match"
1935217 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Storage
1945586 - CPU pinning is incorrect after live migration
1958085 - No option to deploy the templates to a non-shared (non default) namespace
1959039 - must-gather doesn't collect iptables info of CNV VM anymore
1975978 - canary-release-openshift-origin-installer-e2e-aws-4.7-cnv is permfailing
1983079 - No "permittedHostDevices" section in HCO CR, allows any hostdevice in the VM spec.
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1986970 - Node outages can lead to (legitimate) mass restarts of VMs which can block our controller
1987009 - [tracker] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990061 - [virt] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992231 - hostpath-provisioner Pods are not created
1993454 - Improve ImageIO import performance
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
1997540 - Missing kcs: OpenShift Virtualization limits
1998300 - CNV VMs do not contain the cluster domain name in the FQDN
1999110 - 4.10.0 containers
1999636 - 4.10.0 rpms
2000480 - Using deprecated 1.25 API calls
2001984 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a PVC
2001987 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a DV
2002272 - Unable to LiveMigrate a VM with nonroot VirtLauncher Pod
2003704 - Switch live migration to use unix sockets
2007397 - Unexpected killing of virt-launcher pod, can result in loss of data for hotplugged volumes
2008140 - [4.10.0] CNV fails to deploy due to unavailable SSP virt-template-validator
2008411 - [4.10.0] SSP operator creates kubevirt-os-images instead of openshift-virtualization-os-images namespace
2008938 - missing spec.priorityClassName for pod hyperconverged-cluster-cli-download
2008949 - Multiple storage pods are missing spec.priorityClassName
2008975 - v4.10.0-142 CNV contains outdated ssp-operator and virt-template-validator
2010540 - HCO.status.relatedObjects are not getting updated with correct resourceVersion of reconciled resources
2010908 - [MTV] VM remains in printableStatus: Provisioning in cold migration
2012920 - nncp in progressing state forever when cluster is having Windows node
2013160 - Create an offline VM with storageClass HPP is always in 'Provisioning' status
2013455 - Guest agent reports unreliable status when mac address is changed
2015327 - hostpath-provisioner pods do not have any resources.requests values set up
2017255 - Migration of VM doesn't clean up the target pod in time in case of failed migration
2018457 - Windows high performance templates should use virtio storage
2018925 - Metric kubevirt_vmi_memory_used_total_bytes is not reporting correct value
2018970 - RHEL9 alpha template - support level is "Full"
2019053 - DV with immediate bind remains in WaitForFirstConsumer
2021992 - [cnv-4.10.0] After upgrade, live migration is Pending
2025295 - Windows VMs fail to start on air-gapped environments for non-admin users
2025750 - must-gather | nft files are not collected for nodes
2025878 - The import cron pod is not deleted after delete the dataimportcron if the import is failed
2026336 - [SNO] We see multiple replicas of virt-api, virt-controller and virt-operator.
2026363 - kubemacpool is rotating kubernetes-nmstate certificates
2026665 - Unable to ssh to a VM when running with Service Mesh
2026667 - Alerts: SSPDown and SSPTemplateValidatorDown are constantly in Firing state
2027420 - [SNO] SR-IOV operator fails to install after CNV is installed
2027922 - Typo on LowKVMNodesCount summary
2029343 - High performance VM fail to start on libvirt error (kvm-hint-dedicated)
2029767 - Enactment goes to pending even when maxunavailable is set to 100% in nncp
2030660 - ImageStream rhel8-guest and rhel9-guest are managed by HCO but they are not getting reconciled
2030686 - must-gather | missing SRIOV namespace subdir under collected dir
2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2031033 - VM migration from VMware fail on missing v2v-vmware ConfigMap in OCP-4.10/CNV-4.10
2031688 - hostpath-provisioner-operator deployment is referencing upstream images
2031727 - [CNV-4.10] kubemacpool & nmstate pods stuck in pending state
2031919 - [SNO] we cannot cleanly remove the product on SNO due to kubevirt apiservices leftovers
2032045 - When alert VirtControllerRESTErrorsHigh triggered it keeps in Firing state for hours (even when there are no failed api calls anymore)
2032845 - SSP CR | reason field's value in SSP CR status.conditions is not CamelCased
2032873 - [4.9] Windows VMs fail to start on air-gapped environments for non-admin users
2032876 - [4.8] Windows VMs fail to start on air-gapped environments for non-admin users
2033240 - Templates golden image parameters names should be updated
2033252 - nncp changing its status between "ConfigurationProgressing" to "SuccessfullyConfigured" every few minutes
2034544 - disk.img file is resized up for HPP and NFS storage classes
2035008 - Auto-update boot sources: CDI tries to import even when a PVC already exists; dataSources are not updated
2035324 - Trying to uninstall CNV with `uninstallStrategy: RemoveWorkloads` and existing workloads leaves the system in a corrupted state
2035658 - NMPolicy can't replace strings using captures, making teardown not possible
2035677 - Windows10 VM with CDROM migration fails
2036220 - Recommended disk image url is outdated in Fedora 33+ template description
2036483 - HCO Enablement | reconciliation error adding a custom cron template
2036605 - Auto-update boot sources: DataSource Ready status is not updated if there's no DataImportCron associated with it
2037270 - Auto-update boot sources: CentOs and Fedora DVs fail to import due to docker references
2037290 - Dataimportcron keeps re-creating when enable the feature gate
2037312 - CNV occasionally cannot be removed due to leftovers dataImportCrons
2037421 - SSP default log level should be set to "info"
2038679 - Clone with volume mode file system using Storage API fails
2038825 - Ubuntu, centos6 and opensuse templates should be removed from common templates bundle in downstream
2038831 - SAP HANA template should not contain evictionStrategy: LiveMigrate
2038985 - No feedback when HPP path is sharing host filesystem
2039196 - DataImportCron with imagestream source does not support image tags
2039208 - Recording Rule "kubevirt_vm_container_free_memory_bytes" is not working
2039489 - KubePersistentVolumeFillingUp Firing for VM disk Filesystem PVCs
2039683 - HANA Template - remove default values for network names
2039686 - SAP HANA template - container disk registry should be updated
2039691 - SAP HANA template - set node label instead of node for node selection
2040113 - The component value of virt-operator label is different with other virt components
2040115 - Labels "part-of" and "version" in virt components are missing
2041519 - Custom DataImportCron with the same name as CNV-provided DataImportCron can be added via HCO overwriting configuration
2041530 - HPP CSI CR can't be deleted if it's a combination of a basic storage pool, and a pvcTemplate
2042139 - HPP-operator reconciling CSI even if nothing is happening
2042799 - All existing templates are marked as deprecated after CNV upgrade
2042842 - SAP HANA template - SR-IOV NICs should not specify model virtio
2042856 - Getting 'jq' error while running 'must-gather' command.
2042880 - 'yq' command is missing in downstream must-gather image.
2042908 - hotplugs not included in VMSnapshot
2044348 - VM with ocs-storagecluster-cephfs sc keeps in CrashLoopBackOff
2044398 - SSP should not update DataSource managed by DataImportCron
2046271 - virt-cdi-importer fails to import a VM image when clusterwide proxy configured
2048227 - Common templates - DATA_SOURCE_NAMESPACE value should be updated in d/s
2048275 - HPP mounter deployment crashes on parsing lsblk output
2051105 - DataSources, managed by DataImportCron, are not reconciled when edited
2051693 - DataSource (which has a golden image and was opted-in/out using cdi label) will be reconciled and will not actually be opted out
2051968 - virt-freezer binary missing from downstream virt-launcher
2052489 - KubevirtVmHighMemoryUsage is based on limit not request
2053027 - nmpolicy cannot clone IP config of the default NIC carrying static IPv6
2058167 - Post deploy on a baremetal cluster SSP is looping attempting to reconcile

5. References:

https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.