Synopsis

Moderate: rhevm security update

Type/Severity

Security Advisory: Moderate

Topic

Updated rhevm packages that fix one security issue are now available.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

The Red Hat Enterprise Virtualization Manager is a centralized management
platform that allows system administrators to view and manage virtual
machines. The Manager provides a comprehensive range of features including
search capabilities, resource management, live migrations, and virtual
infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

It was found that the ovirt-engine REST API resolved entities in XML API
calls. A remote attacker with credentials to call the ovirt-engine REST
API could use this flaw to read files accessible to the user running the
ovirt-engine JBoss server, and potentially perform other more advanced XXE
attacks. (CVE-2014-3485)

This issue was discovered by David Jorm of Red Hat Product Security.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Virtualization 3.4 x86_64

Fixes

• BZ - 1107472 - CVE-2014-3485 ovirt-engine-api: XML eXternal Entity (XXE) flaw

CVEs

• CVE-2014-3485

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat Virtualization 3.4

SRPM
rhevm-3.4.0-0.22.el6ev.src.rpm	SHA-256: 5c50acef897c5b081f01ca9b9a7ecd1e24fc80687dae9d89366b469b42f3b6d1
x86_64
rhevm-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 071f813a42f84b494104ba986e54fc16d36dfe7d75924483a1b12018e99a58a5
rhevm-backend-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 5f4f3946b8c67c5a36fdd0e7fce640109e84287605c63515fd8ccb687bec1691
rhevm-dbscripts-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: d1fc8134411c36c604c21e4911cdef9eb0678d2cd1bf5dbbf66cddba5ba56388
rhevm-lib-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: e501e20d90d99d15f62e7a4e2d9bc0b529a9fd7491e691b7eeee73fd52aae16d
rhevm-restapi-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 8b91b3a28ed0982e3e59009c02797f4490753ef46c162e8d7ead251b927e2142
rhevm-setup-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 581f92268f2255b7a1c177910288361340eb03b38c39f0c5855aa419fafe3b0c
rhevm-setup-base-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 0a37d38fa02d485b85a04c889cf4dd6cafe1c0f80f6e67407d5de4dec52f2cda
rhevm-setup-plugin-allinone-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 640ce177e6ce84e9437658324e6bf7cfde2db25975d562e63898df76462b8cb5
rhevm-setup-plugin-ovirt-engine-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 5ebda7bb117b229acc8a0f526c30118a97d5304c415a187f8731664bc6d37ab8
rhevm-setup-plugin-ovirt-engine-common-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: f377da8060d7e3a00d2bf4fd8e3dd928cfc5eec514a2837fdd63188acc75a82a
rhevm-setup-plugin-websocket-proxy-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 4f2014b11687bdeea74a612d545bbebe70686152d178c55199853ad25342450f
rhevm-tools-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: ba3a71350ae3c68dd5579e15555d2fb0f9a8dfa0951d43725f3dbf8211f145df
rhevm-userportal-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 2070fce51a08ea09c18387a1f2b340c18757aaa40a8569c7c411bb6ca6eecd20
rhevm-webadmin-portal-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: c83cce56e1c6e8078745e34c28de9937e48e88307f194069f3a7e1a0836dbb0a
rhevm-websocket-proxy-3.4.0-0.22.el6ev.noarch.rpm	SHA-256: 36cf245b01adc57211425fb9167b7f083db6cb9a183c3fc3352fa0ba95aa9116