-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Virtualization 4.10.5 Images security and bug fix update Advisory ID: RHSA-2022:6351-01 Product: cnv Advisory URL: https://access.redhat.com/errata/RHSA-2022:6351 Issue date: 2022-09-06 CVE Names: CVE-2022-1798 CVE-2022-1996 ===================================================================== 1. Summary: Red Hat OpenShift Virtualization release 4.10.5 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.10.5 images: RHEL-8-CNV-4.10 =============== cluster-network-addons-operator-container-v4.10.5-1 kubemacpool-container-v4.10.5-1 virt-cdi-importer-container-v4.10.5-1 hyperconverged-cluster-operator-container-v4.10.5-1 hostpath-provisioner-operator-container-v4.10.5-1 virtio-win-container-v4.10.5-1 virt-cdi-cloner-container-v4.10.5-1 kubevirt-ssp-operator-container-v4.10.5-1 cnv-containernetworking-plugins-container-v4.10.5-1 hyperconverged-cluster-webhook-container-v4.10.5-1 virt-cdi-apiserver-container-v4.10.5-1 ovs-cni-plugin-container-v4.10.5-1 virt-cdi-uploadserver-container-v4.10.5-1 virt-cdi-uploadproxy-container-v4.10.5-1 virt-cdi-controller-container-v4.10.5-1 kubevirt-template-validator-container-v4.10.5-1 virt-cdi-operator-container-v4.10.5-1 hostpath-provisioner-container-v4.10.5-1 hostpath-csi-driver-container-v4.10.5-1 kubernetes-nmstate-handler-container-v4.10.5-1 ovs-cni-marker-container-v4.10.5-1 bridge-marker-container-v4.10.5-1 node-maintenance-operator-container-v4.10.5-1 cnv-must-gather-container-v4.10.5-2 virt-controller-container-v4.10.5-3 virt-api-container-v4.10.5-3 virt-handler-container-v4.10.5-3 virt-operator-container-v4.10.5-3 virt-artifacts-server-container-v4.10.5-3 virt-launcher-container-v4.10.5-3 libguestfs-tools-container-v4.10.5-3 hco-bundle-registry-container-v4.10.5-6 Security Fix(es): * kubeVirt: Arbitrary file read on the host from KubeVirt VMs (CVE-2022-1798) * go-restful: Authorization Bypass Through User-Controlled Key (CVE-2022-1996) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2070366 - VM Snapshot Restore hangs indefinitely when backed by a snapshotclass 2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key 2099324 - We cant migrate to newer target node and than return to the source node when using host-model cpu 2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs 2118367 - KubeVirtComponentExceedsRequestedMemory Prometheus Rule is Failing to Evaluate 2120061 - 4.10.5 containers 5. References: https://access.redhat.com/security/cve/CVE-2022-1798 https://access.redhat.com/security/cve/CVE-2022-1996 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYxd1JdzjgjWX9erEAQj97hAAgwJ2vCBCAhelFZkdRXR6LgHjsimXwSiO WzTR8EKltYUkBet4aEUCyF3+pYx65pedqJSwW/f6XKSo2QU9IS0Teyth6JNYKiBK 9yB8WKreebkNXE/qBRr101bgDPTkI4r9yCuCb9oMLtM20ds2/+29j0ZVyr9I3V/F L3+HfV4j0YQk9kcTHg/Q9solVJXiAS8MEsLbPGo9XJimn8zAFZLUx7viv1a2w8Sv UjutBE4TnCFpJWQAb8ldVvnhTdHsZh48MmzxeevH4RIwcTuxM6kIYswL0E3ur5Ni PH680O7CY8Y/5F68ri9oOl4k+6IJU+QJkGSma+IBdob2VedWoEDsDd95x0T4Hmm8 O8iOYqjtsY2MINPFsGbOxDT/Xia9e6OERyKoaDj/sM6EDx8CSn92NFAOgnrJodoE a+ak1k9irZwu1M6kdgwphghY3IBd99hkNiMk2+JgLnyXhsHQrxwI6RDJFkQ2rgmy THJ+JNHPd6F6b21ZXvzWWY6JoA9RU0mnRlvxODZ1Xn9Lp8on6Z57YDOVl95H9KYi JZ/YGY3qstpn8yV3LDvKTpbCLSzO1dEaRWXxp4JnEQMLWZsvn43RHoPp1kGEqekT O9eRv6iDrBk7fdNAxhkm+xWghXDng8ZchW2Fm4Hc954VJNs0CaFGDuEfuuhuwhvX FfF6Y/UGAEs= =LgqY -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce