RHSA-2020:3807 - Security Advisory

Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)

A list of bugs fixed in this update is available in the Technical Notes
book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

• nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
• jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
• jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
• ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)
• VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217)
• RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)
• On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)
• Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)
• Scheduling Memory calculation disregards huge-pages (BZ#1804037)
• Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)
• In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339)
• Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)
• Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)
• [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)
• [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)
• Cannot create KubeVirt VM as a normal user (BZ#1859460)
• Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466)
• [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)
• VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235)
• spec_ctrl host feature not detected (BZ#1875609)

Enhancement(s):

• [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)
• [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)
• [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)
• [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization Manager 4.4 x86_64

Fixes

• BZ - 1625499 - Cannot assign direct LUN from FC storage - grayed out
• BZ - 1638217 - VM portal always asks how to open console.vv even it has been set to default application.
• BZ - 1643520 - RESTAPI Not able to remove the QoS from a disk profile
• BZ - 1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge)
• BZ - 1748879 - On OVA import, qemu-img fails to write to NFS storage domain
• BZ - 1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks
• BZ - 1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied
• BZ - 1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots
• BZ - 1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users.
• BZ - 1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label.
• BZ - 1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI
• BZ - 1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment.
• BZ - 1804037 - Scheduling Memory calculation disregards huge-pages
• BZ - 1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs.
• BZ - 1806339 - In Admin Portal, "Huge Pages (size: amount)" needs to be clarified
• BZ - 1816951 - [CNV&RHV] CNV VM migration failure is not handled correctly by the engine
• BZ - 1819260 - [RFE] enhance search filter for Storage Domains with free argument
• BZ - 1826255 - [CNV&RHV]Change name of type of provider - CNV -> OpenShift Virtualization
• BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
• BZ - 1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC
• BZ - 1831952 - RESTAPI contains malformed link around JSON representation fo the cluster
• BZ - 1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent
• BZ - 1831956 - RESTAPI javadoc contains malformed link around time zone representation
• BZ - 1838051 - Refresh LUN is using host from different Data Center to scan the LUN
• BZ - 1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory
• BZ - 1843234 - Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal
• BZ - 1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
• BZ - 1854488 - [RHV-CNV] - NPE when creating new VM in cnv cluster
• BZ - 1855377 - [CNV&RHV] Add-Disk operation failed to complete.
• BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
• BZ - 1858184 - CVE-2020-14333 ovirt-engine: Reflected cross site scripting vulnerability
• BZ - 1859460 - Cannot create KubeVirt VM as a normal user
• BZ - 1860907 - Upgrade bundled GWT to 2.9.0
• BZ - 1866466 - Welcome page - remove Metrics Store links and update "Insights Guide" link
• BZ - 1866734 - [DWH] Rebase bug - for the 4.4.2 release
• BZ - 1869209 - [RHV 4.4] Change in CPU model name after RHVH upgrade
• BZ - 1869302 - ansible 2.9.12 - host deploy fixes
• BZ - 1871235 - VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled.
• BZ - 1875609 - spec_ctrl host feature not detected
• BZ - 1875851 - Web Admin interface broken on Firefox ESR 68.11

CVEs

• CVE-2020-8203
• CVE-2020-11022
• CVE-2020-11023
• CVE-2020-14333

References

• https://access.redhat.com/security/updates/classification/#moderate