Red Hat Product Errata RHSA-2021:0799 - Security Advisory
Issued: 2021-03-10
Updated: 2021-03-10

Synopsis

Moderate: OpenShift Virtualization 2.6.0 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for RHEL-8-CNV-2.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the CVEs section below.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.6.0 images:

RHEL-8-CNV-2.6
==============
kubevirt-cpu-node-labeller-container-v2.6.0-5
kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5
node-maintenance-operator-container-v2.6.0-13
kubevirt-vmware-container-v2.6.0-5
virtio-win-container-v2.6.0-5
kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5
bridge-marker-container-v2.6.0-9
kubevirt-template-validator-container-v2.6.0-9
kubevirt-v2v-conversion-container-v2.6.0-6
kubemacpool-container-v2.6.0-13
kubevirt-ssp-operator-container-v2.6.0-40
hyperconverged-cluster-webhook-container-v2.6.0-73
hyperconverged-cluster-operator-container-v2.6.0-73
ovs-cni-plugin-container-v2.6.0-10
cnv-containernetworking-plugins-container-v2.6.0-10
ovs-cni-marker-container-v2.6.0-10
cluster-network-addons-operator-container-v2.6.0-16
hostpath-provisioner-container-v2.6.0-11
hostpath-provisioner-operator-container-v2.6.0-14
vm-import-virtv2v-container-v2.6.0-21
kubernetes-nmstate-handler-container-v2.6.0-19
vm-import-controller-container-v2.6.0-21
vm-import-operator-container-v2.6.0-21
virt-api-container-v2.6.0-111
virt-controller-container-v2.6.0-111
virt-handler-container-v2.6.0-111
virt-operator-container-v2.6.0-111
virt-launcher-container-v2.6.0-111
cnv-must-gather-container-v2.6.0-54
virt-cdi-importer-container-v2.6.0-24
virt-cdi-cloner-container-v2.6.0-24
virt-cdi-controller-container-v2.6.0-24
virt-cdi-uploadserver-container-v2.6.0-24
virt-cdi-apiserver-container-v2.6.0-24
virt-cdi-uploadproxy-container-v2.6.0-24
virt-cdi-operator-container-v2.6.0-24
hco-bundle-registry-container-v2.6.0-582

Security Fix(es):

  • golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
  • golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
  • gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
  • golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
  • golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
  • golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
  • jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
  • golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
  • golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
  • containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)

All ten issues above are in Go libraries vendored by the OpenShift Virtualization components, so the remediation is the set of rebuilt images listed above rather than a separate package update. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the CVEs section below.
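CVE-2021-20206 is the item in this list with the clearest exploitation story: the type field of a CNI network configuration names the plugin binary to execute, and a value containing "../" elements selects a binary outside the plugin directories. The Go program below is an added example written for this page; it is not libcni's code and not part of this advisory. It parses a constructed network configuration whose type field is hostile, shows how joining that value with an assumed plugin search path (/opt/cni/bin and /usr/libexec/cni) resolves to /tmp/evil, and then applies the guard a hardened resolver needs: a plugin type must be a bare file name, so anything containing a path separator, or equal to "." or "..", is rejected before the join.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// netConf is a CONSTRUCTED network configuration whose "type" field is hostile.
// Everything else in it is the minimum a CNI config carries.
const netConf = `{"cniVersion":"0.3.1","name":"evil-net","type":"../../../../tmp/evil"}`

// searchPaths is an assumed plugin directory list (the CNI_PATH of a typical node).
var searchPaths = []string{"/opt/cni/bin", "/usr/libexec/cni"}

// TypeFromConf pulls the plugin name out of a network configuration.
func TypeFromConf(conf string) (string, error) {
	var c struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal([]byte(conf), &c); err != nil {
		return "", err
	}
	return c.Type, nil
}

// candidatePaths is the pre-fix lookup: the untrusted type is joined with each
// directory as-is, so ".." elements walk out of the plugin directories.
func candidatePaths(pluginType string, dirs []string) []string {
	out := make([]string, 0, len(dirs))
	for _, d := range dirs {
		out = append(out, filepath.Join(d, pluginType))
	}
	return out
}

// EscapesDir reports whether candidate resolves outside dir.
func EscapesDir(dir, candidate string) bool {
	rel, err := filepath.Rel(dir, candidate)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidatePluginType is the guard a hardened resolver applies before joining:
// a plugin name is a bare file name, never a path.
func ValidatePluginType(pluginType string) error {
	switch {
	case pluginType == "":
		return errors.New("no plugin name provided")
	case pluginType == "." || pluginType == "..":
		return fmt.Errorf("invalid plugin name %q", pluginType)
	case strings.ContainsAny(pluginType, `/\`):
		return fmt.Errorf("invalid plugin name %q: path separators are not allowed", pluginType)
	}
	return nil
}

// ResolvePlugin is the hardened lookup: validate first, then join.
func ResolvePlugin(pluginType string, dirs []string) ([]string, error) {
	if err := ValidatePluginType(pluginType); err != nil {
		return nil, err
	}
	return candidatePaths(pluginType, dirs), nil
}

func main() {
	typ, err := TypeFromConf(netConf)
	if err != nil {
		panic(err)
	}
	for i, p := range candidatePaths(typ, searchPaths) {
		fmt.Printf("pre-fix lookup would execute %s (outside %s: %v)\n", p, searchPaths[i], EscapesDir(searchPaths[i], p))
	}
	if _, err := ResolvePlugin(typ, searchPaths); err != nil {
		fmt.Println("hardened resolver:", err)
	}
}
```

The rejection happens on the name, not on the joined result: checking the joined path with EscapesDir alone would still let a symlink inside the plugin directory point elsewhere, whereas refusing separators keeps the attacker from choosing any path component at all.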

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258
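Applying the update as described there does not by itself prove that every component pod is running a rebuilt image; a stalled rollout or a pinned image override leaves old builds in place. The Go program below is an added example for this page, not Red Hat tooling. It parses the image list above into component name plus version-release, parses image references of the form returned by oc get pods -n openshift-cnv -o jsonpath (the sample references are constructed, and the registry path layout registry.redhat.io/container-native-virtualization/<component> is an assumption), and reports each component as fixed, vulnerable, outside this advisory's version stream, or unknown. A reference pinned only by digest is reported as unknown rather than guessed, because the build number is then not present in the reference string.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Build is the version-release pair in an OpenShift Virtualization image tag:
// v2.6.0-111 is Version "2.6.0", Release 111.
type Build struct {
	Version string
	Release int
}

// advisoryImages is a subset of the image list in this advisory, copied verbatim.
var advisoryImages = []string{
	"virt-api-container-v2.6.0-111",
	"virt-handler-container-v2.6.0-111",
	"virt-launcher-container-v2.6.0-111",
	"hyperconverged-cluster-operator-container-v2.6.0-73",
	"kubemacpool-container-v2.6.0-13",
}

// runningImages is CONSTRUCTED sample input standing in for the output of
//   oc get pods -n openshift-cnv -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'
// The registry path layout and the digest value are assumptions for the example.
var runningImages = []string{
	"registry.redhat.io/container-native-virtualization/virt-launcher:v2.6.0-111",
	"registry.redhat.io/container-native-virtualization/virt-api:v2.6.0-97",
	"registry.redhat.io/container-native-virtualization/kubemacpool:v2.5.3-9",
	"registry.redhat.io/container-native-virtualization/virt-handler@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
	"registry.redhat.io/container-native-virtualization/hyperconverged-cluster-operator:v2.6.0-73",
}

var (
	advisoryRe = regexp.MustCompile(`^(.+)-container-v(\d+\.\d+\.\d+)-(\d+)$`)
	tagRe      = regexp.MustCompile(`^v(\d+\.\d+\.\d+)-(\d+)$`)
)

// ParseAdvisory maps "name-container-vX.Y.Z-N" entries to component name and build.
// Assumption: the name before "-container" equals the repository name in the registry.
func ParseAdvisory(entries []string) (map[string]Build, error) {
	fixed := make(map[string]Build, len(entries))
	for _, e := range entries {
		m := advisoryRe.FindStringSubmatch(e)
		if m == nil {
			return nil, fmt.Errorf("unrecognised advisory entry %q", e)
		}
		rel, _ := strconv.Atoi(m[3]) // digits only, guaranteed by advisoryRe
		fixed[m[1]] = Build{Version: m[2], Release: rel}
	}
	return fixed, nil
}

// ParseImageRef splits a pull reference into component, build and digest-pinning.
// A tag written beside a digest is not what the runtime pulls, so it is ignored.
func ParseImageRef(ref string) (component string, b Build, byDigest bool, err error) {
	name := ref
	if i := strings.Index(name, "@sha256:"); i >= 0 {
		name, byDigest = name[:i], true
	}
	tag := ""
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name, tag = name[:i], name[i+1:] // a ':' before the last '/' is a registry port
	}
	component = name[strings.LastIndex(name, "/")+1:]
	if byDigest {
		return component, Build{}, true, nil
	}
	m := tagRe.FindStringSubmatch(tag)
	if m == nil {
		return "", Build{}, false, fmt.Errorf("reference %q has no vX.Y.Z-N tag", ref)
	}
	rel, _ := strconv.Atoi(m[2]) // digits only, guaranteed by tagRe
	return component, Build{Version: m[1], Release: rel}, false, nil
}

// Status classifies one running reference against the advisory builds.
func Status(ref string, fixed map[string]Build) (component, status string) {
	comp, b, byDigest, err := ParseImageRef(ref)
	if err != nil {
		return "", "unparseable: " + err.Error()
	}
	want, ok := fixed[comp]
	if !ok {
		return comp, "unknown (component not in this advisory)"
	}
	if byDigest {
		return comp, "unknown (digest reference; read the version/release labels with 'oc image info')"
	}
	if b.Version != want.Version {
		return comp, fmt.Sprintf("different version stream (v%s-%d); check the advisory for that version", b.Version, b.Release)
	}
	if b.Release < want.Release {
		return comp, fmt.Sprintf("VULNERABLE: running v%s-%d, fixed in v%s-%d", b.Version, b.Release, want.Version, want.Release)
	}
	return comp, "fixed"
}

func main() {
	fixed, _ := ParseAdvisory(advisoryImages)
	for _, ref := range runningImages {
		comp, st := Status(ref, fixed)
		fmt.Printf("%-32s %s\n", comp, st)
	}
}
```

To use it against a cluster, replace runningImages with the real jsonpath output and extend advisoryImages to the full list above. Pods in openshift-cnv whose images belong to other operators land in the "unknown (component not in this advisory)" bucket and can be ignored for this advisory; digest-pinned references need a second look at the image's version and release labels.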

Affected Products

  • Red Hat Container Native Virtualization 2.6 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 2.6 for RHEL 7 x86_64

Fixes

  • BZ - 1732329 - Virtual Machine is missing documentation of its properties in yaml editor
  • BZ - 1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv
  • BZ - 1791753 - [RFE] [SSP] Template validator should check validations in template's parent template
  • BZ - 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
  • BZ - 1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration
  • BZ - 1848956 - KMP requires downtime for CA stabilization during certificate rotation
  • BZ - 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
  • BZ - 1853911 - VM with dot in network name fails to start with unclear message
  • BZ - 1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show"
  • BZ - 1856347 - SR-IOV : Missing network name for sriov during vm setup
  • BZ - 1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
  • BZ - 1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination
  • BZ - 1860714 - No API information from `oc explain`
  • BZ - 1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints
  • BZ - 1864577 - [v2v][RHV to CNV non migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem
  • BZ - 1866593 - CDI is not handling vm disk clone
  • BZ - 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
  • BZ - 1868817 - Container-native Virtualization 2.6.0 Images
  • BZ - 1873771 - Improve the VMCreationFailed error message caused by VM low memory
  • BZ - 1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it
  • BZ - 1878499 - DV import doesn't recover from scratch space PVC deletion
  • BZ - 1879108 - Inconsistent naming of "oc virt" command in help text
  • BZ - 1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running
  • BZ - 1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT
  • BZ - 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
  • BZ - 1885153 - [v2v][RHV to CNV VM import] Wrong Network mapping do not show a relevant error message
  • BZ - 1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used
  • BZ - 1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied
  • BZ - 1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request.
  • BZ - 1891285 - Common templates and kubevirt-config cm - update machine-type
  • BZ - 1891440 - [v2v][VMware to CNV VM import API]Source VM with no network interface fail with unclear error
  • BZ - 1892227 - [SSP] cluster scoped resources are not being reconciled
  • BZ - 1893278 - openshift-virtualization-os-images namespace not seen by user
  • BZ - 1893646 - [HCO] Pod placement configuration - dry run is not performed for all the configuration stanza
  • BZ - 1894428 - Message for VMI not migratable is not clear enough
  • BZ - 1894824 - [v2v][VM import] Pick the smallest template for the imported VM, and not always Medium
  • BZ - 1894897 - [v2v][VMIO] VMimport CR is not reported as failed when target VM is deleted during the import
  • BZ - 1895414 - Virt-operator is accepting updates to the placement of its workload components even with running VMs
  • BZ - 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
  • BZ - 1898072 - Add Fedora33 to Fedora common templates
  • BZ - 1898840 - [v2v] VM import VMWare to CNV Import 63 chars vm name should not fail
  • BZ - 1899558 - CNV 2.6 - nmstate fails to set state
  • BZ - 1901480 - VM disk I/O doesn't work if the namespace has the kubemacpool label
  • BZ - 1902046 - Not possible to edit CDIConfig (through CDI CR / CDIConfig)
  • BZ - 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
  • BZ - 1903014 - hco-webhook pod in CreateContainerError
  • BZ - 1903585 - [v2v] Windows 2012 VM imported from RHV goes into Windows repair mode
  • BZ - 1904797 - [VMIO][vmware] A migrated RHEL/Windows VM starts in emergency mode/safe mode when target storage is NFS and target namespace is NOT "default"
  • BZ - 1906199 - [CNV-2.5] CNV Tries to Install on Windows Workers
  • BZ - 1907151 - kubevirt version is not reported correctly via virtctl
  • BZ - 1907352 - VM/VMI link changes to `kubevirt.io~v1~VirtualMachineInstance` on CNV 2.6
  • BZ - 1907691 - [CNV] Configuring NodeNetworkConfigurationPolicy caused "Internal error occurred" for creating datavolume
  • BZ - 1907988 - VM loses dynamic IP address of its default interface after migration
  • BZ - 1908363 - Applying NodeNetworkConfigurationPolicy for different NIC than default disables br-ex bridge and nodes lose connectivity
  • BZ - 1908421 - [v2v] [VM import RHV to CNV] Windows imported VM boot failed: INACCESSIBLE BOOT DEVICE error
  • BZ - 1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
  • BZ - 1909458 - [V2V][VMware to CNV VM import via api using VMIO] VM import to Ceph RBD/BLOCK fails on "qemu-img: /data/disk.img" error
  • BZ - 1910857 - Provide a mechanism to enable the HotplugVolumes feature gate via HCO
  • BZ - 1911118 - Windows VMI LiveMigration / shutdown fails on 'XML error: non unique alias detected: ua-')
  • BZ - 1911396 - Set networkInterfaceMultiqueue false in rhel 6 template for e1000e interface
  • BZ - 1911662 - el6 guests don't work properly if virtio bus is specified on various devices
  • BZ - 1912908 - Allow using "scsi" bus for disks in template validation
  • BZ - 1913248 - Creating vlan interface on top of a bond device via NodeNetworkConfigurationPolicy fails
  • BZ - 1913320 - Informative message needed with virtctl image-upload, that additional step is needed from the user
  • BZ - 1913717 - Users should have read permissions for golden images data volumes
  • BZ - 1913756 - Migrating to Ceph-RBD + Block fails when skipping zeroes
  • BZ - 1914177 - CNV does not preallocate blank file data volumes
  • BZ - 1914608 - Obsolete CPU models (kubevirt-cpu-plugin-configmap) are set on worker nodes
  • BZ - 1914947 - HPP golden images - DV should not be created with WaitForFirstConsumer
  • BZ - 1917908 - [VMIO] vmimport pod fail to create when using ceph-rbd/block
  • BZ - 1917963 - [CNV 2.6] Unable to install CNV disconnected - requires kvm-info-nfd-plugin which is not mirrored
  • BZ - 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
  • BZ - 1920576 - HCO can report ready=true when it failed to create a CR for a component operator
  • BZ - 1920610 - e2e-aws-4.7-cnv consistently failing on Hyperconverged Cluster Operator
  • BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
  • BZ - 1923979 - kubernetes-nmstate: nmstate-handler pod crashes when configuring bridge device using ip tool
  • BZ - 1927373 - NoExecute taint violates pdb; VMIs are not live migrated
  • BZ - 1931376 - VMs disconnected from nmstate-defined bridge after CNV-2.5.4->CNV-2.6.0 upgrade

CVEs

This list is longer than the Security Fix(es) above because it also covers CVEs in the base-image packages rebuilt into these container images, not only the Go library issues enumerated in the Description. Each entry links to the Red Hat CVE page with its CVSS score and per-product impact.

  • CVE-2018-10103
  • CVE-2018-10105
  • CVE-2018-14461
  • CVE-2018-14462
  • CVE-2018-14463
  • CVE-2018-14464
  • CVE-2018-14465
  • CVE-2018-14466
  • CVE-2018-14467
  • CVE-2018-14468
  • CVE-2018-14469
  • CVE-2018-14470
  • CVE-2018-14879
  • CVE-2018-14880
  • CVE-2018-14881
  • CVE-2018-14882
  • CVE-2018-16227
  • CVE-2018-16228
  • CVE-2018-16229
  • CVE-2018-16230
  • CVE-2018-16300
  • CVE-2018-16451
  • CVE-2018-16452
  • CVE-2018-20843
  • CVE-2019-5018
  • CVE-2019-8625
  • CVE-2019-8710
  • CVE-2019-8720
  • CVE-2019-8743
  • CVE-2019-8764
  • CVE-2019-8766
  • CVE-2019-8769
  • CVE-2019-8771
  • CVE-2019-8782
  • CVE-2019-8783
  • CVE-2019-8808
  • CVE-2019-8811
  • CVE-2019-8812
  • CVE-2019-8813
  • CVE-2019-8814
  • CVE-2019-8815
  • CVE-2019-8816
  • CVE-2019-8819
  • CVE-2019-8820
  • CVE-2019-8823
  • CVE-2019-8835
  • CVE-2019-8844
  • CVE-2019-8846
  • CVE-2019-11068
  • CVE-2019-13050
  • CVE-2019-13627
  • CVE-2019-14559
  • CVE-2019-14889
  • CVE-2019-15165
  • CVE-2019-15166
  • CVE-2019-15903
  • CVE-2019-16168
  • CVE-2019-16935
  • CVE-2019-17450
  • CVE-2019-18197
  • CVE-2019-19221
  • CVE-2019-19906
  • CVE-2019-19956
  • CVE-2019-20218
  • CVE-2019-20387
  • CVE-2019-20388
  • CVE-2019-20454
  • CVE-2019-20807
  • CVE-2019-20907
  • CVE-2019-20916
  • CVE-2020-1730
  • CVE-2020-1751
  • CVE-2020-1752
  • CVE-2020-1971
  • CVE-2020-3862
  • CVE-2020-3864
  • CVE-2020-3865
  • CVE-2020-3867
  • CVE-2020-3868
  • CVE-2020-3885
  • CVE-2020-3894
  • CVE-2020-3895
  • CVE-2020-3897
  • CVE-2020-3899
  • CVE-2020-3900
  • CVE-2020-3901
  • CVE-2020-3902
  • CVE-2020-6405
  • CVE-2020-6829
  • CVE-2020-7595
  • CVE-2020-8492
  • CVE-2020-8619
  • CVE-2020-8622
  • CVE-2020-8623
  • CVE-2020-8624
  • CVE-2020-9283
  • CVE-2020-9327
  • CVE-2020-9802
  • CVE-2020-9803
  • CVE-2020-9805
  • CVE-2020-9806
  • CVE-2020-9807
  • CVE-2020-9843
  • CVE-2020-9850
  • CVE-2020-9862
  • CVE-2020-9893
  • CVE-2020-9894
  • CVE-2020-9895
  • CVE-2020-9915
  • CVE-2020-9925
  • CVE-2020-10018
  • CVE-2020-10029
  • CVE-2020-11793
  • CVE-2020-12321
  • CVE-2020-12400
  • CVE-2020-12403
  • CVE-2020-13630
  • CVE-2020-13631
  • CVE-2020-13632
  • CVE-2020-14040
  • CVE-2020-14351
  • CVE-2020-14382
  • CVE-2020-14391
  • CVE-2020-14422
  • CVE-2020-15503
  • CVE-2020-15586
  • CVE-2020-15999
  • CVE-2020-16845
  • CVE-2020-24659
  • CVE-2020-25681
  • CVE-2020-25682
  • CVE-2020-25683
  • CVE-2020-25684
  • CVE-2020-25685
  • CVE-2020-25686
  • CVE-2020-25687
  • CVE-2020-25705
  • CVE-2020-26160
  • CVE-2020-27813
  • CVE-2020-28362
  • CVE-2020-29652
  • CVE-2020-29661
  • CVE-2021-3121
  • CVE-2021-3156
  • CVE-2021-20206

References

  • https://access.redhat.com/security/updates/classification/#moderate

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
