RHSA-2020:5179 - Security Advisory

Issued: 2020-11-24
Updated: 2020-11-24

Synopsis

Low: Red Hat Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

Security Fix(es):

  • nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
  • nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)
  • Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)
  • If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)
  • Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)
  • [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)
  • enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)
  • NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)
  • Adding quota to group doesn't propagate to users (BZ#1822372)
  • Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)
  • Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)
  • RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)
  • Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)
  • rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
  • RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)
  • Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)
  • HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
  • [CNV&RHV]Notification about VM creation contain <UNKNOWN> string (BZ#1873136)
  • VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)
  • Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)
  • unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)
  • [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)
  • Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
  • [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
  • Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

Enhancement(s):

  • [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
  • [RFE] - enable renaming HostedEngine VM name (BZ#1657294)
  • [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
  • [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)
  • [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)
  • [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)
  • [RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
  • BZ - 1657294 - [RFE] - enable renaming HostedEngine VM name
  • BZ - 1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
  • BZ - 1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
  • BZ - 1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
  • BZ - 1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
  • BZ - 1797717 - Search backend cannot find VMs which name starts with a search keyword
  • BZ - 1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
  • BZ - 1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
  • BZ - 1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
  • BZ - 1822372 - Adding quota to group doesn't propagate to users
  • BZ - 1825020 - [RFE] RHV-M Deployment/Install Needs it's own UUID
  • BZ - 1828241 - Deleting snapshot do not display a lock for it's disks under "Disk Snapshots" tab.
  • BZ - 1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
  • BZ - 1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
  • BZ - 1845432 - [CNV&RHV] Communicatoin with CNV cluster spamming engine.log when token is expired
  • BZ - 1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
  • BZ - 1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
  • BZ - 1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
  • BZ - 1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
  • BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
  • BZ - 1859314 - rhv-log-collector-analyzer --json fails with TypeError
  • BZ - 1862101 - rhv-image-discrepancies does show size of the images on the storage as size of the image in db and vice versa
  • BZ - 1866981 - obj must be encoded before hashing
  • BZ - 1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
  • BZ - 1871694 - HostedEngine VM is broken after Cluster changed to UEFI
  • BZ - 1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
  • BZ - 1873136 - [CNV&RHV]Notification about VM creation contain <UNKNOWN> string
  • BZ - 1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating
  • BZ - 1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
  • BZ - 1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade
  • BZ - 1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import
  • BZ - 1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
  • BZ - 1879377 - [DWH] Rebase bug - for the 4.4.3 release
  • BZ - 1881634 - unable to create/add index pattern in step 5 from kcs articles#4921101
  • BZ - 1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
  • BZ - 1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
  • BZ - 1883844 - [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
  • BZ - 1884146 - Deprecate and remove ovirt-engine-api-explorer
  • BZ - 1884634 - [CNV&RHV] Disable creating new disks for Kubevirt VM
  • BZ - 1885976 - rhv-log-collector-analyzer - argument must be str, not bytes
  • BZ - 1887268 - Cannot perform yum update on my RHV manager (ansible conflict)
  • BZ - 1888626 - Require ansible-2.9.14 in ovirt-engine
  • BZ - 1889522 - metrics playbooks are broken due to typo

CVEs

  • CVE-2019-20920
  • CVE-2019-20922
  • CVE-2020-8203

References

  • https://access.redhat.com/security/updates/classification/#low
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization Manager 4.4


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
