RHBA-2014:1712 - Bug Fix Advisory

Topic

Red Hat Enterprise Virtualization Manager 3.4.3 is now available.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

It was discovered that, when loading XML/RSDL documents, the oVirt Engine
back end module used an insecure DocumentBuilderFactory. A remote,
authenticated attacker could use this flaw to read files accessible to the
user running the ovirt-engine server, and potentially perform other more
advanced XML External Entity (XXE) attacks. (CVE-2014-3573)

This issue was discovered by Arun Babu Neelicattu of Red Hat Product
Security.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Description

Changes to the ovirt-engine-backend component:

• When creating VM pools, the balloon device could not be properly disabled and

an error returned. With this bug fix, the balloon device can be
successfullyndisabled.(BZ#1151822)

• When creating a VM with ppc64 architecture, the Memory Balloon Device Enabled

check box was enabled even though it is not supported. This caused VM creation
to fail. Now, the check box does not appear when ppc64 is selected, and no
balloon request is sent.(BZ#1135939)

• Network labels can now be added to networks that are being used by running

VMs.(BZ#1142203)

• A custom vnic_id was not passed to VDSM when starting a VM attached to a

Neutron network which uses OVS caused the VM to fail to start. Now, custom
properties are passed to VDSM properly, and the VM will start.(BZ#1136031)

• The job and step tables were not cleaned after the failure or completion of

tasks and caused some tasks marked as still running. Periodic job deletion has
now been updated so jobs causing database errors will be correctly
cleared.(BZ#1099505)

• Addressing two virtual CD drives at the same time in the sPAPR VSCSI

controller was not supported. Now, payload for CD-ROMs in ppc64 VMs is
addressed.(BZ#1138753)

• Alerts regarding HA reservation are now correctly updated in the Admin Portal

so when additional hosts are added and a cluster is designated as safe for HA in
the logs, the status is reflected in the Admin Portal.(BZ#1128462)

• When running a sealed Windows 7, 8, 2008, or 2012 VM with sysprep floppy

attached, values were written into the sysprep file as plain-text and created a
syntactically incorrect sysprep file. Now, all variables in XML sysprep template
files are placed into CDATA section so all characters are displayed
correctly.(BZ#1135920)

• It is no longer possible to remove VMs that are in states other than

'down'.(BZ#1136010)

• Removing a VM with a memory snapshot now correctly removes the memory snapshot

and OVF volumes when 'Wipe after delete' is selected. (BZ#1147909)

• Support for Power8 cpu type has been updated for RHEV 3.4 and 3.5

clusters.(BZ#1131021)

• Executing multiple template.delete and vm.delete commands created a race

condition that filled an empty template id with the Blank template and removed
it from the environment. Now, an empty template id will prompt the engine to
search for and include the appropriate template id so the Blank template is not
removed.(BZ#1130887)

Changes to the ovirt-engine-notification-service component:

• Added sysUpTime variable binding in accordance with rfc1905 4.2.6.

(BZ#1142418)

Changes to the ovirt-engine-restapi component:

• Resizing VM pools using the REST API for VMs with ppc64 architecture is

supported.(BZ#1151410)

• This update adds a vms sub-collection under affinity group collections in the

REST API and Python and Java software development kits, making it possible to
retrieve information about the VMs in an affinity group.(BZ#1128461)

Changes to the ovirt-engine-setup component:

• Default storage type: (NFS, FC, ISCSI, POSIXFS, GLUSTERFS) [NFS] in

rhevm-setup has been removed from rhevm-setup to make the process more
user-friendly.(BZ#1138249)

• Automatic provisioning ignored the database password in the answer file and

resulted in database connection failure. Now, engine-setup reads the database
credentials from the answer file and connects successfully.(BZ#1139211)

Changes to the ovirt-engine-userportal component:

• Long page load times caused SPICE ActiveX downloads to fail. Now, ActiveX

upgrades install successfully.(BZ#1147609)

Changes to the ovirt-engine-webadmin-portal component:

• The USB Support select box of the Console Tab in the Edit Virtual Machine

window always showed the Disabled choice, even after a different choice was
chosen and saved successfully. Now, the select box shows the saved choice
correctly.(BZ#1147827)

• Firefox 31 is now a supported browser for accessing the Admin Portal and User

Portal.(BZ#1145779)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 3.4 x86_64

Fixes

• BZ - 1099505 - Job and step tables not cleaned after the failure or completion of some tasks.
• BZ - 1128461 - No link to VMs sub-collections under affinitygroups
• BZ - 1128462 - Alerts on HA reservation not updated properly
• BZ - 1130887 - Executing multiple "template.delete" commands in parallel to "vm.delete" commands, creates a race condition which cause the Blank template to be removed from Data Center
• BZ - 1131021 - update supported PPC cpu to power8
• BZ - 1131856 - Failed to remove host xxxxxxxx
• BZ - 1135920 - [Windows sysprep] Run Once: Special characters are not encoded in XML sysprep files for Windows 7, 8, 2008, 2012
• BZ - 1135939 - balloon is sent for PPC VMs
• BZ - 1136010 - RHEVM Backend : VM can be removed while in other state than down, like migrating and powering off
• BZ - 1138753 - Engine allows starting pool VM after its disk was deleted
• BZ - 1139211 - Automatic provisioning ignores db password supplied in answer file
• BZ - 1142203 - [Network label] RHEV does not allow adding label for a network being used by VMs
• BZ - 1142418 - SNMP trap notification has missing sysUptime field
• BZ - 1145779 - Add Firefox 31 to supported browsers (replacing FF17)
• BZ - 1147609 - SPICE ActiveX download fails if user performs upgrade from 3.3.0 to 3.3.1
• BZ - 1147827 - USB Support select box always shows "Disabled" choice.
• BZ - 1147909 - memory snapshots are not deleted when removing a VM with wipe-after-delete enabled
• BZ - 1151410 - [PPC] VMPool size update not working via REST
• BZ - 1151822 - Cannot create pool of ppc64 VMs

CVEs

(none)

References

(none)