- Issued: 2020-09-30
- Updated: 2020-09-30
RHBA-2020:4112 - Bug Fix Advisory
Synopsis
Red Hat Virtualization Engine security, bug fix 4.3.11
Type/Severity
Bug Fix Advisory
Topic
An update is now available for Red Hat Virtualization Engine 4.3.
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The rhv-guest-tools-iso package contains tools and drivers that are required by supported Windows guest operating systems when installed as guests on Red Hat Virtualization.
Changes to the ovirt-engine component:
- Previously, importing an OVA as a Template using the ovirt-engine-sdk's uploading script failed with a null pointer exception because some storage-related values were not set correctly. The current release fixes this issue. It adds code that checks the storage values and, if needed, sets them using values from the image object. Now, importing the OVA this way succeeds. (BZ#1830762)
- With this enhancement, while deploying RHEL 7-based hosts, you can configure SPICE encryption so that:
  - Only TLSv1.2 and newer protocols are enabled
  - Available ciphers are limited as described in BZ1563271

  To apply this enhancement to existing hosts, an administrator puts each host into Maintenance mode, performs a Reinstall, and activates each host. For details, search for "Reinstalling Hosts" in the documentation. (BZ#1842522)
- Previously, after upgrading to 4.3 and updating the cluster, the virtual machine (VM) tab in the Administration Portal was extremely slow until you restarted the VMs. This issue happened because updating the page recalculated the list of changed fields for every VM on the VM list page (read from the snapshot). The current release fixes this issue. It eliminates the previous performance impact by calculating the changed fields only once when the next run snapshot is created. (BZ#1845747)
- In previous versions, `engine-backup --mode=verify` passed even if `pg_restore` emitted errors. The current release fixes this issue. The `engine-backup --mode=verify` command correctly fails if `pg_restore` emits errors. (BZ#1848877)
- Previously, creating a live snapshot with memory while `LiveSnapshotPerformFreezeInEngine` was set to True resulted in a virtual machine file system that was frozen when previewing or committing the snapshot with memory restore. In this release, the virtual machine runs successfully after creating a preview snapshot from a memory snapshot. (BZ#1850920)
- Previously, exporting a virtual machine or template to an OVA file incorrectly set its format in the OVF metadata file to "RAW". This issue caused problems when using the OVA file. The current release fixes this issue. Exporting to OVA sets the format in the OVF metadata file to "COW", which represents the disk's actual format, qcow2. (BZ#1852314)
- Previously, while creating virtual machine snapshots, if the VDSM's command to freeze a virtual machine's file systems exceeded the snapshot command's 3-minute timeout period, creating snapshots failed, causing virtual machines and disks to lock.
  The current release adds two key-value pairs to the engine configuration. You can configure these using the `engine-config` tool:
  - Setting `LiveSnapshotPerformFreezeInEngine` to `true` enables the Manager to freeze VMs' file systems before it creates a snapshot of them.
  - Setting `LiveSnapshotAllowInconsistent` to `true` enables the Manager to continue creating snapshots if it fails to freeze VMs' file systems. (BZ#1842377)
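
The `engine-backup --mode=verify` item above (BZ#1848877) describes a verification step that failed open: the restore reported errors and the check still passed. The sketch below is an added example of that failure mode beside a fail-closed check, not code from engine-backup or from Red Hat; the `fake_restore_*` functions are constructed stand-ins for `pg_restore`, and the `verify_*` names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins for a restore tool. They imitate three outcomes and
# touch no database; the messages are constructed samples.
fake_restore_ok() { echo "restored 3 objects"; return 0; }
fake_restore_err() {
  echo "pg_restore: error: could not execute query (constructed)" >&2
  echo "pg_restore: warning: errors ignored on restore: 1 (constructed)" >&2
  return 1
}
# Exits 0 although it reported an error on stderr.
fake_restore_quiet_err() {
  echo "pg_restore: error: relation already exists (constructed)" >&2
  return 0
}

# Fail-open pattern: exit status and stderr are discarded, so verification
# "passes" whatever the restore did.
verify_fail_open() {
  "$@" >/dev/null 2>&1 || true
  return 0
}

# Fail-closed pattern: keep stderr, reject a non-zero exit status, and also
# reject any stderr line mentioning an error when the status is 0.
verify_fail_closed() {
  _errlog=$(mktemp) || return 2
  _rc=0
  "$@" >/dev/null 2>"$_errlog" || _rc=$?
  if [ "$_rc" -ne 0 ] || grep -Eqi 'error' "$_errlog"; then
    sed 's/^/verify: /' "$_errlog" >&2   # surface the reason to the operator
    rm -f "$_errlog"
    return 1
  fi
  rm -f "$_errlog"
  return 0
}

# Demonstration over the three constructed outcomes.
for cmd in fake_restore_ok fake_restore_err fake_restore_quiet_err; do
  if verify_fail_closed "$cmd" 2>/dev/null; then
    echo "$cmd: verify passed"
  else
    echo "$cmd: verify FAILED"
  fi
done
```

Matching on the word "error" is deliberately strict: a backup that cannot be shown to restore cleanly is treated as unverified.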
Changes to the rhv-guest-tools-iso component:
- Previously, installing guest agents for Windows guests from rhv-guest-tools-iso-4.3-12.el7ev using rhev-apt.exe failed because it could not verify a filename that exceeded Windows' 63-character limit. The current release fixes this issue. It renames the file with a shorter name, so the installation process works. (BZ#1850963)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization Manager 4.3 x86_64
Fixes
- BZ - 1789327 - rhev-apt cannot parse checksum on RHV guest tools ISO
- BZ - 1830762 - NPE on ImportVmTemplateFromConfigurationCommand when creating VM from ovf_data [4.3.z]
- BZ - 1835554 - Prevent 4.3 ovirt-engine from using ovirt-engine-ui-extensions >= 1.0.11
- BZ - 1837207 - Drop temporary tables on transaction end to prevent vacuuming issues when upgrading to RHV 4.4 [RHV clone - 4.3.11]
- BZ - 1837327 - validatedb.sh script fails to run psql
- BZ - 1842377 - Create Snapshot does not proceed beyond CreateVolume
- BZ - 1842457 - Updating attached VM disk cause many warnings Can't find relative path for class "org.ovirt.engine.api.resource.StorageDomainVmDiskAttachmentsResource", will return null
- BZ - 1842522 - Enable only TLSv1.2+ protocol for SPICE on EL7 hosts [RHV clone - 4.3.11]
- BZ - 1843471 - Update ansible channel for 4.3
- BZ - 1844971 - Add qemu-guest-agent for RHEL 8 to rhv-guest-tools-iso
- BZ - 1845152 - After SPM select the engine lost communication to all hosts until restarted [improved logging] [RHV clone - 4.3.11]
- BZ - 1845747 - After upgrading to 4.3 and updating cluster, VM tab is extremely slow, until VM's are restarted
- BZ - 1846245 - [Metrics] Rebase bug - for the 4.3.11
- BZ - 1847325 - Can't set usehttps to false when also not using elasticsearch certificates [RHV clone - 4.3.11]
- BZ - 1847412 - high cpu usage after entering wrong search pattern in RHVM [RHV clone - 4.3.11]
- BZ - 1848877 - engine-backup --mode=verify is broken [RHV clone - 4.3.11]
- BZ - 1849370 - External VM is created by the engine after creating template from snapshot
- BZ - 1850920 - Live snapshot made with freeze in the engine will cause the FS to be frozen [RHV clone - 4.3.11]
- BZ - 1850963 - Can't install guest agents for windows guest from rhv-guest-tools-iso-4.3-12.el7ev automatically via rhev-apt
- BZ - 1851921 - Disable activation of the host while Enroll certificate flow is still in progress [RHV clone - 4.3.11]
- BZ - 1852314 - Exporting an OVA file from a VM results in its ovf file having a format of RAW when the disk is COW [RHV clone - 4.3.11]
CVEs
(none)
References
(none)
Red Hat Virtualization Manager 4.3
SRPM
- ovirt-engine-4.3.11.3-0.1.el7.src.rpm
- ovirt-engine-metrics-1.3.8-1.el7ev.src.rpm
- ovirt-fast-forward-upgrade-1.0.2-1.el7ev.src.rpm
- rhv-guest-tools-iso-4.3-13.el7ev.src.rpm
x86_64
- ovirt-engine-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-backend-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-dbscripts-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-extensions-api-impl-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-extensions-api-impl-javadoc-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-health-check-bundler-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-metrics-1.3.8-1.el7ev.noarch.rpm
- ovirt-engine-restapi-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-base-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-plugin-cinderlib-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-plugin-ovirt-engine-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-plugin-ovirt-engine-common-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-setup-plugin-websocket-proxy-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-tools-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-tools-backup-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-vmconsole-proxy-helper-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-webadmin-portal-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-engine-websocket-proxy-4.3.11.3-0.1.el7.noarch.rpm
- ovirt-fast-forward-upgrade-1.0.2-1.el7ev.noarch.rpm
- python2-ovirt-engine-lib-4.3.11.3-0.1.el7.noarch.rpm
- rhv-guest-tools-iso-4.3-13.el7ev.noarch.rpm
- rhvm-4.3.11.3-0.1.el7.noarch.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.