- Issued:
- 2020-11-24
- Updated:
- 2020-11-24
RHSA-2020:5179 - Security Advisory
Synopsis
Low: Red Hat Virtualization security, bug fix, and enhancement update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The org.ovirt.engine-root is a core component of oVirt.
The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)
Security Fix(es):
- nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
- nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
- nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)
- Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)
- If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)
- Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)
- [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)
- enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)
- NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)
- Adding quota to group doesn't propagate to users (BZ#1822372)
- Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)
- Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)
- RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)
- Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)
- rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
- RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)
- Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)
- HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
- [CNV&RHV]Notification about VM creation contain <UNKNOWN> string (BZ#1873136)
- VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)
- Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)
- unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)
- [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)
- Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
- [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
- Require ansible-2.9.14 in ovirt-engine (BZ#1888626)
Enhancement(s):
- [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
- [RFE] - enable renaming HostedEngine VM name (BZ#1657294)
- [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
- [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)
- [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)
- [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)
- [RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization Manager 4.4 x86_64
Fixes
- BZ - 1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
- BZ - 1657294 - [RFE] - enable renaming HostedEngine VM name
- BZ - 1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
- BZ - 1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
- BZ - 1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
- BZ - 1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
- BZ - 1797717 - Search backend cannot find VMs which name starts with a search keyword
- BZ - 1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
- BZ - 1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
- BZ - 1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
- BZ - 1822372 - Adding quota to group doesn't propagate to users
- BZ - 1825020 - [RFE] RHV-M Deployment/Install Needs it's own UUID
- BZ - 1828241 - Deleting snapshot do not display a lock for it's disks under "Disk Snapshots" tab.
- BZ - 1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
- BZ - 1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
- BZ - 1845432 - [CNV&RHV] Communicatoin with CNV cluster spamming engine.log when token is expired
- BZ - 1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
- BZ - 1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
- BZ - 1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
- BZ - 1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
- BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
- BZ - 1859314 - rhv-log-collector-analyzer --json fails with TypeError
- BZ - 1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
- BZ - 1866981 - obj must be encoded before hashing
- BZ - 1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
- BZ - 1871694 - HostedEngine VM is broken after Cluster changed to UEFI
- BZ - 1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
- BZ - 1873136 - [CNV&RHV]Notification about VM creation contain <UNKNOWN> string
- BZ - 1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating
- BZ - 1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
- BZ - 1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade
- BZ - 1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import
- BZ - 1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
- BZ - 1879377 - [DWH] Rebase bug - for the 4.4.3 release
- BZ - 1881634 - unable to create/add index pattern in step 5 from kcs articles#4921101
- BZ - 1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
- BZ - 1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
- BZ - 1883844 - [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
- BZ - 1884146 - Deprecate and remove ovirt-engine-api-explorer
- BZ - 1884634 - [CNV&RHV] Disable creating new disks for Kubevirt VM
- BZ - 1885976 - rhv-log-collector-analyzer - argument must be str, not bytes
- BZ - 1887268 - Cannot perform yum update on my RHV manager (ansible conflict)
- BZ - 1888626 - Require ansible-2.9.14 in ovirt-engine
- BZ - 1889522 - metrics playbooks are broken due to typo
Red Hat Virtualization Manager 4.4
SRPM | |
---|---|
engine-db-query-1.6.2-1.el8ev.src.rpm | SHA-256: 1e5cc61c0c508c90ff622e805602a4a99f51911c762289972c4036988942f5b0 |
ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm | SHA-256: 9855d797207f55f4a4f87a7d1454447b54f698fee36602d0717a9b092f085593 |
ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm | SHA-256: d938c36491939fdb781199f811e1d58411baf4c5d4ff680ecca9dd8b4d14e908 |
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm | SHA-256: 358604996e8fc202027bb59b48ca43da3e13adff59b835ffa86ff0364322cc81 |
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm | SHA-256: cb9a1ac71f2ab121a4747134e4304543df3fbb402843629c136bad160f136ab3 |
ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm | SHA-256: f661395babd718707dc5620efd54f8269aa0b07b7a937c5c7ae5939c4fa09996 |
ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm | SHA-256: d2b59172a43a30e0980ea2cadbf19e428e7610fd60c3dcbc6b5b5751b5eaf672 |
ovirt-log-collector-4.4.4-1.el8ev.src.rpm | SHA-256: 0b03df06e76b304ee7394bd1cc2cd1bd2486c15c8f28678705ad1a1bbb85c876 |
ovirt-web-ui-1.6.5-1.el8ev.src.rpm | SHA-256: aed3990f361bd5117bc9cb6008fd0d033d30f91ca1efe82bc3ea9808c526d9b5 |
rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm | SHA-256: 3c2520b42606a6a01421469f9e49f22c7cc9169fb3f1e681970002ecbd3ad734 |
rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm | SHA-256: 719812f735a37976cf69f62ff3a9d64e0a4065f95838e1ac18fa562b8542945c |
x86_64 | |
engine-db-query-1.6.2-1.el8ev.noarch.rpm | SHA-256: 45b7fe46025be3ee8ff1d7e65c2bd267a5dfa105562712bb466bf9ce10662d18 |
ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: b04fe105153fa0bd40247d023b041871afd62c0f945850486b7bd1dc930ac322 |
ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 95e27be75d916f85eedb372d4f05f39edae0b40648be67cd08a0ae3741f98617 |
ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 1aa128c69e31f8cebe74e40dfbe0bfd3b9325fce1a66848645406f735517c5d9 |
ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm | SHA-256: 0f07a29b9f86e3d06d296001c370c7904ff600edb68ed9d3a8761838c59fb5b3 |
ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm | SHA-256: 6e29e490ee340653b848df4abff913bd0103749f7fab3b4a1a595e3f8c4c9779 |
ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm | SHA-256: af49f7b66b2d72e2dead3a19fee33ea1c56ab54a2ece5ac26ecce86f92e5c242 |
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm | SHA-256: faf63f47e4017c6e01707d90512e237e6063dbf1aca33dba5b2e6e7183099467 |
ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm | SHA-256: 9611f1bd2ec5fd3df5e6a554e29255b6a1b4b0fb365778ab35c868064334b5b2 |
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm | SHA-256: ee380d0e77e4eeefbccf31b2a90818fa6e94076b63616af803f9073fd04a2f78 |
ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: a90ecfa5fbf9674fdd69681919df3c9c257fbf2c396641af37fa6ffcd69aa645 |
ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm | SHA-256: 065634393e2cdb28d12b6dd2ca4f76c3d32902b38cdefe7d6430f37313a7e83f |
ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 74fffaec116b1ec7dcfd1890d66b4ae281517d87d47e929003c8ebb96f0c4850 |
ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 08b44c194ac52f4f55ca599713083b85c31a1bc35c623d3cefaca8ef9d244033 |
ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: a366524e6a257715fbe173ebbb95da72d73753988d47001a7fa35a952050920a |
ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: a37258d1de1b4c81954002672f58a625ec9bcdae1c61a46e74693ab44ce00703 |
ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: d9bd19edcb3d0d2976f22bd56306c978e7a9ba915186889ed9adcb2bbe14c402 |
ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 15d717a11e7ede2cfe626b1431730ee957dad9b576157d4a198534d1f7eb9199 |
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 5aadeac288ccc2aad7f8782455c71df53251f90bd4467417ba6aa5ae5c317294 |
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: a8241e4da53cd18d486f917038f4810ca3d8b10fa29d2e807bf458bb39bd77d2 |
ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 320ec0763f8a00f5568f189ea085d4424afdf1a84b3d2c29646f8092325ea3a0 |
ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 7a1b27467050d10ed18956708148b9c88c34ca54350cef565b9cde58df1bacc6 |
ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 02b135c2047e80023aa61ebcfd2ba1e25b76b6aebc7a6af8374531476d6510b2 |
ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm | SHA-256: 921cfce691b7542d033b64f707abdc8d4e6c1bccb33ea15a7ec66375bd29a575 |
ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 9aa92af5a26bedb754123989050f4251b0465efb54e486dd031b9f4fe67714ac |
ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 94ccc23f0a17f976364fd1f52bbf68fac4d3525770028fe9e99ae3e214c0ffce |
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: d66bf7f1510d95223baa105f8dff84c7979c98de6299765edbcaf642db6bd5f2 |
ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm | SHA-256: e873abe9f343b0feaa888576460051edac2fa038acf3770746b662cc76079d21 |
ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm | SHA-256: 342b65aa7bbd4fb8a00665efb4d3381e5758508567804dbf2d7fb31ecd855a96 |
python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 03153c0a8f3e41ef8fc939a27ab682ab450a5e258d6533b7bfd6143f5c548af4 |
rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm | SHA-256: b153a356347619d3144cf588d4c70c924a0e88ad6263877d899bb42bd30f574f |
rhvm-4.4.3.8-0.1.el8ev.noarch.rpm | SHA-256: 92f022be6af52d21bbe4f06e7f57d271f4df5ce02cb007ecabd47b28aed4a6c7 |
rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm | SHA-256: e7cec71b85f85af8b267e26a1812b3b74d4e42b2c544572bd02e71ecd73985a4 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.