- Issued:
- 2016-09-28
- Updated:
- 2016-09-28
RHSA-2016:1967 - Security Advisory
Synopsis
Moderate: org.ovirt.engine-root security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for org.ovirt.engine-root is now available for RHEV Engine version 4.0.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Red Hat Virtualization Manager is a centralized management platform
that allows system administrators to view and manage virtual machines. The
Manager provides a comprehensive range of features including search
capabilities, resource management, live migrations, and virtual
infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).
Security Fix(es):
- It was found that the ovirt-engine-provisiondb utility did not correctly sanitize the authentication details used with the "--provision*db" options from the output before storing them in log files. This could allow an attacker with read access to these log files to obtain sensitive information such as passwords. (CVE-2016-5432)
This issue was discovered by Yedidyah Bar David (Red Hat).
Bug Fix(es):
- Previously, when checking permissions for a CPU profile, group permissions were not considered. Users that were part of a group could not assign a CPU profile and so could not start a virtual machine. This was fixed by using PermissionDao and correct SQL functions when checking permissions, so group permissions are now considered. (BZ#1371888)
- Setting only one of the thresholds for power saving/evenly distributed memory based balancing (high or low) can lead to unexpected results. For example, when in power saving load balancing the threshold for memory over utilized hosts was set with a value, and the threshold for memory under utilized hosts was undefined thus getting a default value of 0. All hosts were considered as under utilized hosts and were chosen as sources for migration, but no host was chosen as a destination for migration.
This has now been changed so that when the threshold for memory under utilized host is undefined, it gets a default value of Long.MAX. Now, when the threshold for memory over utilized hosts is set with a value, and the threshold for memory under utilized host is undefined, only over utilized hosts will be selected as sources for migration, and destination hosts will be hosts that are not over utilized. (BZ#1354281)
- This update ensures that Quality of Service (QoS) Storage values that are sent to the VDSM service, are used by the VDSM and Memory Overcommit Manager (MoM). The result is that QoS is live-applied on virtual machines, and all MoM-related virtual machine changes are only applied when the memory ballooning device is enabled on the virtual machine. (BZ#1328731)
Enhancement(s):
- Previously, it was possible to install incorrect versions of virtio drivers, especially when running an older Windows operating system. This sometimes caused the guest to terminate unexpectedly with a stop error, also known as the "Blue Screen of Death", if the particular driver and Windows versions were incompatible. This update adds target OS version information to driver files, which enables Windows to automatically select the best driver when pointed to the root of the virtio-win CD image. Installing an incompatible driver version manually is also no longer possible, as Windows now presents the user with an error message if installation is attempted. (BZ#1328181)
- With this release, Red Hat Virtualization now supports CephFS as a POSIX storage domain. (BZ#1095615)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization 4.0 x86_64
- Red Hat Virtualization for IBM Power LE 4 for RHEL 7 x86_64
Fixes
- BZ - 1095615 - [RFE] Allow the use of CephFS as a storage domain within RHEV
- BZ - 1328181 - [RFE][TestOnly] Virt: add TargetOSVersion to driver inf files [blocked on platform bug 1325078 - currently for 7.3 - waiting for QE testing on it]
- BZ - 1328731 - Storage QoS is not applying on a Live VM/disk
- BZ - 1339660 - Hosted Engine's disk is in Unassigned Status in the RHEV UI
- BZ - 1354281 - All hosts filtered out when memory underutilized parameter left out
- BZ - 1368202 - HA VMs are not restarted on different host if NonResponsive host is off and start action failed
- BZ - 1371428 - CVE-2016-5432 ovirt-engine: ovirt-engine-provisiondb logs contain DB username and password in plain text
- BZ - 1371888 - [z-stream clone - 4.0.4] User can't assign CPU profile after upgrade from 3.6 to 4.0
CVEs
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Virtualization 4.0
| SRPM | |
|---|---|
| ovirt-engine-4.0.4.4-0.1.el7ev.src.rpm | SHA-256: 1ef7995b1e19af59b8821675b991262eae2c002de0fbaf451653dfaaf7554c28 |
| x86_64 | |
| ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 9d6a754eb3abdcdc8fb565f4f2d1176656a74c019ba2af169d0cb6c66862d43a |
| ovirt-engine-backend-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 75c8fe9989be2b3e268068e930bf6e0fb416af3fdb40ab1844941eba95c4ad1e |
| ovirt-engine-dbscripts-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fea45defe3a08b8af895bc98accdd03b6edc8fbde3830c268ea95e96e7af5924 |
| ovirt-engine-extensions-api-impl-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 223182cd023672d44c1ac35fa7c89e98900f5f7f413a889b95ccdcf4bbcdd3af |
| ovirt-engine-extensions-api-impl-javadoc-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 5cf56c1caf4f0d4774358021d1bc0a14c2c80da024bcebde26dd380e2454f852 |
| ovirt-engine-lib-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 871100684039da17d42c2e93691d8c7e55dd820513ede8a53cdd86befda89e6f |
| ovirt-engine-restapi-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fd23889ed92b6a3650c9fb996ed638cae2044ee417c477196f607ff4d308b976 |
| ovirt-engine-setup-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 67e25590efd8c8d16483c1fdc0314a9a3079c9bd416f6b3307607d6f87b53ea2 |
| ovirt-engine-setup-base-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 2f5aaf8ad9370d0186d52efac909098989bceba8ae13754bcbdacb331bb5f54d |
| ovirt-engine-setup-plugin-ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: f72d9925bb2aae3bcb31e0cd7c3753c41582ee3e7679cefd5a41059450a9777c |
| ovirt-engine-setup-plugin-ovirt-engine-common-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 46c6604c3d308f82300f44fd1c631f5f61b8927357b445c8439cb406126ad9b2 |
| ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c06bb4fb0bef471c6fc6e81940220c38e4928523b1cd802bfe6767e570ab8302 |
| ovirt-engine-setup-plugin-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 92d8e2c483e19f271f9be5ce69584297a63392245eb0bc9813d8ced96a90a591 |
| ovirt-engine-tools-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 806e9224a461501fd738cc6ec4b9a2a796df314dd9b2ba9a6c6208f966c87fa6 |
| ovirt-engine-tools-backup-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 662a27efa9e9759aad74aaf428d2067aa950883664ab6b4cc2ab19331226ed73 |
| ovirt-engine-userportal-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c2b2999431796b989c40d3a5baa382056ac9070f6544a30ed7c2816632238fa3 |
| ovirt-engine-userportal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: b32dfa32ec5d6afa1d4e2e484b98837c631398dc534877b259b4b927da6f768f |
| ovirt-engine-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 91d6d084def78ebed8be26a0c1151248d26408b2cc11277e9ad067011add5938 |
| ovirt-engine-webadmin-portal-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 50c1bf7d6257cfce671243aa291c5e50dbb3cf1d4c0bd76b5d7ca905ac723fd4 |
| ovirt-engine-webadmin-portal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 2d2da51db9d30278ab0d06a294abe63cff49c9b23bcd84ea3a5c6238f3681033 |
| ovirt-engine-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c9266c6ea724e109460e3e1c4cb7342cf4fd4d566b019599118b0c88cdcdd3c2 |
| rhevm-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fa81fa84b77930e5185c1ac321d50b2464e0eb864e5f0e764ac842a0b4b47b55 |
Red Hat Virtualization for IBM Power LE 4 for RHEL 7
| SRPM | |
|---|---|
| ovirt-engine-4.0.4.4-0.1.el7ev.src.rpm | SHA-256: 1ef7995b1e19af59b8821675b991262eae2c002de0fbaf451653dfaaf7554c28 |
| x86_64 | |
| ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 9d6a754eb3abdcdc8fb565f4f2d1176656a74c019ba2af169d0cb6c66862d43a |
| ovirt-engine-backend-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 75c8fe9989be2b3e268068e930bf6e0fb416af3fdb40ab1844941eba95c4ad1e |
| ovirt-engine-dbscripts-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fea45defe3a08b8af895bc98accdd03b6edc8fbde3830c268ea95e96e7af5924 |
| ovirt-engine-extensions-api-impl-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 223182cd023672d44c1ac35fa7c89e98900f5f7f413a889b95ccdcf4bbcdd3af |
| ovirt-engine-extensions-api-impl-javadoc-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 5cf56c1caf4f0d4774358021d1bc0a14c2c80da024bcebde26dd380e2454f852 |
| ovirt-engine-lib-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 871100684039da17d42c2e93691d8c7e55dd820513ede8a53cdd86befda89e6f |
| ovirt-engine-restapi-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fd23889ed92b6a3650c9fb996ed638cae2044ee417c477196f607ff4d308b976 |
| ovirt-engine-setup-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 67e25590efd8c8d16483c1fdc0314a9a3079c9bd416f6b3307607d6f87b53ea2 |
| ovirt-engine-setup-base-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 2f5aaf8ad9370d0186d52efac909098989bceba8ae13754bcbdacb331bb5f54d |
| ovirt-engine-setup-plugin-ovirt-engine-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: f72d9925bb2aae3bcb31e0cd7c3753c41582ee3e7679cefd5a41059450a9777c |
| ovirt-engine-setup-plugin-ovirt-engine-common-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 46c6604c3d308f82300f44fd1c631f5f61b8927357b445c8439cb406126ad9b2 |
| ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c06bb4fb0bef471c6fc6e81940220c38e4928523b1cd802bfe6767e570ab8302 |
| ovirt-engine-setup-plugin-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 92d8e2c483e19f271f9be5ce69584297a63392245eb0bc9813d8ced96a90a591 |
| ovirt-engine-tools-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 806e9224a461501fd738cc6ec4b9a2a796df314dd9b2ba9a6c6208f966c87fa6 |
| ovirt-engine-tools-backup-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 662a27efa9e9759aad74aaf428d2067aa950883664ab6b4cc2ab19331226ed73 |
| ovirt-engine-userportal-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c2b2999431796b989c40d3a5baa382056ac9070f6544a30ed7c2816632238fa3 |
| ovirt-engine-userportal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: b32dfa32ec5d6afa1d4e2e484b98837c631398dc534877b259b4b927da6f768f |
| ovirt-engine-vmconsole-proxy-helper-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 91d6d084def78ebed8be26a0c1151248d26408b2cc11277e9ad067011add5938 |
| ovirt-engine-webadmin-portal-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 50c1bf7d6257cfce671243aa291c5e50dbb3cf1d4c0bd76b5d7ca905ac723fd4 |
| ovirt-engine-webadmin-portal-debuginfo-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: 2d2da51db9d30278ab0d06a294abe63cff49c9b23bcd84ea3a5c6238f3681033 |
| ovirt-engine-websocket-proxy-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: c9266c6ea724e109460e3e1c4cb7342cf4fd4d566b019599118b0c88cdcdd3c2 |
| rhevm-4.0.4.4-0.1.el7ev.noarch.rpm | SHA-256: fa81fa84b77930e5185c1ac321d50b2464e0eb864e5f0e764ac842a0b4b47b55 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
