RHSA-2021:0381 - Security Advisory

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

Security Fix(es):

• jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization Manager 4.4 x86_64

Fixes

• BZ - 1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
• BZ - 1702237 - [RFE] add API for listing disksnapshots under disk resource
• BZ - 1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.
• BZ - 1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
• BZ - 1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
• BZ - 1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.
• BZ - 1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
• BZ - 1881115 - RHEL VM icons squashed, please adhere to brand rules
• BZ - 1881357 - German language greeting page says Red Hat®
• BZ - 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
• BZ - 1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
• BZ - 1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
• BZ - 1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
• BZ - 1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
• BZ - 1903595 - [PPC] Can't add PPC host to Engine

CVEs

• CVE-2020-25649

References

• https://access.redhat.com/security/updates/classification/#low