Red Hat Product Errata RHSA-2015:0888 - Security Advisory

Issued: 2015-04-28
Updated: 2015-04-28


Synopsis

Moderate: Red Hat Enterprise Virtualization Manager 3.5.1 update

Type/Severity

Security Advisory: Moderate


Topic

Red Hat Enterprise Virtualization Manager 3.5.1 is now available.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

It was discovered that the permissions to allow or deny snapshot creation
were ignored during live storage migration of a VM's disk between storage
domains. An attacker able to live migrate a disk between storage domains
could use this flaw to cause a denial of service. (CVE-2015-0237)

It was discovered that a directory shared between the ovirt-engine-dwhd
service and a plug-in used during the service's startup had incorrect
permissions. A local user could use this flaw to access files in this
directory, which could potentially contain sensitive information.
(CVE-2015-0257)

The CVE-2015-0237 issue was discovered by Red Hat Enterprise Virtualization
Engineering, and the CVE-2015-0257 issue was discovered by Yedidyah Bar
David of the Red Hat Enterprise Virtualization team.

These updated Red Hat Enterprise Virtualization Manager packages also
include numerous bug fixes and various enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Virtualization 3.5 Technical Notes, linked to in the
References, for information on the most significant of these changes.

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Virtualization 3.5 x86_64

Fixes

  • BZ - 1082681 - RHEV-M displays and uses the same values for hypervisor cores regardless of cluster setting for "Count Threads as Cores"
  • BZ - 1140462 - UI crash when configure hosted-engine with unreachable path
  • BZ - 1141543 - [scale] - getdisksvmguid hit the performance due to all_disks_including_snapshots view
  • BZ - 1171724 - [PPC] Mismatch in CPU pinning support
  • BZ - 1171725 - [engine-backend] resizing a disk attached to a paused VM leaves the image LOCKED
  • BZ - 1174812 - [engine-backend] SQLException while starting a VM which was stateless before and had a disk attached to it while it was in stateless
  • BZ - 1174814 - [RFE] Generate sysprep answers file with name matching the version of Windows
  • BZ - 1174815 - Can't run VM with error: CanDoAction of action RunVm failed. Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_OBJECT_LOCKED
  • BZ - 1174816 - Host pending resources are not cleared after migration canceling.
  • BZ - 1174817 - Pending resources are not cleared when network exception occurs.
  • BZ - 1175137 - [RHEL7][log-collector] Missing some info from host's archive due to sos 3 refactoring
  • BZ - 1175289 - rhevm-setup-plugins is missing some dependencies
  • BZ - 1176546 - [ImportDomain] VM with no disks should be part of the OVF_STORE disk
  • BZ - 1176552 - [ImportDomain] The attach operation should issue a warning, if the Storage Domain is already attached to another Data Center in another setup
  • BZ - 1176578 - already provided old password is used to connect to ISCSI target although a different password was provided in a newly added connection
  • BZ - 1177138 - Live deletion of a snapshot (live merge) is blocked(CDA) when attempting the removal from snapshot overview
  • BZ - 1177220 - RHEV: Failed to Delete First snapshot with live merge
  • BZ - 1177221 - [JSONRPC]Live merge - failed to delete snapshot on 2nd attempt - first attempt was interrupted with shutdown of vm
  • BZ - 1177222 - [Block storage] Basic Live Merge after Delete Snapshot fails
  • BZ - 1178646 - [ImportDomain] Engine should add a CDA validation when trying to attach an imported Storage Domain to an un-initalized Data Center
  • BZ - 1181585 - [hosted-engine] Bad check of iso image permission
  • BZ - 1181586 - engine-setup unconditionally enables the engine if ran on dwh on separate host
  • BZ - 1181639 - DWH log does not show message when it closes due to DisconnectDWH flag on engine
  • BZ - 1181642 - If connection to DB fails , the job that checks DisconnectDwh flag does not reconnect to engine db
  • BZ - 1181678 - [scale] Data Center crashing and contending forever due to missing pvs. All SDs are Unknown/Inactive.
  • BZ - 1181681 - Add rest API to support warning for attached Storage Domains on attach or import of Storage Domain
  • BZ - 1181691 - Issues with rename
  • BZ - 1181695 - Issues with rename
  • BZ - 1182125 - Rebase to 5.5 aggregated war package with bug fixes.
  • BZ - 1182158 - [RFE][ImportDomain] Add support for importing Block Storage Domain using REST-api
  • BZ - 1182779 - [engine-backend] [iSCSI multipath] Cannot edit iSCSI multipath bond while iSCSI SD is in maintenance
  • BZ - 1183298 - [engine-backend] NullPointerException when executing AddDiskCommand on a newly creates storage domain with N/A available space
  • BZ - 1184716 - CVE-2015-0237 vdsm: Users attempting a live storage migration create snapshot without snapshot creation permissions
  • BZ - 1184807 - Storage thresholds should not be inclusive
  • BZ - 1185050 - failure of master migration on deactivation will leave domain locked
  • BZ - 1185613 - Bad error when adding vm to pool with low space on storage domain
  • BZ - 1185614 - faulty storage allocation checks when adding a vm to a pool
  • BZ - 1185619 - External Keystone Connection Fails to Juno-based OpenStack
  • BZ - 1185633 - [scale] [storage] ConnectStorageServer failed - The thread pool is out of limit (engine finish its thread pool)
  • BZ - 1185666 - Change message when importing a data domain to an unsupported version
  • BZ - 1186371 - Import of non data Storage Domains (specifically export domain) should not call engine query for web warning
  • BZ - 1186372 - Failure for calling internal query GetExistingStorageDomainList will cause an NPE
  • BZ - 1186375 - [RFE][engine-backend][HC] - add the possibility to import existing Gluster and POSIXFS export domains
  • BZ - 1186410 - [JSON] Force extend block domain, in JSONRPC, using a "dirty" LUN, fails
  • BZ - 1187985 - [RFE] Add default-options to iDrac7 Fencing agent in RHEVM
  • BZ - 1188326 - [engine-iso-uploader] engine-iso-uploader does not work with Local ISO domain
  • BZ - 1188971 - ENGINE_HEAP_MAX default value as 1G must be changed
  • BZ - 1189085 - CVE-2015-0257 ovirt-engine-dwh: incorrect permissions on plugin file containing passwords
  • BZ - 1190466 - HEAP_MAX default value as 1G must be changed
  • BZ - 1190636 - [hosted-engine] [iSCSI support] connectStoragePools fails with "SSLError: The read operation timed out" while adding a new host to the setup
  • BZ - 1191169 - Extra leap second on 30th of June 2015
  • BZ - 1191466 - Using "iSCSI Bond", host does not disconnect from iSCSI targets
  • BZ - 1191729 - [3.5_6.6] - VM fails to start in snapshot preview mode with a RAM snapshot
  • BZ - 1192014 - RHEV-M managed firewall blocks NFS rpc.statd notifications
  • BZ - 1192462 - [RFE][HC] make override of iptables configurable when using hosted-engine
  • BZ - 1192931 - Rebase ovirt-hosted-engine-ha to upstream 1.2.5
  • BZ - 1192937 - Rebase ovirt-hosted-engine-setup to upstream 1.2.2
  • BZ - 1192945 - Rebase rhevm-log-collector to upstream 3.5.1
  • BZ - 1192954 - Can not restore backup file to rhevm with non-default lc_messages
  • BZ - 1194272 - [RFE] finer grained user permissions/roles on snapshots and live storage migration
  • BZ - 1194344 - Exception raised while selected report User's Spice Sessions Monthly Activity
  • BZ - 1194394 - Unable to authenticate if user is using http://indeed-id.com/index.html solution for authentication.
  • BZ - 1194600 - Upgrade rhevm-iso-uploader to upstream ovirt-iso-uploader 3.5.1
  • BZ - 1195000 - Locked snapshot prevents VM's basic operations, after it's disk was removed
  • BZ - 1195030 - Changing rpc to 'json-rpc' fails with, "Operation Failed: [Internal Engine Error]", due to errors on character encoding
  • BZ - 1195114 - Engine does not filter duplicate action on the same entity
  • BZ - 1195115 - REST API Host install action - the option to override firewall definitions should be added
  • BZ - 1195117 - Power management test with non approved host
  • BZ - 1195119 - [backend] [NPE] Adding permission to an object fails if DEBUG level is set
  • BZ - 1196136 - Engine-setup should support cleaning of zombie commands before upgrade
  • BZ - 1197616 - Template creation stuck after upgrade
  • BZ - 1198248 - [performance] bad getVMList output creates unnecessary calls from Engine
  • BZ - 1199812 - Configure new user role dialog: faulty rendering due to javascript exception (missing "ActionGroup___DISK_LIVE_STORAGE_MIGRATION")
  • BZ - 1202334 - Setup validation: Failed to clear zombie tasks after upgrade
  • BZ - 1209131 - "VdcBLLException: NO_UP_SERVER_FOUND" in seen in engine logs

CVEs

  • CVE-2015-0257
  • CVE-2015-0237

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html-single/Technical_Notes/index.html
Note: More recent versions of these packages may be available.

Red Hat Virtualization 3.5

SRPM
rhevm-3.5.1-0.4.el6ev.src.rpm SHA-256: 017538863a80ba43c1e6a1e69ac79466f9a2913a76bebaf61b9e5388f6c6d6ab
x86_64
rhevm-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 58e22013c6982c003be21879051a1521a4b46dd03cbefe86355af2714ebc391a
rhevm-backend-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 51310518f0ad0cf4bfa29d7a9cd8b58769612e8c4322cb0fad09ec709e7438a3
rhevm-dbscripts-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 7d205953da926e4e3f94d5acbe9b31862b064a2e93d317d0ef1aea1c05ea7097
rhevm-extensions-api-impl-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 91a79df951ad98b9f44005786764471b8d3a166b15f458078d71f4cb778409cf
rhevm-extensions-api-impl-javadoc-3.5.1-0.4.el6ev.noarch.rpm SHA-256: b222c3d938d49e053ca29cfa87cf70bc5c720598486edad474d0b4114d82941d
rhevm-lib-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 53f2da1a4f121b5a3a84be44772c24d149d8ce4f4df076255579509db2ab5681
rhevm-restapi-3.5.1-0.4.el6ev.noarch.rpm SHA-256: e4ed3d54fcc971bb12a1f91e27a483092fe635e9d90e92fc531f01a283957dd8
rhevm-setup-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 18531e5eff3065f17f64be350a3d2afac183194e50474295eda8ded15c340515
rhevm-setup-base-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 7cd4497c9b077dac714a5402d05ffb9f2cdc366e012826400befbf598852a22d
rhevm-setup-plugin-allinone-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 1fe624876d2f88cf740a993d06ecc9e83efb0bb6a74d6e84fb5457559c5c7ec4
rhevm-setup-plugin-ovirt-engine-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 14a4260f41f0a10b2250409396c2f3fd84588aae69c0916a0d69ee6f7c126a39
rhevm-setup-plugin-ovirt-engine-common-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 899b7d4fb4904d6046f27f9df8693ad37a20c1fb436fe44bd970d73af0ad5dd0
rhevm-setup-plugin-websocket-proxy-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 8540d7ef27e77909ec659f8787354f51be86d653e724d8ea9a8e1b702d1d38b8
rhevm-tools-3.5.1-0.4.el6ev.noarch.rpm SHA-256: d01c40fbe1c27d8089a84908f7f6f4cde4f6be293e005e5960c3a8bea85e8fab
rhevm-userportal-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 22481016592221702848b2672764333b4cc776e989fcf2951bd584d835eeef1c
rhevm-userportal-debuginfo-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 73b6074d388c59b69dc0513e28a79b1c14f01886573aca532bee778b128dba29
rhevm-webadmin-portal-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 12817364927184a9ff58b57c6016599f5313bdb5781c7cb124ae0a214df05caa
rhevm-webadmin-portal-debuginfo-3.5.1-0.4.el6ev.noarch.rpm SHA-256: a42540bd1ca6dd40c7f804dbd509b7ebb9a2986e9698e1f18b31a88133eb49bc
rhevm-websocket-proxy-3.5.1-0.4.el6ev.noarch.rpm SHA-256: 8b41b3e9e2e9b27b461e86ac409b33ed5b8cb59f3f4fc605e3b9fad2b7737fa1
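As a verification step for the Solution section, the following POSIX shell script (an added example written for this page, not Red Hat's own tooling) checks downloaded RPMs against the SHA-256 values listed above before they are installed. The checksum table is copied from this advisory; the script assumes `sha256sum` from coreutils is available and that the packages sit in the directory passed as its first argument.

```shell
#!/bin/sh
# Verify downloaded RHSA-2015:0888 packages against the SHA-256 values
# published in the advisory. Added example; assumes coreutils sha256sum.

# Lookup table: "<file name> <sha256>", copied from the advisory package list.
advisory_sums() {
    cat <<'EOF'
rhevm-3.5.1-0.4.el6ev.src.rpm 017538863a80ba43c1e6a1e69ac79466f9a2913a76bebaf61b9e5388f6c6d6ab
rhevm-3.5.1-0.4.el6ev.noarch.rpm 58e22013c6982c003be21879051a1521a4b46dd03cbefe86355af2714ebc391a
rhevm-backend-3.5.1-0.4.el6ev.noarch.rpm 51310518f0ad0cf4bfa29d7a9cd8b58769612e8c4322cb0fad09ec709e7438a3
rhevm-dbscripts-3.5.1-0.4.el6ev.noarch.rpm 7d205953da926e4e3f94d5acbe9b31862b064a2e93d317d0ef1aea1c05ea7097
rhevm-extensions-api-impl-3.5.1-0.4.el6ev.noarch.rpm 91a79df951ad98b9f44005786764471b8d3a166b15f458078d71f4cb778409cf
rhevm-extensions-api-impl-javadoc-3.5.1-0.4.el6ev.noarch.rpm b222c3d938d49e053ca29cfa87cf70bc5c720598486edad474d0b4114d82941d
rhevm-lib-3.5.1-0.4.el6ev.noarch.rpm 53f2da1a4f121b5a3a84be44772c24d149d8ce4f4df076255579509db2ab5681
rhevm-restapi-3.5.1-0.4.el6ev.noarch.rpm e4ed3d54fcc971bb12a1f91e27a483092fe635e9d90e92fc531f01a283957dd8
rhevm-setup-3.5.1-0.4.el6ev.noarch.rpm 18531e5eff3065f17f64be350a3d2afac183194e50474295eda8ded15c340515
rhevm-setup-base-3.5.1-0.4.el6ev.noarch.rpm 7cd4497c9b077dac714a5402d05ffb9f2cdc366e012826400befbf598852a22d
rhevm-setup-plugin-allinone-3.5.1-0.4.el6ev.noarch.rpm 1fe624876d2f88cf740a993d06ecc9e83efb0bb6a74d6e84fb5457559c5c7ec4
rhevm-setup-plugin-ovirt-engine-3.5.1-0.4.el6ev.noarch.rpm 14a4260f41f0a10b2250409396c2f3fd84588aae69c0916a0d69ee6f7c126a39
rhevm-setup-plugin-ovirt-engine-common-3.5.1-0.4.el6ev.noarch.rpm 899b7d4fb4904d6046f27f9df8693ad37a20c1fb436fe44bd970d73af0ad5dd0
rhevm-setup-plugin-websocket-proxy-3.5.1-0.4.el6ev.noarch.rpm 8540d7ef27e77909ec659f8787354f51be86d653e724d8ea9a8e1b702d1d38b8
rhevm-tools-3.5.1-0.4.el6ev.noarch.rpm d01c40fbe1c27d8089a84908f7f6f4cde4f6be293e005e5960c3a8bea85e8fab
rhevm-userportal-3.5.1-0.4.el6ev.noarch.rpm 22481016592221702848b2672764333b4cc776e989fcf2951bd584d835eeef1c
rhevm-userportal-debuginfo-3.5.1-0.4.el6ev.noarch.rpm 73b6074d388c59b69dc0513e28a79b1c14f01886573aca532bee778b128dba29
rhevm-webadmin-portal-3.5.1-0.4.el6ev.noarch.rpm 12817364927184a9ff58b57c6016599f5313bdb5781c7cb124ae0a214df05caa
rhevm-webadmin-portal-debuginfo-3.5.1-0.4.el6ev.noarch.rpm a42540bd1ca6dd40c7f804dbd509b7ebb9a2986e9698e1f18b31a88133eb49bc
rhevm-websocket-proxy-3.5.1-0.4.el6ev.noarch.rpm 8b41b3e9e2e9b27b461e86ac409b33ed5b8cb59f3f4fc605e3b9fad2b7737fa1
EOF
}

# expected_sum NAME: print the advisory SHA-256 for NAME, or nothing if
# the advisory does not list that file.
expected_sum() {
    advisory_sums | awk -v n="$1" '$1 == n { print $2 }'
}

# verify_file PATH: exit status 0 if the file's SHA-256 matches the
# advisory, 1 on mismatch, 2 if the file name is not in the advisory.
verify_file() {
    name=$(basename "$1")
    want=$(expected_sum "$name")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# verify_dir DIR: report every .rpm in DIR; exit status 1 if any package
# is unlisted or fails its checksum, 0 if all match.
verify_dir() {
    bad=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || { echo "no .rpm files found in $1"; return 1; }
        rc=0
        verify_file "$f" || rc=$?
        case $rc in
            0) echo "OK       $(basename "$f")" ;;
            1) echo "MISMATCH $(basename "$f")"; bad=1 ;;
            *) echo "UNKNOWN  $(basename "$f") (not listed in RHSA-2015:0888)"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: sh verify-rhsa-2015-0888.sh /path/to/downloaded/rpms
if [ $# -gt 0 ]; then
    verify_dir "$1"
fi
```

A checksum match shows the download is the package the advisory describes; it complements, rather than replaces, GPG signature verification of the RPMs with `rpm -K` against Red Hat's product signing keys.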

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
