- Issued:
- 2018-06-27
- Updated:
- 2018-06-27
RHSA-2018:2071 - Security Advisory
Synopsis
Moderate: Red Hat Virtualization Manager security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for org.ovirt.engine-root is now available for Red Hat Virtualization Manager 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Red Hat Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
The following packages have been upgraded to a later version:
- org.ovirt.engine-root (4.2.4.5). (BZ#1576752)
Security Fix(es):
- ovirt-engine: Unfiltered password when choosing manual db provisioning (CVE-2018-1075)
- ovirt-engine-setup: unfiltered db password in engine-backup log (CVE-2018-1072)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
These issues were discovered by Yedidyah Bar David (Red Hat).
Bug Fix(es):
- This update enables engine-setup to upgrade PostgreSQL 9.2 to 9.5, even when the locale of the 9.2 database is different from the system locale. (BZ#1579268)
- This update fixes an inefficient query that is generated when users click on the 'Users' tab in the Administration Portal. The fix ensures that the tab loads quicker. (BZ#1583619)
Enhancement(s):
- The storage domain's General sub-tab in the Administration Portal now shows the number of images on the storage domain under the rubric "Images", this corresponds to the number of LVs on a block domain. (BZ#1587885)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
Affected Products
- Red Hat Virtualization Manager 4.2 x86_64
Fixes
- BZ - 1098612 - [donstream clone 4.2.4] [RFE] filter for "Allocation Policy" in Disks search
- BZ - 1251468 - [RFE] Additional warning when removing required networks
- BZ - 1542508 - CVE-2018-1075 ovirt-engine: Unfiltered password when choosing manual db provisioning
- BZ - 1575081 - VMs will fail to start in a cluster which is having display network having name greater than 15 characters
- BZ - 1576352 - rhvm-4.2 reports "no updates found" although there is available updates
- BZ - 1576752 - Number of "Prestarted VMs" is ignored and all VMs of Pool starts after editing existing Pool.
- BZ - 1579268 - Upgrade of PostgreSQL during RHV 4.1 to 4.2 upgrade fails with locale mismatch
- BZ - 1582822 - [UI] - Interface name is gone in the Network Interfaces sub tab
- BZ - 1583579 - [downstream clone - 4.2.4] Very slow UI if Host has many (~64) elements (VFs or dummies or networks)
- BZ - 1583619 - [downstream clone - 4.2.4] [SCALE] Listing users in Users tab overloads the postgresql DB (CPU)
- BZ - 1584885 - VM remains migrating forever with no Host (actually doesn't exist) after StopVmCommand fails to DestroyVDS
- BZ - 1585013 - [downstream clone - 4.2.4] ovirt-engine loses track of a cancelled disk
- BZ - 1585039 - [downstream clone - 4.2.4] Live Storage Migration continued on after snapshot creation hung and timed out
- BZ - 1585157 - [downstream clone - 4.2.4] [UI] - VM's network interface name and icon too large and wrap
- BZ - 1585454 - [downstream clone - 4.2.4] Uploaded image: Virtual Size of qcow2 image is not reflected at guest OS level
- BZ - 1585455 - [downstream clone - 4.2.4] Move disk failed but delete was called on source sd, losing all the data
- BZ - 1585456 - [downstream clone - 4.2.4] ovirt-engine fails to start when having a large number of stateless snapshots
- BZ - 1585950 - [downstream clone - 4.2.4] Live Merge failed on engine with "still in volume chain", but merge on host was successful
- BZ - 1587884 - [downstream clone - 4.2.4] [RFE] Include storage domain UUID in Storage Domain 'General' tab
- BZ - 1587885 - [downstream clone - 4.2.4] [RFE] Need a way to track how many logical volumes consumed in a storage domain and alert when it gets full
CVEs
References
Red Hat Virtualization Manager 4.2
| SRPM | |
|---|---|
| ovirt-engine-4.2.4.5-0.1.el7_3.src.rpm | SHA-256: df248b004570d2ea92d7502d6648f1a2affb7f867cb54b0ad4f139ba615eea1a |
| x86_64 | |
| ovirt-engine-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 904c272a2185c58d1ed6c8cfcc11826934d7cf8ce8ca6c9ea8d608ab13db2e8e |
| ovirt-engine-backend-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: de9a447dc08bd142c79210e73616e60365eb7649ed18460e557399ff9951bb46 |
| ovirt-engine-dbscripts-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: c7a2e4e0ddedc4a815c6f870ffb118ba582910d412e136aad74dc82383a80abd |
| ovirt-engine-extensions-api-impl-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 6b07ea06b35c6984da9893032e7182bebefeb14344f9f6d938ec2308eab347d8 |
| ovirt-engine-extensions-api-impl-javadoc-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 18eaff7825a44d347027929be957aa29345b126786dfbd6faebfa5d54541e449 |
| ovirt-engine-health-check-bundler-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: e81df6e046fbc16319434e8ed78ad052a832cf3a12ffb2d6ddb7f097c0495b62 |
| ovirt-engine-lib-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: eac013b7b43ef2824d58380838952f8b55cd9de4332a9f0eaaafe969c752d1c4 |
| ovirt-engine-restapi-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 589c27090fc95540c7ecaabdc488b97b4ea17291d06f6ca9ce45055d69a8597c |
| ovirt-engine-setup-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: e004b537907542c3ea223baa87ab13d04758982a872d5dfd427efe95817e8694 |
| ovirt-engine-setup-base-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 68170682a22d790db74e2b629266d4741c09d5256c7dadb6b675b19b9801a1a0 |
| ovirt-engine-setup-plugin-ovirt-engine-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: dcc14e0253a12554deebdf08482e9450bf6ece29e3d75f21870a77f67221f6c9 |
| ovirt-engine-setup-plugin-ovirt-engine-common-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: e0ff74da04445ac45ade4019736d5cf1cbcac72727cf2e98ee02e384167f7979 |
| ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 9c6d3ccb3fcef38cdc2727c9187473c3cf945a3068180a2c105829d0f0b67e4b |
| ovirt-engine-setup-plugin-websocket-proxy-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 8bad62f6e1ad0d228d3336cf440edacf4c62232840c2f3153acf044d3b322e6f |
| ovirt-engine-tools-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 10aa5ec563f28dc376e8185d4e5569e0d49424cb51240c0e77281ac4f508617c |
| ovirt-engine-tools-backup-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: a6daab102a814479bf325108fa6686e9c40dd4b36100bef4179f4ee253126122 |
| ovirt-engine-vmconsole-proxy-helper-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 3d8e1281e305e6d46b5793372e16adffaab7122d561ef94229f53995029487e0 |
| ovirt-engine-webadmin-portal-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 62495572c77fd62f78a9bdf72845293e23cca862f0dcb6a6e28f6b6130a44d42 |
| ovirt-engine-websocket-proxy-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 387af85840d6083cd343fcc2901194905ea88e2afa3b40cd1ae8dcc287e12992 |
| rhvm-4.2.4.5-0.1.el7_3.noarch.rpm | SHA-256: 1b5384d85045f2cf338b634b3e44c2a48ed46c6d8402d6f5b3c6cfbb2d9d9c00 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.