RHSA-2015:0158 - Security Advisory

Topic

Red Hat Enterprise Virtualization Manager 3.5.0 is now available.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

It was discovered that the HttpClient incorrectly extracted the host name
from an X.509 certificate subject's Common Name (CN) field.
A man-in-the-middle attacker could use this flaw to spoof an SSL server
using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)

A Cross-Site Request Forgery (CSRF) flaw was found in the oVirt REST API.
A remote attacker could provide a specially crafted web page that, when
visited by a user with a valid REST API session, would allow the attacker
to trigger calls to the oVirt REST API. (CVE-2014-0151)

It was found that the oVirt web admin interface did not include the
HttpOnly flag when setting session IDs with the Set-Cookie header.
This flaw could make it is easier for a remote attacker to hijack an oVirt
web admin session by leveraging a cross-site scripting (XSS) vulnerability.
(CVE-2014-0154)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat
Product Security.

These updated Red Hat Enterprise Virtualization Manager packages also
include numerous bug fixes and various enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Virtualization 3.5 Manager Release Notes document,
linked to in the References, for information on the most significant of
these changes.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 3.5 x86_64

Fixes

• BZ - 570191 - PRD35 - [RFE] [AAA] support Kerberos authentication (for REST API)
• BZ - 716511 - PRD35 - [RFE] support discovery of existing virtual machines on RHEV storage
• BZ - 723211 - PRD35 - [RFE] clone vm - support copy/duplicate virtual machines (without having to create a template)
• BZ - 800155 - PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
• BZ - 804530 - PRD35 - [RFE] Change the "Slot" field to "Service Profile" when cisco_ucs is selected as the fencing type
• BZ - 817180 - PRD35 - [RFE] sysprep needs ability to specify Active Directory OU for VMs to join
• BZ - 828591 - PRD35 - [RFE] ability to "rebalance" cluster load with a single button
• BZ - 832167 - PRD35 - [RFE] NUMA information(memory and cpu) in guest - RHEV-M support
• BZ - 859024 - PRD35 - [RFE] Provide confirmation prompt while deactivating a NIC
• BZ - 874328 - PRD35 - [RFE] Add Instance Types (hardware profiles/flavors)
• BZ - 878662 - PRD35 - [RFE] Mechanism for adding additional fence agents to mgr
• BZ - 879077 - PRD35 - [RFE] left-hand pane in the AdminPortal (the tree) should auto-refresh
• BZ - 884653 - [RFE][AAA] support single sign-on to user and admin portals
• BZ - 890517 - PRD35 - [RFE] add gluster profile support
• BZ - 894027 - PRD35 - [RFE] [restapi] Display the current logged in user in API
• BZ - 894084 - PRD35 - [RFE] report SELinux policy and show it in UI + warn when not enabled
• BZ - 895222 - PRD35 - [RFE] Unable to sort on columns in WebAdmin for RHEV
• BZ - 902298 - PRD35 - [RFE] Change Time Zone after the initial-run
• BZ - 906243 - PRD35 - [RFE] provide separate netbios name VM property for Windows sysprep, and relax the VM name limitations
• BZ - 906938 - PRD35 - [RFE] Support blkio SLA features
• BZ - 912057 - PRD35 - [RFE] webadmin [TEXT]: unclear warning that template of linked vm does not exist in export domain
• BZ - 918138 - PRD35 - [RFE] Allow guest serial number to be configurable
• BZ - 920708 - [RESTAPI] Create Data Storage Domain request on non-empty mount results in attempt to import existing domain
• BZ - 922377 - PRD35 - [RFE] Allow to edit VM properties that need VM to be down to apply, just mark it as such and apply on VM shutdown
• BZ - 928727 - [RFE] [engine-webadmin-portal] Resizable columns in add virtual disk window
• BZ - 947965 - RHEVM Backend : VM can be removed while in other state than down, like migrating and powering off
• BZ - 955235 - PRD35 - [RFE] support BIOS boot device menu
• BZ - 961753 - PRD35 - [RFE] Improve fencing robustness by retrying failed attempts
• BZ - 962220 - PRD35 - [RFE] allow to set locale, language and keyboard settings for sysprep operation per vm
• BZ - 962880 - PRD35 - [RFE] when viewing a grid that contains only one item, *automatically* select that item
• BZ - 967466 - PRD35 - [RFE] Show live migration progress in the UI
• BZ - 977079 - [RFE] Add virtio-rng support [EL 6.6 only]
• BZ - 977306 - Password validity time related information is missing in "console.vv" for rhevm 3.2.
• BZ - 985945 - PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic configuration
• BZ - 987295 - PRD35 - [RFE] Add periodic power management health check to detect/warn about link-down detection of power management LAN
• BZ - 987299 - PRD35 - [RFE] Display of NIC Slave/Bond fault on RHEV-M Event Log and UI
• BZ - 988392 - PRD35 - [RFE] Ability to dismiss alerts from web-admin portal
• BZ - 988422 - PRD35 - [RFE] Neutron Integration: Providing a Neutron appliance
• BZ - 989546 - PRD35 - [RFE] Re-work engine ovirt-node host-deploy sequence
• BZ - 996512 - PRD35 - [RFE] Need API to 'unlock' a running VM when connecting to it through the REST API
• BZ - 999975 - PRD35 - [RFE] Accept vlan devices identified by any name
• BZ - 1001419 - [User Portal] Right hand pane in user portal takes too much space
• BZ - 1003785 - [RFE] cannot edit/create network on DC via left hand panel tree on DC which was recreated
• BZ - 1007133 - PRD35 - [RFE][host-deploy] support more ciphers for ssh - upgrade apache-sshd to 0.11.0
• BZ - 1008512 - [RFE] QoS support is missing from CLI, SDK and REST API
• BZ - 1013670 - New Template: comment is not saved when creating new template
• BZ - 1014326 - Adding a new VM and choosing the OS of any linux, prevents you from changing the time zone.
• BZ - 1015186 - PRD35 - [RFE] Give notification to Admin User, when RHEV Storage Domain approaches the limit of 350 LVs
• BZ - 1016916 - PRD35 - [RFE] Search VMs based on MAC address from RHEVM web-admin portal
• BZ - 1022795 - PRD35 - [RFE] Disk alias recycling in web-admin portal
• BZ - 1025376 - PRD35 - [RFE] [rhevm] Webadmin - RFE - Run Once from CD should Show ISO name
• BZ - 1025831 - PRD35 - [RFE] add administrator password and OrgName properties to Initial Run of Run Once of VMs of Windows OS type
• BZ - 1028387 - virtio-serial and balloon should be managed devices
• BZ - 1029934 - No error message displayed when trying to add an already existing (but unattached) SD in a DC
• BZ - 1032686 - PRD35 - [RFE] Save "domain related" OVFs on any data domain
• BZ - 1034309 - PRD35 - [RFE] add a warning when adding display network
• BZ - 1034885 - PRD35 - [RFE] Snapshot overview in webadmin portal
• BZ - 1038632 - PRD35 - [RFE] [spice-html5] spice-html5 js client is dumb: no error about network connection issue
• BZ - 1040952 - Job and step tables not cleaned after the failure or completion of some tasks.
• BZ - 1043430 - Add Firefox 31 to supported browsers (replacing FF17)
• BZ - 1043808 - For an interface with multiple VLAN interfaces, rhev Host assigns highest mtu of a vlan interface to all vlan interface under the parent interface .
• BZ - 1044033 - PRD35 - [RFE] Support ethtool_opts functionality within RHEV
• BZ - 1044042 - PRD35 - [RFE] Support bridging_opts functionality within RHEV
• BZ - 1048019 - PRD35 - [RFE] [slow RHEV-M portal] optimize queries invocation for left-pane tree data retrieval
• BZ - 1052348 - PRD35 - [RFE] Include iotop package in RHEV-H images
• BZ - 1053884 - Guest fails to migrate while paused
• BZ - 1058022 - PRD35 - [RFE] Decommission the Storage Pool Metadata
• BZ - 1059435 - PRD35 - [RFE] RHEVM Self Hosted Engine on RHEV-H
• BZ - 1061156 - PRD35 - [RFE] Description field in Virtual machines tab
• BZ - 1062435 - PRD35 - [RFE] have rhevm-shell and API provide same functionality that the UI does for ovirt-scheduler-proxy
• BZ - 1064273 - Cannot create a new VM in a local SD
• BZ - 1064544 - PRD35 - [RFE] new engine GUI look and feel (LAF) - phase 1
• BZ - 1065753 - PRD35 - [RFE] Maintenance operations on a VM would ask for an optional reason
• BZ - 1067162 - PRD35 - [RFE] Hosted Engine on iSCSI data centers
• BZ - 1070348 - PRD35 - [RFE] RHEVM GUI - Add host uptime information to the "General" tab
• BZ - 1070823 - PRD35 - [RFE] Wipe after Delete flag modification while VM is Up
• BZ - 1071217 - Misleading error message when user with ClusterAdmin role on cluster tries to add a disk to a VM without permissions on any storage domain
• BZ - 1076705 - RHEV 3.3 rhevm-shell can't change cluster policy to a custom policy
• BZ - 1077284 - [RFE] Allow big ranges in MacPoolManager
• BZ - 1079583 - When RHEV reports a problem with a storage domain, it should report **which** storage domain
• BZ - 1080144 - USB Support select box always shows "Disabled" choice.
• BZ - 1081533 - SPICE ActiveX download fails if user performs upgrade from 3.3.0 to 3.3.1
• BZ - 1081849 - CVE-2014-0151 ovirt-engine: cross-site request forgery (CSRF)
• BZ - 1081896 - CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set
• BZ - 1082110 - Event ID 1200 (VM rename) does not record the initating User id
• BZ - 1082681 - RHEV-M displays and uses the same values for hypervisor cores regardless of cluster setting for "Count Threads as Cores"
• BZ - 1083760 - PRD35 - [RFE] Prevent host fencing while kdumping
• BZ - 1083763 - PRD35 - [RFE] replace XML-RPC communication (engine-vdsm) with json-rpc based on bidirectional transport
• BZ - 1083766 - console.vv file does not display name of VM for VNC consoles
• BZ - 1083769 - PRD35 - [RFE] - introduction of Command-Coordination infrastructure
• BZ - 1083926 - The hosts max_scheduling_memory should be updated when a live migration starts.
• BZ - 1083998 - PRD35 - [RFE] using foreman provider to provision bare-metal hosts
• BZ - 1084120 - PRD35 - [RFE] Please add host count and guest count columns to "Clusters" tab in webadmin
• BZ - 1084611 - [RFE] RHEV-M networking went down, 90% of hosts were fenced causing a massive outage
• BZ - 1085136 - PRD35 - [RFE] webadmin : Allow online vDisk description editing.
• BZ - 1085380 - Dialog is not highlighted if VM cannot be created before clicking to "Show Advanced Options"
• BZ - 1087745 - Recommended size of memory is too low for RHEL6 64bit systems
• BZ - 1087917 - [GUI/General sub-tab] Windows-based Template & Pool: Time Zone is blank when set to the global default
• BZ - 1091692 - [Network labels] Removal of labelled network from DC inconsistent with removal from cluster
• BZ - 1092609 - Searching for objects that _do not_ have a tag in the search bar is not possible
• BZ - 1092884 - [RFE] Please improve RHEVM Webadmin portal vm migration displayed only into min:sec format.
• BZ - 1093393 - [engine-backend] [iSCSI multipath] Required cluster network shouldn't be allowed to be added to an iSCSI multipath bond
• BZ - 1093742 - System is not power on after a fencing operation (ILO3).
• BZ - 1093784 - The Expect header is ignored
• BZ - 1093786 - Negative values for "Shared Memory"
• BZ - 1095240 - PRD35 - [RFE] Support logging of commands parameters
• BZ - 1096662 - [RFE] Long strings in dialogs adversely affect GUI
• BZ - 1096971 - Importing an Export/ISO storage domain automatically activates the domain
• BZ - 1097256 - 10 minute delay on migrating VMs out after requesting maintenance mode
• BZ - 1097622 - Inconsistent VirtIO direct lun disk attachment behaviour.
• BZ - 1098591 - [TEXT] Tool tips for weights on Cluster Policy module in Configuration Dialogue are incorrect
• BZ - 1098638 - smartcard entries are duplicated every time a template is saved, resulting in unbootable VMs
• BZ - 1098791 - Reduce blocking operations as part of hosts & VMs monitoring cycles
• BZ - 1100194 - Unable to scroll down template list using IE9
• BZ - 1100810 - Edit button for Setup Host Networks window should always be displayed
• BZ - 1101018 - PRD35 - [RFE][RHEV] Support single disk snapshot on preview snapshot action in REST-API
• BZ - 1101565 - Cannot approve hosts using REST API
• BZ - 1102018 - PRD35 - [RFE] Drop Linux bridge plugin support from neutron integration
• BZ - 1103490 - [REST API]: Missing VM statistics field.
• BZ - 1103676 - ovirt-engine should not store long term files in "/var/tmp/ovirt-engine/": tmpwatch will remove that directory after 30 days
• BZ - 1103707 - application list database limit is too small (4000 chars)
• BZ - 1103976 - rhevm-engine-setup: weak default passwords for PostgreSQL database users
• BZ - 1104030 - Failed VM migrations do not release VM resource lock properly leading to failures in subsequent migration attempts
• BZ - 1104195 - "Domain not found: no domain with matching uuid" error logged to audit_log after live migration fails due to timeout exceeded
• BZ - 1104233 - VM Pools do not properly inherit admin roles in the admin portal
• BZ - 1109326 - 3.4 upgrade does not set correct iptables rules when serving ISO domain from RHEV-M host
• BZ - 1109721 - storage domain ownership of LUN not displayed
• BZ - 1110172 - [RFE]API to check if a host has renew its lease
• BZ - 1110636 - [RFE] Enable PPC Support in RHEV
• BZ - 1111551 - [rhevm] unable to create template from Windows 2012 guest with SPICE videocard in RHEV 3.4
• BZ - 1112359 - Failed to remove host xxxxxxxx
• BZ - 1113499 - [RHEVM] Special character handling on VM Description is not correct
• BZ - 1113937 - [RFE][AAA] Single sign-on into web applications
• BZ - 1114041 - Cannot add AD group to a new VM from the user portal
• BZ - 1114241 - PRD35 - [RFE] Set 'save network configuration' default to 'true' on setup networks dialog
• BZ - 1114244 - [RFE] Admin GUI: Sort by 'IP address' (in VM tab) should not treat the IP address as a string
• BZ - 1114253 - PRD35 - [RFE] Allow to perform fence operations from a host in another DC
• BZ - 1114260 - [RFE] Public extension API for ovirt-engine
• BZ - 1114554 - [RFE] Expose bookmarks through REST API
• BZ - 1115845 - Enable sync of LUNs after storage domain activation for FC - duplicate LUNs
• BZ - 1115966 - Update storage domain from rhevm-shell fails with java.lang.NullPointerException
• BZ - 1116486 - When importing a VM in RHEVM 3.4 all its disks turn from thin provision to preallocated
• BZ - 1118191 - unlock_entity.sh fails with "psql: fe_sendauth: no password supplied"
• BZ - 1118818 - Luns either missing from or having no 'volume_group_id' in the luns table in the RHEV database.
• BZ - 1118847 - ovirt-engine currently sets the disk device to "lun" for all virtio-scsi direct LUN connections and disables read-only for these devices
• BZ - 1118879 - [RFE] Provide configuration screen for "Fencing Policy" within the "Edit Cluster" dialog
• BZ - 1119922 - [RFE]embed the check ("if a host has renew its lease on any SD") into the fencing flow - according to cluster level policy
• BZ - 1120197 - The Balloon driver on VM ... on host ... is requested but unavailable.
• BZ - 1120829 - [RFE] Do not fence hosts when more than X% of hosts are in a Non-Responding or Connecting state
• BZ - 1120858 - [RFE] Option to disable fencing for a cluster
• BZ - 1121454 - In RHEV, admin UI rejects FQDNs ending in a digit when creating NFS storage domains
• BZ - 1123396 - Admin Portal: Unresponsive script leading to Virtual Machines not being displayed any more
• BZ - 1123754 - Direct FC lun disk details aren't validated
• BZ - 1125834 - [engine-setup] "badly formed hexadecimal UUID string" error when ISO domain path contains a directory
• BZ - 1126839 - "There is no over-utilized host in cluster " repeated every minute
• BZ - 1128949 - OvfUpdateIntervalInMinutes/OvfItemsCountPerUpdate fields should be exposed to engine-config tool
• BZ - 1129012 - Unable to add description for "Affinity Group" with space character.
• BZ - 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
• BZ - 1129634 - Cannot export VM. Disk configuration (COW Preallocated) is incompatible with the storage domain type.
• BZ - 1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
• BZ - 1130076 - engine.log is flooded with messages as "Executing a command: java.util.concurrent.FutureTask , but note that there are 1 tasks in the queue."
• BZ - 1131693 - Error connecting to VM using RDP if NLA is enabled
• BZ - 1132078 - RESTAPI: RSDL does not document all available parameters
• BZ - 1132191 - [Windows sysprep] Run Once: Special characters are not encoded in XML sysprep files for Windows 7, 8, 2008, 2012
• BZ - 1133938 - SD inactive after 2nd extension (with already added LUN)
• BZ - 1134009 - [Network label] RHEV does not allow adding label for a network being used by VMs
• BZ - 1136087 - engine-manage-domains always searches for KDC servers over DNS, even when --resolve-kdc is not set
• BZ - 1139866 - PRD35 - [RFE] Test RHEV 3.5 on RHEL 6.6
• BZ - 1140098 - [RHEV-M] System is not power on after a fencing operation in power management (agent: ipmilan)
• BZ - 1140430 - Failure to Attach ISO domain causes SPM failover
• BZ - 1141693 - VM Importer Screen does not update disk tab if more than one machine are selected for import
• BZ - 1142233 - Description of affinity group not loaded to edit affinity group tab
• BZ - 1148379 - In case of using new template version (sealed with sysprep) for a pool, VMs get stuck in minisetup
• BZ - 1148623 - Windows 7 guests reports incorrect time after a cold restart.
• BZ - 1149135 - Prestarted VMs dissapear from UI after failure to restore snapshot once VM turns from Unknown status to Down
• BZ - 1149235 - [Admin Portal][ppc64][Power mgmt] ipmi doesn't work - Authentication type NONE not supported/Unable to obtain correct plug status or plug is not available
• BZ - 1153544 - Failed VM migrations do not release VM resource lock properly
• BZ - 1154607 - GetAllFromVms stored function is inefficient
• BZ - 1154630 - [PPC]-Can't Hotplug/unplug VM nic while vm is running and has OS installed
• BZ - 1156577 - [AAA] Adding an LDAP domain against ldap installed on rhel 6.6 fails
• BZ - 1157211 - Engine does not free pending_vmem_size and pending_vcpus_count on migrate host, in case of VM migration failure.
• BZ - 1160889 - Live Storage Migration "completes" but the engine sequence does not, leaving an unfinished job.

CVEs

• CVE-2012-6153
• CVE-2014-3577
• CVE-2014-0154
• CVE-2014-0151

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Manager_Release_Notes/index.html