RHSA-2015:0888 - Security Advisory

Topic

Red Hat Enterprise Virtualization Manager 3.5.1 is now available.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

It was discovered that the permissions to allow or deny snapshot creation
were ignored during live storage migration of a VM's disk between storage
domains. An attacker able to live migrate a disk between storage domains
could use this flaw to cause a denial of service. (CVE-2015-0237)

It was discovered that a directory shared between the ovirt-engine-dwhd
service and a plug-in used during the service's startup had incorrect
permissions. A local user could use this flaw to access files in this
directory, which could potentially contain sensitive information.
(CVE-2015-0257)

The CVE-2015-0237 issue was discovered by Red Hat Enterprise Visualization
Engineering, and the CVE-2015-0257 issue was discovered by Yedidyah Bar
David of the Red Hat Enterprise Virtualization team.

These updated Red Hat Enterprise Virtualization Manager packages also
include numerous bug fixes and various enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Virtualization 3.5 Technical Notes, linked to in the
References, for information on the most significant of these changes.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 3.5 x86_64

Fixes

• BZ - 1082681 - RHEV-M displays and uses the same values for hypervisor cores regardless of cluster setting for "Count Threads as Cores"
• BZ - 1140462 - UI crash when configure hosted-engine with unreachable path
• BZ - 1141543 - [scale] - getdisksvmguid hit the performance due to all_disks_including_snapshots view
• BZ - 1171724 - [PPC] Mismatch in CPU pinning support
• BZ - 1171725 - [engine-backend] resizing a disk attached to a paused VM leaves the image LOCKED
• BZ - 1174812 - [engine-backend] SQLException while starting a VM which was stateless before and had a disk attached to it while it was in stateless
• BZ - 1174814 - [RFE] Generate sysprep answers file with name matching the version of Windows
• BZ - 1174815 - Can't run VM with error: CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_O BJECT_LOCKED
• BZ - 1174816 - Host pending resources are not cleared after migration canceling.
• BZ - 1174817 - Pending resources are not cleared when network exception occurs.
• BZ - 1175137 - [RHEL7][log-collector] Missing some info from host's archive due to sos 3 refactoring
• BZ - 1175289 - rhevm-setup-plugins is missing some dependencies
• BZ - 1176546 - [ImportDomain] VM with no disks should be part of the OVF_STORE disk
• BZ - 1176552 - [ImportDomain] The attach operation should issue a warning, if the Storage Domain is already attached to another Data Center in another setup
• BZ - 1176578 - already provided old password is used to connect to ISCSI target although a different password was provided in a newly added connection
• BZ - 1177138 - Live deletion of a snapshot (live merge) is blocked(CDA) when attempting the removal from snapshot overview
• BZ - 1177220 - RHEV: Failed to Delete First snapshot with live merge
• BZ - 1177221 - [JSONRPC]Live merge - failed to delete snapshot on 2nd attempt - first attempt was interrupted with shutdown of vm
• BZ - 1177222 - [Block storage] Basic Live Merge after Delete Snapshot fails
• BZ - 1178646 - [ImportDomain] Engine should add a CDA validation when trying to attach an imported Storage Domain to an un-initalized Data Center
• BZ - 1181585 - [hosted-engine] Bad check of iso image permission
• BZ - 1181586 - engine-setup unconditionally enables the engine if ran on dwh on separate host
• BZ - 1181639 - DWH log does not show message when it closes due to DisconnectDWH flag on engine
• BZ - 1181642 - If connection to DB fails , the job that checks DisconnectDwh flag does not reconnect to engine db
• BZ - 1181678 - [scale] Data Center crashing and contending forever due to missing pvs. All SDs are Unknown/Inactive.
• BZ - 1181681 - Add rest API to support warning for attached Storage Domains on attach or import of Storage Domain
• BZ - 1181691 - Issues with rename
• BZ - 1181695 - Issues with rename
• BZ - 1182125 - Rebase to 5.5 aggregated war package with bug fixes.
• BZ - 1182158 - [RFE][ImportDomain] Add support for importing Block Storage Domain using REST-api
• BZ - 1182779 - [engine-backend] [iSCSI multipath] Cannot edit iSCSI multipath bond while iSCSI SD is in maintenance
• BZ - 1183298 - [engine-backend] NullPointerException when executing AddDiskCommand on a newly creates storage domain with N/A available space
• BZ - 1184716 - CVE-2015-0237 vdsm: Users attempting a live storage migration create snapshot without snapshot creation permissions
• BZ - 1184807 - Storage thresholds should not be inclusive
• BZ - 1185050 - failure of master migration on deactivation will leave domain locked
• BZ - 1185613 - Bad error when adding vm to pool with low space on storage domain
• BZ - 1185614 - faulty storage allocation checks when adding a vm to a pool
• BZ - 1185619 - External Keystone Connection Fails to Juno-based OpenStack
• BZ - 1185633 - [scale] [storage] ConnectStorageServer failed - The thread pool is out of limit (engine finish its thread pool)
• BZ - 1185666 - Change message when importing a data domain to an unsupported version
• BZ - 1186371 - Import of non data Storage Domains (specifically export domain) should not call engine query for web warning
• BZ - 1186372 - Failure for calling internal query GetExistingStorageDomainList will cause an NPE
• BZ - 1186375 - [RFE][engine-backend][HC] - add the possibility to import existing Gluster and POSIXFS export domains
• BZ - 1186410 - [JSON] Force extend block domain, in JSONRPC, using a "dirty" LUN, fails
• BZ - 1187985 - [RFE] Add default-options to iDrac7 Fencing agent in RHEVM
• BZ - 1188326 - [engine-iso-uploader] engine-iso-uploader does not work with Local ISO domain
• BZ - 1188971 - ENGINE_HEAP_MAX default value as 1G must be changed
• BZ - 1189085 - CVE-2015-0257 ovirt-engine-dwh: incorrect permissions on plugin file containing passwords
• BZ - 1190466 - HEAP_MAX default value as 1G must be changed
• BZ - 1190636 - [hosted-engine] [iSCSI support] connectStoragePools fails with "SSLError: The read operation timed out" while adding a new host to the setup
• BZ - 1191169 - Extra leap second on 30th of June 2015
• BZ - 1191466 - Using "iSCSI Bond", host does not disconnect from iSCSI targets
• BZ - 1191729 - [3.5_6.6] - VM fails to start in snapshot preview mode with a RAM snapshot
• BZ - 1192014 - RHEV-M managed firewall blocks NFS rpc.statd notifications
• BZ - 1192462 - [RFE][HC] make override of iptables configurable when using hosted-engine
• BZ - 1192931 - Rebase ovirt-hosted-engine-ha to upstream 1.2.5
• BZ - 1192937 - Rebase ovirt-hosted-engine-setup to upstream 1.2.2
• BZ - 1192945 - Rebase rhevm-log-collector to upstream 3.5.1
• BZ - 1192954 - Can not restore backup file to rhevm with non-default lc_messages
• BZ - 1194272 - [RFE] finer grained user permissions/roles on snapshots and live storage migration
• BZ - 1194344 - Exception raised while selected report User's Spice Sessions Monthly Activity
• BZ - 1194394 - Unable to authenticate if user is using http://indeed-id.com/index.html solution for authentication.
• BZ - 1194600 - Upgrade rhevm-iso-uploader to upstream ovirt-iso-uploader 3.5.1
• BZ - 1195000 - Locked snapshot prevents VM's basic operations, after it's disk was removed
• BZ - 1195030 - Changing rpc to 'json-rpc' fails with, "Operation Failed: [Internal Engine Error]", due to errors on character encoding
• BZ - 1195114 - Engine does not filter duplicate action on the same entity
• BZ - 1195115 - REST API Host install action - the option to override firewall definitions should be added
• BZ - 1195117 - Power management test with non approved host
• BZ - 1195119 - [backend] [NPE] Adding permission to an object fails if DEBUG level is set
• BZ - 1196136 - Engine-setup should support cleaning of zombie commands before upgrade
• BZ - 1197616 - Template creation stuck after upgrade
• BZ - 1198248 - [performance] bad getVMList output creates unnecessary calls from Engine
• BZ - 1199812 - Configure new user role dialog: faulty rendering due to javascript exception (missing "ActionGroup___DISK_LIVE_STORAGE_MIGRATION")
• BZ - 1202334 - Setup validation: Failed to clear zombie tasks after upgrade
• BZ - 1209131 - "VdcBLLException: NO_UP_SERVER_FOUND" in seen in engine logs

CVEs

• CVE-2015-0257
• CVE-2015-0237

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html-single/Technical_Notes/index.html