Red Hat Product Errata RHSA-2014:0506 - Security Advisory
Issued: 2014-06-09
Updated: 2014-06-09

Synopsis

Moderate: Red Hat Enterprise Virtualization Manager 3.4.0 update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat Enterprise Virtualization Manager 3.4 is now available.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

It was found that the oVirt web admin interface did not generate a new
session ID after authenticating a user. A remote attacker could use this
flaw to perform session fixation attacks. (CVE-2014-0152)
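
The session-handling defect described above can be checked with a small model. This is an added example, not code from oVirt or Red Hat: the in-memory SessionStore class, its regenerate_on_login switch and the pre_auth_id_survives_login check are hypothetical names, and the user name is constructed sample data.

```python
import secrets


class SessionStore:
    """Minimal in-memory server-side session table (constructed for illustration)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session ID -> {"user": name or None}

    def new_session(self):
        """Issue an anonymous session, as a server does on the first request."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password_ok):
        """Authenticate the holder of `sid`; return the ID that is valid from now on."""
        if not password_ok or sid not in self._sessions:
            return None
        if self.regenerate_on_login:
            # Hardened behaviour: retire the pre-authentication ID and bind
            # the authenticated user to a freshly generated one.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
        # Flawed behaviour (regenerate_on_login=False): the same ID is
        # simply promoted from anonymous to authenticated.
        self._sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid):
        """Return the user bound to `sid`, or None if the ID is unknown or anonymous."""
        return self._sessions.get(sid, {}).get("user")


def pre_auth_id_survives_login(store):
    """True if an ID issued before login still identifies the user afterwards."""
    pre_auth_sid = store.new_session()
    post_auth_sid = store.login(pre_auth_sid, "admin", password_ok=True)
    # The legitimate user is logged in under the returned ID in both modes.
    assert store.whoami(post_auth_sid) == "admin"
    return store.whoami(pre_auth_sid) == "admin"


if __name__ == "__main__":
    print("no regeneration:", pre_auth_id_survives_login(SessionStore(False)))
    print("regeneration:   ", pre_auth_id_survives_login(SessionStore(True)))
```

The same check works as a regression test against a real login endpoint: record the session identifier before authenticating and confirm the server no longer accepts it afterwards.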

It was found that the oVirt web admin interface stored session IDs in HTML5
local storage. A remote attacker could provide a specially crafted web page
that, when visited by a user with a valid REST API session, would allow the
attacker to read the session ID from local storage. This is possible
because HTML5 local storage is not protected by the same-origin policy
(SOP). (CVE-2014-0153)

These updated Red Hat Enterprise Virtualization Manager packages also
include numerous bug fixes and various enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Virtualization 3.4 Technical Notes, linked to in the
References, for information on the most significant of these changes.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

  • Red Hat Virtualization 3.4 x86_64

Fixes

  • BZ - 741111 - PRD34 - [RFE] [REST-API]: add /networks sub-collection under /datacenters/xxx
  • BZ - 818051 - PRD34 - [RFE] Webadmin's layout is broken when not enough display real-estate [main-tab clutter, sub-tab clutter, buttons-panel clutter]
  • BZ - 828080 - PRD34 - [RFE] Please allow to search in a case-insensitive manner from the search bar
  • BZ - 856272 - PRD34 -[RFE] Adding Disk to a VM which is not down adds a Disk that is not activated
  • BZ - 858166 - PRD34 - [RFE] webadmin - centralized refreshing logic
  • BZ - 867794 - [RFE] print usage information to error page when API user calls POST action incorrectly
  • BZ - 877747 - [RFE] engine: extend domain reported as failed in engine but succeeds in vdsm
  • BZ - 948653 - PRD34 - [RFE] Change "Guide" link to Power User Portal Guide
  • BZ - 953492 - engine: cannot remove template due to failure in commands performed on vm's which are based on template (template is marked as shared)
  • BZ - 955429 - displayNetwork must have an IP address on host
  • BZ - 957939 - PRD34 - [RFE] When changing the cluster and data centre compatibility versions, it should be clearly stated that changing from version 3.0 makes the data domains incompatible with RHEV 3,0 and roll back will not be possible.
  • BZ - 962180 - engine: host stuck on Unassigned when moving from status Maintenance when storage is not availble from the host
  • BZ - 969641 - PRD34 - [RFE] Able to detach the ISO domain from the DataCenter though iso is attached and mounted in the VM
  • BZ - 970488 - PRD34 - [RFE] gluster - Async task support needed
  • BZ - 974076 - PRD34 - [RFE] spice proxy support at cluster/vm-pool granularity
  • BZ - 977461 - PRD34 - [RFE] Even Distribution Policy by number of VMs
  • BZ - 981420 - A running zombie task is not removed leading to it being repolled after engine restart and spamming engine.log.
  • BZ - 983088 - New VMs use display network ports outside of documented 5634 to 6166 range
  • BZ - 999713 - PRD34 - [RFE] Need to reclaim horizontal real estate by collapsing the tree panel
  • BZ - 1015185 - PRD34 - [RFE] Addition of os disk indicator on VM import screen
  • BZ - 1016844 - [RFE] Diplay client IP in the VM Sessions tab
  • BZ - 1018847 - PRD34 - [RFE] Storage domain maintenance mode confirmation
  • BZ - 1020408 - PRD34 - [RFE] CFME would like to have RHEV emit events for Remote Console Connect
  • BZ - 1025295 - Webadmin - Events - Search box: filtering events by time shows bogus results
  • BZ - 1026389 - Duplicated login events
  • BZ - 1026842 - don't spawn pop-up for .vv file download in User Portal (because it can't open multiple consoles at one click anyway)
  • BZ - 1026857 - PRD34 - [RFE] High Availability flag should be included when exporting/importing from Export Domain
  • BZ - 1026868 - Direct LUN is not being updated after resizing
  • BZ - 1026980 - [RFE] Allow users to cluster level enable/disable KSM
  • BZ - 1027697 - PRD34 - [RFE] Make reservations for HA VMs to make sure there's enough capacity to start them if N hosts fail
  • BZ - 1029441 - PRD34 - [RFE]: Fix Control-Alt-Delete functionality in console options
  • BZ - 1030122 - Virtual machine name missing from Templates and Pool Virtual machine tabs on narrow displays
  • BZ - 1032679 - PRD34 - [RFE] Single Disk Snapshots
  • BZ - 1036885 - CreateVDSCommand Logging message does not report NIC devices
  • BZ - 1038980 - PRD34 - [RFE] Add 'warnings' to Relocate VM disk "Move" and "Deactivate" actions
  • BZ - 1044089 - Allow manual fence in connecting state
  • BZ - 1044091 - In the event of a full host power outage (including fence devices) a user must wait 19 mins (3 x 3 minute timeouts + 10 minutes for the transaction reaper) until they can manually fence a host to relocate guests.
  • BZ - 1045139 - In the event of a full host power outage (including fence devices) VDS_ALERT_FENCE_STATUS_VERIFICATION_FAILED alert remains in audit log
  • BZ - 1046625 - PRD34 - [RFE] Add drac7 fence agent with ipmilan as implemintation
  • BZ - 1047629 - VMs migration fail though migration is possible.
  • BZ - 1048356 - Source cluster and dc does not show up in Power Management tab while editing a previous added host [pm_proxy_preferences]
  • BZ - 1049080 - VM update REST API call returns success instead of error on a wrongly formed xml
  • BZ - 1049272 - [engine] Editing running vm that has virtio-scsi disabled always fails
  • BZ - 1049627 - RHEV 3.2 API changing IP on hypervisor bond sub-int reqs re-passing bond opts
  • BZ - 1051297 - setupNetworks: nic with dhcp cannot be bonded
  • BZ - 1052024 - After a power outage two VMs marked as HA failed to start automatically, they were required to be started manually.
  • BZ - 1052151 - Bookmarks do not work when the selected tree-node in the System tree is not "System"
  • BZ - 1052231 - It is not possible to create a NFS storage domain for NFSv4
  • BZ - 1052318 - PRD34 - [RFE] Allow shared domain of multiple types in a single Data Center
  • BZ - 1053890 - PRD34 - [RFE] Update storage domain's LUNs sizes in DB after lun resize
  • BZ - 1054410 - FullListVdsCommand log message appears wrong with java class ref
  • BZ - 1055710 - 'list jobs' shows 'UNKNOWN' for target hosts when VMs are migrating
  • BZ - 1056064 - [SCALE] Events are being pulled from audit_log in a very inefficient way
  • BZ - 1056307 - RHEV 3.2 RHEV-M "Enforcing" typo in host reboot log message
  • BZ - 1056743 - Typo in Cluster Policy Tool Tip
  • BZ - 1056803 - Creating a new VM fails with MAC_POOL_NOT_INITIALIZED
  • BZ - 1057272 - PRD34 - [RFE] allow importing glance image as a template
  • BZ - 1057358 - If an inactive SD is off network, new hosts will not activate
  • BZ - 1057360 - PRD34 - [RFE] remove ppc architecture
  • BZ - 1057363 - PRD34 - [RFE][oVirt][network] Add subnet support for neutron based networks (IPAM)
  • BZ - 1057365 - PRD34 - [RFE] [oVirt][network] Allow deleting Neutron based network (in Neutron)
  • BZ - 1057367 - PRD34 - [RFE] ovirt-engine URI rework
  • BZ - 1057368 - PRD34 - [RFE] Refactor authentication framework in engine
  • BZ - 1057369 - PRD34 - [RFE] [oVirt][network] Add Security-Group support for Neutron based networks
  • BZ - 1057561 - [SCALE] Templates are being pulled from template view in a very inefficient way
  • BZ - 1057654 - Extend important limits to their hard limit
  • BZ - 1057988 - PRD34 - [RFE] Predictable vNIC order
  • BZ - 1057994 - PRD34 - [RFE] Make default VNC console mode configurable
  • BZ - 1057996 - PRD34 - [RFE] RunOnce dialog can not set a vnc keymap itself
  • BZ - 1057998 - PRD34 - [RFE] cloud-init options persistence / unification with sysprep options
  • BZ - 1059400 - Migrating VM to host with insufficient memory results in a 'host not found' error
  • BZ - 1060575 - [RFE] OVF descriptor file data via the REST API for the Active VM
  • BZ - 1060636 - Dialogue for attaching ISOs is not logically ordered
  • BZ - 1060705 - One display seen on a multi-monitor guest after rhev 3.0 to 3.2 migration
  • BZ - 1061634 - Hosts are not displayed for selected network
  • BZ - 1062438 - RHEV 3.3 adding new host causes error logging for an attempt to remove host
  • BZ - 1063432 - Physically disconnecting blade from chassis does not trigger HA VMs to restart
  • BZ - 1063782 - VMs do not appear in virtual machine tab if host is selected in side pane (data-center > cluster > host > )
  • BZ - 1064068 - PRD34 [RFE] engine: supporting move of raw+sparse from nfs to iscsi domains
  • BZ - 1064312 - Pool VMs are being pulled from template view in a very inefficient way
  • BZ - 1064393 - When creating new VM in advanced view "Start running on" is blank for the second cluster
  • BZ - 1064428 - Support dual mode of password escaping within pgpassfile
  • BZ - 1064880 - RHEV-M fails to detect 'AMD Opteron G5' as CPU_Type for hypervisors.
  • BZ - 1064907 - Listing templates takes noticeable amount of time, while listing many more VMs is prompt
  • BZ - 1066081 - Enable sync of LUNs after storage domain activation for FC
  • BZ - 1066103 - RHEVM user and admin portal logging attempt display
  • BZ - 1066693 - Every thirty minutes OnVdsDuringFailureTimer is shown in engine log
  • BZ - 1066884 - Please modify /sysprep file in /etc/ovirt-engine/sysprep folder.
  • BZ - 1067551 - engine-backup script is not taking the backup of rhevm-report.
  • BZ - 1068717 - [RHEV] ability on RHEV to notify the lack of required CPUs to start a VM
  • BZ - 1068763 - Ambiguous hint for setting up SSH trusts [TEXT]
  • BZ - 1069096 - sysprep timezone is not working when create pool from template.
  • BZ - 1070667 - engine should report the interface name for which "Used Network resources of host xxxxxxxx [100%] exceeded defined threshold [95%]" message is applicable.
  • BZ - 1070704 - CpuOverCommitDurationMinutes limited to a single digit value by regular expression in database scripts
  • BZ - 1070835 - Editing VM clears the VNIC profiles
  • BZ - 1072059 - [RFE] 3.4 product translation: translation update 1
  • BZ - 1072282 - VM split brain caused by network outage
  • BZ - 1073479 - The Memory Size of a VM is editable when the VM is powered up.
  • BZ - 1073669 - Event Log Displays multiple identical entries
  • BZ - 1075682 - PRD34 - [RFE] REST API for importing glance image as a template
  • BZ - 1076131 - RHEVM Webadmin portal displays the vm migration completed time incorrectly
  • BZ - 1076246 - RHEV 3.3 - Live Migration fails with ERROR: insert or update on table "step" violates foreign key constraint "fk_step_job"
  • BZ - 1077779 - [RFE] RHEL 7 Guest Support
  • BZ - 1081860 - CVE-2014-0152 ovirt-engine-webadmin: session fixation
  • BZ - 1081875 - CVE-2014-0153 ovirt-engine-api: session ID stored in HTML5 local storage
  • BZ - 1082800 - [RFE] 3.4 product translation: translation update 2
  • BZ - 1085529 - RHEV-M server appears to send the bad authentication to the AD server repeatedly, locking the account.
  • BZ - 1089777 - [RFE] 3.4 product translation: translation update 3
  • BZ - 1090660 - SuperUser of DataCenter X cannot approve a host under this Data Center
  • BZ - 1091391 - Images in ISO domain to not display until an SPM change

CVEs

  • CVE-2014-0152
  • CVE-2014-0153

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.4/html-single/Technical_Notes/index.html
Note: More recent versions of these packages may be available.

Red Hat Virtualization 3.4

SRPM
rhevm-3.4.0-0.21.el6ev.src.rpm SHA-256: fc66c3d8da2c5d54db4034245404a0a1594da5d3c15d56981ded2088874f657c
x86_64
rhevm-3.4.0-0.21.el6ev.noarch.rpm SHA-256: c728561fe46e4f648db0bc09d819a4861cf7ce9ea4e14852ecde4174438b09de
rhevm-backend-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 78355452a7e42ec5b4a8f9a6ab94688f145428426bb6d27917c601922be5e587
rhevm-dbscripts-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 9eeb77d6373ae34b29244f19bc6d358e9cf0ee134f4c6e6f0101de92b0527c28
rhevm-lib-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 017aa431a89780ddf79d52a313ede69d02132436847ddce4dc71c2442ca3248e
rhevm-restapi-3.4.0-0.21.el6ev.noarch.rpm SHA-256: b9c5afe3282762758e6756e1f4b1355158e29f144dcc9c7ecfc7944a9bb0dec6
rhevm-setup-3.4.0-0.21.el6ev.noarch.rpm SHA-256: cc12e0becc9e620babcc58c6a5c9e3ca3cd3c8f07b2c84c310f5faebef5140ef
rhevm-setup-base-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 46b429c636226ba4e920414f938f025db0019e9bec8b9258f7b034f15c880121
rhevm-setup-plugin-allinone-3.4.0-0.21.el6ev.noarch.rpm SHA-256: d786eba8c2c02c21c1991651f38479519512594e22813748bb9dccb9d6b9df0c
rhevm-setup-plugin-ovirt-engine-3.4.0-0.21.el6ev.noarch.rpm SHA-256: eed4301d5d188d4e9a4035638805a4ca40ffbaabf2ed189bf344777e6a8332a4
rhevm-setup-plugin-ovirt-engine-common-3.4.0-0.21.el6ev.noarch.rpm SHA-256: f8f7250f28b69ac6efea12172c04f03ee1f5fe10a2330d1a258b7c21be29934f
rhevm-setup-plugin-websocket-proxy-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 6145a815825d65e8226459c55be0f5da9ebf6f85d8309a0d171da0befe31ec37
rhevm-tools-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 6bb713aa091008b4a43b5380449049d50fb80bebf1d143a5c04a0417f01fdc0a
rhevm-userportal-3.4.0-0.21.el6ev.noarch.rpm SHA-256: d0455c9744174a6703c408ae43fe45f263e08473ffbf9fafa98ea9565a17b61d
rhevm-webadmin-portal-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 2f401602b70357d5485e5ff4f41d68ac7085d1b0075cfed1c1fed1e28ebaf7fc
rhevm-websocket-proxy-3.4.0-0.21.el6ev.noarch.rpm SHA-256: 9082d933c7ecf6847b858642baf6c4e5841ca65f5f3e13dcb48f72872f4e027c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
