Red Hat Product Errata RHSA-2021:0799 - Security Advisory
Issued:
2021-03-10
Updated:
2021-03-10

RHSA-2021:0799 - Security Advisory

Synopsis

Moderate: OpenShift Virtualization 2.6.0 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for RHEL-8-CNV-2.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.6.0 images:

RHEL-8-CNV-2.6
==============
kubevirt-cpu-node-labeller-container-v2.6.0-5
kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5
node-maintenance-operator-container-v2.6.0-13
kubevirt-vmware-container-v2.6.0-5
virtio-win-container-v2.6.0-5
kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5
bridge-marker-container-v2.6.0-9
kubevirt-template-validator-container-v2.6.0-9
kubevirt-v2v-conversion-container-v2.6.0-6
kubemacpool-container-v2.6.0-13
kubevirt-ssp-operator-container-v2.6.0-40
hyperconverged-cluster-webhook-container-v2.6.0-73
hyperconverged-cluster-operator-container-v2.6.0-73
ovs-cni-plugin-container-v2.6.0-10
cnv-containernetworking-plugins-container-v2.6.0-10
ovs-cni-marker-container-v2.6.0-10
cluster-network-addons-operator-container-v2.6.0-16
hostpath-provisioner-container-v2.6.0-11
hostpath-provisioner-operator-container-v2.6.0-14
vm-import-virtv2v-container-v2.6.0-21
kubernetes-nmstate-handler-container-v2.6.0-19
vm-import-controller-container-v2.6.0-21
vm-import-operator-container-v2.6.0-21
virt-api-container-v2.6.0-111
virt-controller-container-v2.6.0-111
virt-handler-container-v2.6.0-111
virt-operator-container-v2.6.0-111
virt-launcher-container-v2.6.0-111
cnv-must-gather-container-v2.6.0-54
virt-cdi-importer-container-v2.6.0-24
virt-cdi-cloner-container-v2.6.0-24
virt-cdi-controller-container-v2.6.0-24
virt-cdi-uploadserver-container-v2.6.0-24
virt-cdi-apiserver-container-v2.6.0-24
virt-cdi-uploadproxy-container-v2.6.0-24
virt-cdi-operator-container-v2.6.0-24
hco-bundle-registry-container-v2.6.0-582

Security Fix(es):

  • golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
  • golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
  • gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
  • golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
  • golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
  • golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
  • jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
  • golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
  • golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
  • containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 2.6 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 2.6 for RHEL 7 x86_64

Fixes

  • BZ - 1732329 - Virtual Machine is missing documentation of its properties in yaml editor
  • BZ - 1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv
  • BZ - 1791753 - [RFE] [SSP] Template validator should check validations in template's parent template
  • BZ - 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
  • BZ - 1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration
  • BZ - 1848956 - KMP requires downtime for CA stabilization during certificate rotation
  • BZ - 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
  • BZ - 1853911 - VM with dot in network name fails to start with unclear message
  • BZ - 1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show"
  • BZ - 1856347 - SR-IOV : Missing network name for sriov during vm setup
  • BZ - 1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
  • BZ - 1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination
  • BZ - 1860714 - No API information from `oc explain`
  • BZ - 1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints
  • BZ - 1864577 - [v2v][RHV to CNV] non-migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem
  • BZ - 1866593 - CDI is not handling vm disk clone
  • BZ - 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
  • BZ - 1868817 - Container-native Virtualization 2.6.0 Images
  • BZ - 1873771 - Improve the VMCreationFailed error message caused by VM low memory
  • BZ - 1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it
  • BZ - 1878499 - DV import doesn't recover from scratch space PVC deletion
  • BZ - 1879108 - Inconsistent naming of "oc virt" command in help text
  • BZ - 1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running
  • BZ - 1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT
  • BZ - 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
  • BZ - 1885153 - [v2v][RHV to CNV VM import] Wrong network mapping does not show a relevant error message
  • BZ - 1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used
  • BZ - 1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied
  • BZ - 1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request.
  • BZ - 1891285 - Common templates and kubevirt-config cm - update machine-type
  • BZ - 1891440 - [v2v][VMware to CNV VM import API]Source VM with no network interface fail with unclear error
  • BZ - 1892227 - [SSP] cluster scoped resources are not being reconciled
  • BZ - 1893278 - openshift-virtualization-os-images namespace not seen by user
  • BZ - 1893646 - [HCO] Pod placement configuration - dry run is not performed for all the configuration stanza
  • BZ - 1894428 - Message for VMI not migratable is not clear enough
  • BZ - 1894824 - [v2v][VM import] Pick the smallest template for the imported VM, and not always Medium
  • BZ - 1894897 - [v2v][VMIO] VMimport CR is not reported as failed when target VM is deleted during the import
  • BZ - 1895414 - Virt-operator is accepting updates to the placement of its workload components even with running VMs
  • BZ - 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
  • BZ - 1898072 - Add Fedora33 to Fedora common templates
  • BZ - 1898840 - [v2v] VM import VMWare to CNV Import 63 chars vm name should not fail
  • BZ - 1899558 - CNV 2.6 - nmstate fails to set state
  • BZ - 1901480 - VM disk IO can't work if namespace has label kubemacpool
  • BZ - 1902046 - Not possible to edit CDIConfig (through CDI CR / CDIConfig)
  • BZ - 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
  • BZ - 1903014 - hco-webhook pod in CreateContainerError
  • BZ - 1903585 - [v2v] Windows 2012 VM imported from RHV goes into Windows repair mode
  • BZ - 1904797 - [VMIO][vmware] A migrated RHEL/Windows VM starts in emergency mode/safe mode when target storage is NFS and target namespace is NOT "default"
  • BZ - 1906199 - [CNV-2.5] CNV Tries to Install on Windows Workers
  • BZ - 1907151 - kubevirt version is not reported correctly via virtctl
  • BZ - 1907352 - VM/VMI link changes to `kubevirt.io~v1~VirtualMachineInstance` on CNV 2.6
  • BZ - 1907691 - [CNV] Configuring NodeNetworkConfigurationPolicy caused "Internal error occurred" for creating datavolume
  • BZ - 1907988 - VM loses dynamic IP address of its default interface after migration
  • BZ - 1908363 - Applying NodeNetworkConfigurationPolicy for different NIC than default disables br-ex bridge and nodes lose connectivity
  • BZ - 1908421 - [v2v] [VM import RHV to CNV] Windows imported VM boot failed: INACCESSIBLE BOOT DEVICE error
  • BZ - 1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
  • BZ - 1909458 - [V2V][VMware to CNV VM import via api using VMIO] VM import to Ceph RBD/BLOCK fails on "qemu-img: /data/disk.img" error
  • BZ - 1910857 - Provide a mechanism to enable the HotplugVolumes feature gate via HCO
  • BZ - 1911118 - Windows VMI LiveMigration / shutdown fails on 'XML error: non unique alias detected: ua-'
  • BZ - 1911396 - Set networkInterfaceMultiqueue false in rhel 6 template for e1000e interface
  • BZ - 1911662 - el6 guests don't work properly if virtio bus is specified on various devices
  • BZ - 1912908 - Allow using "scsi" bus for disks in template validation
  • BZ - 1913248 - Creating vlan interface on top of a bond device via NodeNetworkConfigurationPolicy fails
  • BZ - 1913320 - Informative message needed with virtctl image-upload, that additional step is needed from the user
  • BZ - 1913717 - Users should have read permissions for golden images data volumes
  • BZ - 1913756 - Migrating to Ceph-RBD + Block fails when skipping zeroes
  • BZ - 1914177 - CNV does not preallocate blank file data volumes
  • BZ - 1914608 - Obsolete CPU models (kubevirt-cpu-plugin-configmap) are set on worker nodes
  • BZ - 1914947 - HPP golden images - DV should not be created with WaitForFirstConsumer
  • BZ - 1917908 - [VMIO] vmimport pod fail to create when using ceph-rbd/block
  • BZ - 1917963 - [CNV 2.6] Unable to install CNV disconnected - requires kvm-info-nfd-plugin which is not mirrored
  • BZ - 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
  • BZ - 1920576 - HCO can report ready=true when it failed to create a CR for a component operator
  • BZ - 1920610 - e2e-aws-4.7-cnv consistently failing on Hyperconverged Cluster Operator
  • BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
  • BZ - 1923979 - kubernetes-nmstate: nmstate-handler pod crashes when configuring bridge device using ip tool
  • BZ - 1927373 - NoExecute taint violates pdb; VMIs are not live migrated
  • BZ - 1931376 - VMs disconnected from nmstate-defined bridge after CNV-2.5.4->CNV-2.6.0 upgrade

CVEs

  • CVE-2018-10103
  • CVE-2018-10105
  • CVE-2018-14461
  • CVE-2018-14462
  • CVE-2018-14463
  • CVE-2018-14464
  • CVE-2018-14465
  • CVE-2018-14466
  • CVE-2018-14467
  • CVE-2018-14468
  • CVE-2018-14469
  • CVE-2018-14470
  • CVE-2018-14879
  • CVE-2018-14880
  • CVE-2018-14881
  • CVE-2018-14882
  • CVE-2018-16227
  • CVE-2018-16228
  • CVE-2018-16229
  • CVE-2018-16230
  • CVE-2018-16300
  • CVE-2018-16451
  • CVE-2018-16452
  • CVE-2018-20843
  • CVE-2019-5018
  • CVE-2019-8625
  • CVE-2019-8710
  • CVE-2019-8720
  • CVE-2019-8743
  • CVE-2019-8764
  • CVE-2019-8766
  • CVE-2019-8769
  • CVE-2019-8771
  • CVE-2019-8782
  • CVE-2019-8783
  • CVE-2019-8808
  • CVE-2019-8811
  • CVE-2019-8812
  • CVE-2019-8813
  • CVE-2019-8814
  • CVE-2019-8815
  • CVE-2019-8816
  • CVE-2019-8819
  • CVE-2019-8820
  • CVE-2019-8823
  • CVE-2019-8835
  • CVE-2019-8844
  • CVE-2019-8846
  • CVE-2019-11068
  • CVE-2019-13050
  • CVE-2019-13627
  • CVE-2019-14559
  • CVE-2019-14889
  • CVE-2019-15165
  • CVE-2019-15166
  • CVE-2019-15903
  • CVE-2019-16168
  • CVE-2019-16935
  • CVE-2019-17450
  • CVE-2019-18197
  • CVE-2019-19221
  • CVE-2019-19906
  • CVE-2019-19956
  • CVE-2019-20218
  • CVE-2019-20387
  • CVE-2019-20388
  • CVE-2019-20454
  • CVE-2019-20807
  • CVE-2019-20907
  • CVE-2019-20916
  • CVE-2020-1730
  • CVE-2020-1751
  • CVE-2020-1752
  • CVE-2020-1971
  • CVE-2020-3862
  • CVE-2020-3864
  • CVE-2020-3865
  • CVE-2020-3867
  • CVE-2020-3868
  • CVE-2020-3885
  • CVE-2020-3894
  • CVE-2020-3895
  • CVE-2020-3897
  • CVE-2020-3899
  • CVE-2020-3900
  • CVE-2020-3901
  • CVE-2020-3902
  • CVE-2020-6405
  • CVE-2020-6829
  • CVE-2020-7595
  • CVE-2020-8492
  • CVE-2020-8619
  • CVE-2020-8622
  • CVE-2020-8623
  • CVE-2020-8624
  • CVE-2020-9283
  • CVE-2020-9327
  • CVE-2020-9802
  • CVE-2020-9803
  • CVE-2020-9805
  • CVE-2020-9806
  • CVE-2020-9807
  • CVE-2020-9843
  • CVE-2020-9850
  • CVE-2020-9862
  • CVE-2020-9893
  • CVE-2020-9894
  • CVE-2020-9895
  • CVE-2020-9915
  • CVE-2020-9925
  • CVE-2020-10018
  • CVE-2020-10029
  • CVE-2020-11793
  • CVE-2020-12321
  • CVE-2020-12400
  • CVE-2020-12403
  • CVE-2020-13630
  • CVE-2020-13631
  • CVE-2020-13632
  • CVE-2020-14040
  • CVE-2020-14351
  • CVE-2020-14382
  • CVE-2020-14391
  • CVE-2020-14422
  • CVE-2020-15503
  • CVE-2020-15586
  • CVE-2020-15999
  • CVE-2020-16845
  • CVE-2020-24659
  • CVE-2020-25681
  • CVE-2020-25682
  • CVE-2020-25683
  • CVE-2020-25684
  • CVE-2020-25685
  • CVE-2020-25686
  • CVE-2020-25687
  • CVE-2020-25705
  • CVE-2020-26160
  • CVE-2020-27813
  • CVE-2020-28362
  • CVE-2020-29652
  • CVE-2020-29661
  • CVE-2021-3121
  • CVE-2021-3156
  • CVE-2021-20206

References

  • https://access.redhat.com/security/updates/classification/#moderate

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.