Red Hat Product Errata RHSA-2020:3807 - Security Advisory

Issued: 2020-09-23
Updated: 2020-09-23


Synopsis

Moderate: Red Hat Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate


Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
  • jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
  • jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
  • ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)
  • VM portal always asks how to open console.vv even if it has been set to the default application. (BZ#1638217)
  • RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)
  • On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)
  • Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)
  • Scheduling Memory calculation disregards huge-pages (BZ#1804037)
  • Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)
  • In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339)
  • Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)
  • Unable to create Windows VMs with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)
  • [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)
  • [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)
  • Cannot create KubeVirt VM as a normal user (BZ#1859460)
  • Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466)
  • [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)
  • VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235)
  • spec_ctrl host feature not detected (BZ#1875609)

Enhancement(s):

  • [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)
  • [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)
  • [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)
  • [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1625499 - Cannot assign direct LUN from FC storage - grayed out
  • BZ - 1638217 - VM portal always asks how to open console.vv even if it has been set to the default application.
  • BZ - 1643520 - RESTAPI Not able to remove the QoS from a disk profile
  • BZ - 1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge)
  • BZ - 1748879 - On OVA import, qemu-img fails to write to NFS storage domain
  • BZ - 1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks
  • BZ - 1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied
  • BZ - 1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots
  • BZ - 1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users.
  • BZ - 1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label.
  • BZ - 1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI
  • BZ - 1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment.
  • BZ - 1804037 - Scheduling Memory calculation disregards huge-pages
  • BZ - 1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs.
  • BZ - 1806339 - In Admin Portal, "Huge Pages (size: amount)" needs to be clarified
  • BZ - 1816951 - [CNV&RHV] CNV VM migration failure is not handled correctly by the engine
  • BZ - 1819260 - [RFE] enhance search filter for Storage Domains with free argument
  • BZ - 1826255 - [CNV&RHV]Change name of type of provider - CNV -> OpenShift Virtualization
  • BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method
  • BZ - 1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC
  • BZ - 1831952 - RESTAPI contains malformed link around JSON representation of the cluster
  • BZ - 1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent
  • BZ - 1831956 - RESTAPI javadoc contains malformed link around time zone representation
  • BZ - 1838051 - Refresh LUN is using host from different Data Center to scan the LUN
  • BZ - 1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory
  • BZ - 1843234 - Unable to create Windows VMs with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal
  • BZ - 1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
  • BZ - 1854488 - [RHV-CNV] - NPE when creating new VM in cnv cluster
  • BZ - 1855377 - [CNV&RHV] Add-Disk operation failed to complete.
  • BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
  • BZ - 1858184 - CVE-2020-14333 ovirt-engine: Reflected cross site scripting vulnerability
  • BZ - 1859460 - Cannot create KubeVirt VM as a normal user
  • BZ - 1860907 - Upgrade bundled GWT to 2.9.0
  • BZ - 1866466 - Welcome page - remove Metrics Store links and update "Insights Guide" link
  • BZ - 1866734 - [DWH] Rebase bug - for the 4.4.2 release
  • BZ - 1869209 - [RHV 4.4] Change in CPU model name after RHVH upgrade
  • BZ - 1869302 - ansible 2.9.12 - host deploy fixes
  • BZ - 1871235 - VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled.
  • BZ - 1875609 - spec_ctrl host feature not detected
  • BZ - 1875851 - Web Admin interface broken on Firefox ESR 68.11

CVEs

  • CVE-2020-8203
  • CVE-2020-11022
  • CVE-2020-11023
  • CVE-2020-14333

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
