Red Hat Product Errata RHSA-2020:5179 - Security Advisory
Issued:
2020-11-24
Updated:
2020-11-24

Synopsis

Low: Red Hat Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

org.ovirt.engine-root, the oVirt Engine, is the core management component of oVirt and is shipped in Red Hat Virtualization as the Manager (RHV-M).

The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

Security Fix(es):

  • nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
  • nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
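
The three CVEs above are in JavaScript libraries bundled with the Manager's web UI, not in the engine itself. Two of them belong to well-known classes that are easiest to understand in code: CVE-2020-8203 is prototype pollution through a deep-assignment helper that follows attacker-controlled property paths, and CVE-2019-20920 is a template lookup helper that lets a template walk up the prototype chain to the Function constructor. The block below is an added example, not code from Red Hat, lodash or handlebars: it uses constructed stand-in helpers (the names deepSetUnsafe, zipObjectDeepUnsafe, lookupUnsafe, lookupSafe and the simulated template are assumptions for illustration) to show each unsafe pattern beside a hardened form. The upstream fixes differ in detail, and CVE-2019-20922 (the endless-loop DoS) depends on handlebars parser internals and is not modelled here.

```javascript
// Added example, not lodash or handlebars code: constructed stand-ins for the two
// unsafe-property-access patterns fixed in this advisory, each beside a hardened form.
//   - CVE-2020-8203 class: a deep-assignment helper that walks attacker-controlled
//     paths and can write into Object.prototype (prototype pollution).
//   - CVE-2019-20920 class: a template lookup helper that lets a template reach
//     obj.constructor.constructor, i.e. the Function constructor.

// Keys that resolve on the prototype chain rather than on the object itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isObj = (v) => v !== null && (typeof v === "object" || typeof v === "function");

// Vulnerable: creates intermediate containers along a dotted path with no key filter.
function deepSetUnsafe(target, dottedPath, value) {
  const keys = dottedPath.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isObj(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]]; // for "__proto__" this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Same call shape as lodash's zipObjectDeep(props, values), built on the unsafe setter.
function zipObjectDeepUnsafe(props, values) {
  const out = {};
  props.forEach((p, i) => deepSetUnsafe(out, p, values[i]));
  return out;
}

// Hardened: reject prototype keys outright and only descend into own properties.
function deepSetSafe(target, dottedPath, value) {
  const keys = dottedPath.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set prototype key: ${k}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isObj(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Returns true if the unsafe zip polluted Object.prototype (a brand-new object
// suddenly carries the key), then removes the pollution so the process stays clean.
function demonstratePollution() {
  zipObjectDeepUnsafe(["__proto__.polluted"], ["yes"]);
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}

// Vulnerable lookup: plain bracket access, inherited properties included.
function lookupUnsafe(obj, key) {
  return obj == null ? undefined : obj[key];
}

// Hardened lookup: own, non-prototype properties only; everything else is undefined,
// which a template engine renders as an empty string.
function lookupSafe(obj, key) {
  if (obj == null || FORBIDDEN_KEYS.has(key)) return undefined;
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Simulates a template that chains two lookups and invokes the result, e.g.
// {{#with (lookup this "constructor")}}{{lookup this "constructor"}}{{/with}}:
// context -> Object -> Function, then Function(source)() runs attacker-chosen code.
function gadgetViaLookup(lookup, context, source) {
  const ctor = lookup(context, "constructor");
  const fnCtor = lookup(ctor, "constructor");
  if (typeof fnCtor !== "function") return undefined;
  return fnCtor(source)();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("prototype polluted via unsafe zip:", demonstratePollution());
  console.log("unsafe lookup gadget:", gadgetViaLookup(lookupUnsafe, {}, "return 6 * 7"));
  console.log("safe lookup gadget:", gadgetViaLookup(lookupSafe, {}, "return 6 * 7"));
}
```

The common root cause is that JavaScript property access does not distinguish an object's own keys from inherited ones, so any helper that accepts property names from untrusted input (template variables, JSON keys, query parameters) needs an explicit deny-list for `__proto__`, `constructor` and `prototype` plus an own-property check. Patching the libraries is the fix for this advisory; the pattern is worth recognising in your own code as well.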

Bug Fix(es):

  • send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)
  • Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)
  • If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)
  • Search backend cannot find VMs whose name starts with a search keyword (BZ#1797717)
  • [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)
  • enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)
  • NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)
  • Adding quota to group doesn't propagate to users (BZ#1822372)
  • Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)
  • Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)
  • RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)
  • Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)
  • rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)
  • RHV 4.4 on AMD EPYC 7742 throws a NUMA-related error on VM run (BZ#1866862)
  • Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)
  • HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)
  • [CNV&RHV] Notification about VM creation contains an <UNKNOWN> string (BZ#1873136)
  • VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)
  • Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)
  • unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)
  • [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)
  • Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)
  • [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)
  • Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

Enhancement(s):

  • [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)
  • [RFE] - enable renaming HostedEngine VM name (BZ#1657294)
  • [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)
  • [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)
  • [RFE] RHV-M Deployment/Install needs its own UUID (BZ#1825020)
  • [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)
  • [RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1613514 - send --nowait to libvirt when we collect qemu stats, to consume bz#1552092
  • BZ - 1657294 - [RFE] - enable renaming HostedEngine VM name
  • BZ - 1691253 - ovirt-engine-extension-aaa-ldap-setup does not escape special characters in password
  • BZ - 1702016 - Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation
  • BZ - 1752751 - [RFE] Show vCPUs and allocated memory in virtual machines summary
  • BZ - 1760170 - If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC.
  • BZ - 1797717 - Search backend cannot find VMs whose name starts with a search keyword
  • BZ - 1808320 - [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation
  • BZ - 1811466 - enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times
  • BZ - 1812316 - NumaPinningHelper is not huge pages aware, denies migration to suitable host
  • BZ - 1822372 - Adding quota to group doesn't propagate to users
  • BZ - 1825020 - [RFE] RHV-M Deployment/Install needs its own UUID
  • BZ - 1828241 - Deleting a snapshot does not display a lock for its disks under the "Disk Snapshots" tab.
  • BZ - 1829691 - Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template
  • BZ - 1842344 - Status loop due to host initialization not checking network status, monitoring finding the network issue and auto-recovery.
  • BZ - 1845432 - [CNV&RHV] Communication with CNV cluster spamming engine.log when token is expired
  • BZ - 1851865 - [RFE] Destination Host in migrate VM dialog has to be searchable and sortable
  • BZ - 1854888 - RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase
  • BZ - 1855305 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
  • BZ - 1856671 - [RFE] Expose the "reinstallation required" flag of the hosts in the API
  • BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
  • BZ - 1859314 - rhv-log-collector-analyzer --json fails with TypeError
  • BZ - 1862101 - rhv-image-discrepancies shows the size of the images on the storage as the size of the image in the DB and vice versa
  • BZ - 1866981 - obj must be encoded before hashing
  • BZ - 1870133 - Issue with dashboards creation when sending metrics to external Elasticsearch
  • BZ - 1871694 - HostedEngine VM is broken after Cluster changed to UEFI
  • BZ - 1872911 - RHV Administration Portal fails with 404 error even after updating to RHV 4.3.9
  • BZ - 1873136 - [CNV&RHV] Notification about VM creation contains an <UNKNOWN> string
  • BZ - 1876923 - PostgreSQL 12 in RHV 4.4 - engine-setup menu ref URL needs updating
  • BZ - 1877632 - VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart
  • BZ - 1877679 - Synchronize advanced virtualization module with RHEL version during host upgrade
  • BZ - 1879199 - ovirt-engine-extension-aaa-ldap-setup fails on cert import
  • BZ - 1879280 - Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation
  • BZ - 1879377 - [DWH] Rebase bug - for the 4.4.3 release
  • BZ - 1881634 - unable to create/add index pattern in step 5 from kcs articles#4921101
  • BZ - 1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
  • BZ - 1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
  • BZ - 1883844 - [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs
  • BZ - 1884146 - Deprecate and remove ovirt-engine-api-explorer
  • BZ - 1884634 - [CNV&RHV] Disable creating new disks for Kubevirt VM
  • BZ - 1885976 - rhv-log-collector-analyzer - argument must be str, not bytes
  • BZ - 1887268 - Cannot perform yum update on my RHV manager (ansible conflict)
  • BZ - 1888626 - Require ansible-2.9.14 in ovirt-engine
  • BZ - 1889522 - metrics playbooks are broken due to typo

CVEs

  • CVE-2019-20920
  • CVE-2019-20922
  • CVE-2020-8203

References

  • https://access.redhat.com/security/updates/classification/#low

Note: More recent versions of these packages may be available.

Red Hat Virtualization Manager 4.4

SRPM
engine-db-query-1.6.2-1.el8ev.src.rpm SHA-256: 1e5cc61c0c508c90ff622e805602a4a99f51911c762289972c4036988942f5b0
ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm SHA-256: 9855d797207f55f4a4f87a7d1454447b54f698fee36602d0717a9b092f085593
ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm SHA-256: d938c36491939fdb781199f811e1d58411baf4c5d4ff680ecca9dd8b4d14e908
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm SHA-256: 358604996e8fc202027bb59b48ca43da3e13adff59b835ffa86ff0364322cc81
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm SHA-256: cb9a1ac71f2ab121a4747134e4304543df3fbb402843629c136bad160f136ab3
ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm SHA-256: f661395babd718707dc5620efd54f8269aa0b07b7a937c5c7ae5939c4fa09996
ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm SHA-256: d2b59172a43a30e0980ea2cadbf19e428e7610fd60c3dcbc6b5b5751b5eaf672
ovirt-log-collector-4.4.4-1.el8ev.src.rpm SHA-256: 0b03df06e76b304ee7394bd1cc2cd1bd2486c15c8f28678705ad1a1bbb85c876
ovirt-web-ui-1.6.5-1.el8ev.src.rpm SHA-256: aed3990f361bd5117bc9cb6008fd0d033d30f91ca1efe82bc3ea9808c526d9b5
rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm SHA-256: 3c2520b42606a6a01421469f9e49f22c7cc9169fb3f1e681970002ecbd3ad734
rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm SHA-256: 719812f735a37976cf69f62ff3a9d64e0a4065f95838e1ac18fa562b8542945c
x86_64
engine-db-query-1.6.2-1.el8ev.noarch.rpm SHA-256: 45b7fe46025be3ee8ff1d7e65c2bd267a5dfa105562712bb466bf9ce10662d18
ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: b04fe105153fa0bd40247d023b041871afd62c0f945850486b7bd1dc930ac322
ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 95e27be75d916f85eedb372d4f05f39edae0b40648be67cd08a0ae3741f98617
ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 1aa128c69e31f8cebe74e40dfbe0bfd3b9325fce1a66848645406f735517c5d9
ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm SHA-256: 0f07a29b9f86e3d06d296001c370c7904ff600edb68ed9d3a8761838c59fb5b3
ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm SHA-256: 6e29e490ee340653b848df4abff913bd0103749f7fab3b4a1a595e3f8c4c9779
ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm SHA-256: af49f7b66b2d72e2dead3a19fee33ea1c56ab54a2ece5ac26ecce86f92e5c242
ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm SHA-256: faf63f47e4017c6e01707d90512e237e6063dbf1aca33dba5b2e6e7183099467
ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm SHA-256: 9611f1bd2ec5fd3df5e6a554e29255b6a1b4b0fb365778ab35c868064334b5b2
ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm SHA-256: ee380d0e77e4eeefbccf31b2a90818fa6e94076b63616af803f9073fd04a2f78
ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: a90ecfa5fbf9674fdd69681919df3c9c257fbf2c396641af37fa6ffcd69aa645
ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm SHA-256: 065634393e2cdb28d12b6dd2ca4f76c3d32902b38cdefe7d6430f37313a7e83f
ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 74fffaec116b1ec7dcfd1890d66b4ae281517d87d47e929003c8ebb96f0c4850
ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 08b44c194ac52f4f55ca599713083b85c31a1bc35c623d3cefaca8ef9d244033
ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: a366524e6a257715fbe173ebbb95da72d73753988d47001a7fa35a952050920a
ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: a37258d1de1b4c81954002672f58a625ec9bcdae1c61a46e74693ab44ce00703
ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: d9bd19edcb3d0d2976f22bd56306c978e7a9ba915186889ed9adcb2bbe14c402
ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 15d717a11e7ede2cfe626b1431730ee957dad9b576157d4a198534d1f7eb9199
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 5aadeac288ccc2aad7f8782455c71df53251f90bd4467417ba6aa5ae5c317294
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: a8241e4da53cd18d486f917038f4810ca3d8b10fa29d2e807bf458bb39bd77d2
ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 320ec0763f8a00f5568f189ea085d4424afdf1a84b3d2c29646f8092325ea3a0
ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 7a1b27467050d10ed18956708148b9c88c34ca54350cef565b9cde58df1bacc6
ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 02b135c2047e80023aa61ebcfd2ba1e25b76b6aebc7a6af8374531476d6510b2
ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm SHA-256: 921cfce691b7542d033b64f707abdc8d4e6c1bccb33ea15a7ec66375bd29a575
ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 9aa92af5a26bedb754123989050f4251b0465efb54e486dd031b9f4fe67714ac
ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 94ccc23f0a17f976364fd1f52bbf68fac4d3525770028fe9e99ae3e214c0ffce
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: d66bf7f1510d95223baa105f8dff84c7979c98de6299765edbcaf642db6bd5f2
ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm SHA-256: e873abe9f343b0feaa888576460051edac2fa038acf3770746b662cc76079d21
ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm SHA-256: 342b65aa7bbd4fb8a00665efb4d3381e5758508567804dbf2d7fb31ecd855a96
python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 03153c0a8f3e41ef8fc939a27ab682ab450a5e258d6533b7bfd6143f5c548af4
rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm SHA-256: b153a356347619d3144cf588d4c70c924a0e88ad6263877d899bb42bd30f574f
rhvm-4.4.3.8-0.1.el8ev.noarch.rpm SHA-256: 92f022be6af52d21bbe4f06e7f57d271f4df5ce02cb007ecabd47b28aed4a6c7
rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm SHA-256: e7cec71b85f85af8b267e26a1812b3b74d4e42b2c544572bd02e71ecd73985a4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
