Red Hat Product Errata

RHSA-2020:3194 - Security Advisory

Issued: 2020-07-28
Updated: 2020-07-28
Synopsis

Important: Container-native Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Virtualization release 2.4.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

Security Fix(es):

  • kubevirt: VMIs can be used to access host files (CVE-2020-14316)
  • containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.

This advisory contains the following OpenShift Virtualization 2.4.0 images:

RHEL-7-CNV-2.4
==============
kubevirt-ssp-operator-container-v2.4.0-71

RHEL-8-CNV-2.4
==============
virt-cdi-controller-container-v2.4.0-29
virt-cdi-uploadproxy-container-v2.4.0-29
hostpath-provisioner-container-v2.4.0-25
virt-cdi-operator-container-v2.4.0-29
kubevirt-metrics-collector-container-v2.4.0-18
cnv-containernetworking-plugins-container-v2.4.0-36
kubevirt-kvm-info-nfd-plugin-container-v2.4.0-18
hostpath-provisioner-operator-container-v2.4.0-31
virt-cdi-uploadserver-container-v2.4.0-29
virt-cdi-apiserver-container-v2.4.0-29
virt-controller-container-v2.4.0-58
virt-cdi-cloner-container-v2.4.0-29
kubevirt-template-validator-container-v2.4.0-21
vm-import-operator-container-v2.4.0-21
kubernetes-nmstate-handler-container-v2.4.0-37
node-maintenance-operator-container-v2.4.0-27
virt-operator-container-v2.4.0-58
kubevirt-v2v-conversion-container-v2.4.0-23
cnv-must-gather-container-v2.4.0-73
virtio-win-container-v2.4.0-15
kubevirt-cpu-node-labeller-container-v2.4.0-19
ovs-cni-plugin-container-v2.4.0-37
kubevirt-vmware-container-v2.4.0-21
hyperconverged-cluster-operator-container-v2.4.0-70
virt-handler-container-v2.4.0-58
virt-cdi-importer-container-v2.4.0-29
virt-launcher-container-v2.4.0-58
kubevirt-cpu-model-nfd-plugin-container-v2.4.0-17
virt-api-container-v2.4.0-58
ovs-cni-marker-container-v2.4.0-38
kubemacpool-container-v2.4.0-39
cluster-network-addons-operator-container-v2.4.0-38
bridge-marker-container-v2.4.0-39
vm-import-controller-container-v2.4.0-21
hco-bundle-registry-container-v2.3.0-497

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 2.4 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 2.4 for RHEL 7 x86_64

Fixes

  • BZ - 1684772 - virt-launcher images do not have the edk2-ovmf package installed
  • BZ - 1716329 - missing Status, Version and Label for a number of CNV components, and Status term inconsistency
  • BZ - 1724978 - [RFE][v2v] Improve the way we display progress percent in UI
  • BZ - 1725672 - CDI: getting error with "unknown reason" when trying to create UploadTokenRequest for a none existing pvc
  • BZ - 1727117 - [RFE] Reduce installed libvirt components
  • BZ - 1780473 - Delete VM is hanging if the corresponding template does not exist anymore
  • BZ - 1787213 - KubeMacpool may not work from time to time since it is skipped when we face certificate issue.
  • BZ - 1789564 - Failed to allocate a SRIOV VF to VMI
  • BZ - 1795889 - internal IP shown on VMI spec instead of public one on VMI with guest-agent
  • BZ - 1796342 - VM Failing to start since hard disk not ready
  • BZ - 1802554 - [SSP] cpu-feature-lahf_lm and Conroe are enabled on one worker (test issue)
  • BZ - 1805044 - No mem/filesystem/Network Utilization in VM overview
  • BZ - 1806288 - [CDI] fails to import images that comes from url that reject HEAD requests
  • BZ - 1806436 - [SSP] Windows common templates - Windows10 should be removed from windows-server* templates, windows-server* should not have desktop version
  • BZ - 1811111 - All the VM templates are visible in the developer catalog but not really/easily instantiable
  • BZ - 1811417 - Failed to install cnv-2.4 on top of ocp 4.4 (hco operator in crashLoopBackOff state)
  • BZ - 1816518 - [SSP] Common templates - template name under objects -> metadata -> labels should be identical to the template actual name
  • BZ - 1817080 - node maintenance CRD is marked with NonStructuralSchema condition
  • BZ - 1819252 - kubevirt-ssp-operator cannot create ServiceMonitor object
  • BZ - 1820651 - CDI import fails using block volume (available size -1)
  • BZ - 1821209 - Debug log message looks unprofessional
  • BZ - 1822079 - nmstate-handler fails to start and keeps restarting
  • BZ - 1822315 - status.desiredState: doesn't pick the correct value and is null
  • BZ - 1823342 - Invalid qcow2 image causes HTTP range error and difficult to read stack trace
  • BZ - 1823699 - [CNV-2.4] Failing to deploy NetworkAddons
  • BZ - 1823701 - [CNV-2.4] when a single component is failing, HCO can continue reporting outdated negative conditions also on other components
  • BZ - 1825801 - [CNV-2.4] Failing to deploy due issues in CRD of cluster network operator
  • BZ - 1826044 - [CNV-2.4] Failing to deploy due issues in CRD of cluster host-path-provisioner operator
  • BZ - 1827257 - VMs' connectivity is available even the two VMs are in different vlan
  • BZ - 1828401 - misconfigured prow job e2e-aws-4.5-cnv resulting in step e2e-aws failed: step needs a lease but no lease client provided
  • BZ - 1829376 - VMs with blank block volumes fail to spin up
  • BZ - 1830780 - virt-v2v-wrapper - 0% VM migration progress in UI
  • BZ - 1831536 - kubevirt-{handler,apiserver,controller} service accounts added to the privileged SCC
  • BZ - 1832179 - [virt] VM with runStrategy attribute (instead of 'running' attribute) does not have 'RUNNING' state in cli
  • BZ - 1832283 - [SSP operator] Common templates and template_validator are missing after clean installation
  • BZ - 1832291 - SSP installation is successful even with some components missing
  • BZ - 1832769 - [kubevirt version] is not reported correctly
  • BZ - 1833220 - CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters
  • BZ - 1833376 - Hardcoded VMware-vix-disklib version 6 - import fail with version 7
  • BZ - 1833786 - kubevirt hyperconverged-cluster-operator deploy_marketplace.sh fails in disconnected cluster
  • BZ - 1834253 - VMs are stuck in Starting state
  • BZ - 1835242 - Can't query SSP CRs after upgrade from 2.3 to 2.4
  • BZ - 1835426 - [RFE] Provide a clear error message when VM and VMI name does not match
  • BZ - 1836792 - [CNV deployment] kubevirt components are missing
  • BZ - 1837182 - VMI virt-launcher reaches Error state after running for 10-24 hours
  • BZ - 1837670 - Specifying "Ubuntu 18.04 LTS" force the Conroe CPU model
  • BZ - 1838066 - [CNV deployment] kubevirt failing to create cpu-plugin-configmap obsoleteCPUs
  • BZ - 1838424 - [Installation] CNV 2.4.0 virt-handler and kubevirt-node-labeller pods are not showing up
  • BZ - 1839982 - [CNV][DOC] Lack of explanation for StorageClass default accessMode in openshift-cnv kubevirt-storage-class-defaults
  • BZ - 1840047 - [CNV-2.4] virt-handler failing on /usr/bin/container-disk: no such file or directory
  • BZ - 1840220 - [CNV-2.4] node-maintenance-operator failing to create deployment - invalid format of manifest
  • BZ - 1840652 - Upgrade indication is missing
  • BZ - 1841065 - [v2v] RHV to CNV: VM import fail on network mapping validation
  • BZ - 1841325 - [CNV][V2V] VM migration fails if VMWare host isn't under Cluster but directly under Datacenter
  • BZ - 1841505 - [CNV-2.4] virt-template-validator container fails to start
  • BZ - 1842869 - vmi cannot be scheduled, because node labeller doesn't report correct labels
  • BZ - 1842958 - [SSP] Fail to create Windows VMs from templates - windows-cd-bus validation added but cdrom is missing from the template
  • BZ - 1843219 - node-labeller SCC is privileged, which appears too relaxed
  • BZ - 1843456 - virt-launcher goes from running to error state due to panic: timed out waiting for domain to be defined
  • BZ - 1843467 - [CNV network KMP] kubemacpool causes worker node to be Ready,SchedulingDisabled
  • BZ - 1843519 - HCO CR is not listed when running "kubectl get all" from command line
  • BZ - 1843948 - [Network operator] Upgrade from 2.3 to 2.4 - Network operator fails to upgrade ovs-cni pods, upgrade is not completed
  • BZ - 1844057 - [CNV-2.4] cluster-network-addons-operator failing to start
  • BZ - 1844105 - [SSP operator] Upgrade from 2.3.0 to 2.4.0- SSP operator fails to upgrade node labeller and template validator
  • BZ - 1844907 - kubemacpool deployment status errors regarding replicas
  • BZ - 1845060 - Node-labeller is in pending state when node doesn't have kvm device
  • BZ - 1845061 - Version displayed in Container Native Virtualization OperatorHub side panel
  • BZ - 1845477 - [SSP] Template validator fails to "Extract the CA bundle"; template validator is not called when a VM is created
  • BZ - 1845557 - [CNV-2.4] template validator webhook fails with certification issues
  • BZ - 1845604 - [v2v] RHV to CNV VM import: Prevent a second vm-import from starting.
  • BZ - 1845899 - [CNV-2.5] cluster-network-addons-operator failing to start
  • BZ - 1845901 - Filesystem corruption related to smart clone
  • BZ - 1847070 - vmi cannot be scheduled , qemu-kvm core dump
  • BZ - 1847594 - pods in openshift-cnv namespace no longer have openshift.io/scc under metadata.annotations
  • BZ - 1848004 - [CNV-2.5] Deployment fails on NetworkAddonsConfigNotAvailable
  • BZ - 1848007 - [CNV-2.4] Deployment fails on NetworkAddonsConfigNotAvailable
  • BZ - 1848951 - CVE-2020-14316 kubevirt: VMIs can be used to access host files
  • BZ - 1849527 - [v2v] [api] VM import RHV to CNV importer should stop send requests to RHV if they are rejected because of wrong user/pass
  • BZ - 1849915 - [v2v] VM import RHV to CNV: The timezone data is not available in the vm-import-controller image.
  • BZ - 1850425 - [v2v][VM import RHV to CNV] Add validation for network target type in network mapping
  • BZ - 1850467 - [v2v] [api] VM import RHV to CNV invalid target network type should not crash the controller
  • BZ - 1850482 - [v2v][VM import from RHV to CNV] 2 nics are mapped to a new network though second was mapped to pod.
  • BZ - 1850937 - kubemacpool fails in a specific order of components startup
  • BZ - 1851856 - Deployment not progressing due to PriorityClass missing
  • BZ - 1851886 - [CNV][V2V] VMWare pod is failing when running wizard to migrate from RHV
  • BZ - 1852446 - [v2v][RHV to CNV VM import] Windows10 VM import fail on: timezone is not UTC-compatible
  • BZ - 1853028 - CNV must-gather failure on CNV-QE BM-RHCOS environment
  • BZ - 1853133 - [CNV-2.4] Deployment fails on KubeVirtMetricsAggregationNotAvailable
  • BZ - 1853373 - virtctl image-upload fails to upload an image if the dv name includes a "."
  • BZ - 1854419 - [Re-brand] Align CSV
  • BZ - 1854744 - To stabilize some tests I need to backport PRs which change production code
  • BZ - 1855256 - [v2v][RHV to CNV VM import] Empty directories created for vm-import-operator/controller logs in cnv-must-gather
  • BZ - 1856438 - [CNAO] Upgrade is not completed (wrong operatorVersion), CR is not updated.
  • BZ - 1856447 - CNV upgrade - HCO fails to identify wrong observedVersion in CR, HCO is reported as READY
  • BZ - 1856979 - Domain notify errors break VMI migrations and graceful shutdown

CVEs

  • CVE-2018-7263
  • CVE-2018-9251
  • CVE-2018-14404
  • CVE-2018-18074
  • CVE-2018-19519
  • CVE-2018-20060
  • CVE-2018-20337
  • CVE-2018-20852
  • CVE-2019-1547
  • CVE-2019-1549
  • CVE-2019-1563
  • CVE-2019-3016
  • CVE-2019-3825
  • CVE-2019-5094
  • CVE-2019-5436
  • CVE-2019-5481
  • CVE-2019-5482
  • CVE-2019-8457
  • CVE-2019-11236
  • CVE-2019-11324
  • CVE-2019-12447
  • CVE-2019-12448
  • CVE-2019-12449
  • CVE-2019-13232
  • CVE-2019-13752
  • CVE-2019-13753
  • CVE-2019-14563
  • CVE-2019-14822
  • CVE-2019-15847
  • CVE-2019-16056
  • CVE-2019-17451
  • CVE-2019-19126
  • CVE-2019-19232
  • CVE-2019-19807
  • CVE-2019-19923
  • CVE-2019-19924
  • CVE-2019-19925
  • CVE-2019-19959
  • CVE-2019-1010180
  • CVE-2019-1010204
  • CVE-2020-8616
  • CVE-2020-8617
  • CVE-2020-10749
  • CVE-2020-10754
  • CVE-2020-10757
  • CVE-2020-10766
  • CVE-2020-10767
  • CVE-2020-10768
  • CVE-2020-11008
  • CVE-2020-11080
  • CVE-2020-12049
  • CVE-2020-12653
  • CVE-2020-12654
  • CVE-2020-12662
  • CVE-2020-12663
  • CVE-2020-12888
  • CVE-2020-13777
  • CVE-2020-14316

References

  • https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
