Issued:
2021-03-10
Updated:
2021-03-10

RHSA-2021:0799 - Security Advisory

Synopsis

Moderate: OpenShift Virtualization 2.6.0 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for RHEL-8-CNV-2.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.6.0 images:

RHEL-8-CNV-2.6
==============
kubevirt-cpu-node-labeller-container-v2.6.0-5
kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5
node-maintenance-operator-container-v2.6.0-13
kubevirt-vmware-container-v2.6.0-5
virtio-win-container-v2.6.0-5
kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5
bridge-marker-container-v2.6.0-9
kubevirt-template-validator-container-v2.6.0-9
kubevirt-v2v-conversion-container-v2.6.0-6
kubemacpool-container-v2.6.0-13
kubevirt-ssp-operator-container-v2.6.0-40
hyperconverged-cluster-webhook-container-v2.6.0-73
hyperconverged-cluster-operator-container-v2.6.0-73
ovs-cni-plugin-container-v2.6.0-10
cnv-containernetworking-plugins-container-v2.6.0-10
ovs-cni-marker-container-v2.6.0-10
cluster-network-addons-operator-container-v2.6.0-16
hostpath-provisioner-container-v2.6.0-11
hostpath-provisioner-operator-container-v2.6.0-14
vm-import-virtv2v-container-v2.6.0-21
kubernetes-nmstate-handler-container-v2.6.0-19
vm-import-controller-container-v2.6.0-21
vm-import-operator-container-v2.6.0-21
virt-api-container-v2.6.0-111
virt-controller-container-v2.6.0-111
virt-handler-container-v2.6.0-111
virt-operator-container-v2.6.0-111
virt-launcher-container-v2.6.0-111
cnv-must-gather-container-v2.6.0-54
virt-cdi-importer-container-v2.6.0-24
virt-cdi-cloner-container-v2.6.0-24
virt-cdi-controller-container-v2.6.0-24
virt-cdi-uploadserver-container-v2.6.0-24
virt-cdi-apiserver-container-v2.6.0-24
virt-cdi-uploadproxy-container-v2.6.0-24
virt-cdi-operator-container-v2.6.0-24
hco-bundle-registry-container-v2.6.0-582

Security Fix(es):

  • golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
  • golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
  • gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
  • golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
  • golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
  • golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
  • jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
  • golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
  • golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
  • containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 2.6 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 2.6 for RHEL 7 x86_64

Fixes

  • BZ - 1732329 - Virtual Machine is missing documentation of its properties in yaml editor
  • BZ - 1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv
  • BZ - 1791753 - [RFE] [SSP] Template validator should check validations in template's parent template
  • BZ - 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
  • BZ - 1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration
  • BZ - 1848956 - KMP requires downtime for CA stabilization during certificate rotation
  • BZ - 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
  • BZ - 1853911 - VM with dot in network name fails to start with unclear message
  • BZ - 1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show"
  • BZ - 1856347 - SR-IOV : Missing network name for sriov during vm setup
  • BZ - 1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
  • BZ - 1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination
  • BZ - 1860714 - No API information from `oc explain`
  • BZ - 1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints
  • BZ - 1864577 - [v2v][RHV to CNV non migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem
  • BZ - 1866593 - CDI is not handling vm disk clone
  • BZ - 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
  • BZ - 1868817 - Container-native Virtualization 2.6.0 Images
  • BZ - 1873771 - Improve the VMCreationFailed error message caused by VM low memory
  • BZ - 1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it
  • BZ - 1878499 - DV import doesn't recover from scratch space PVC deletion
  • BZ - 1879108 - Inconsistent naming of "oc virt" command in help text
  • BZ - 1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running
  • BZ - 1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT
  • BZ - 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
  • BZ - 1885153 - [v2v][RHV to CNv VM import] Wrong Network mapping do not show a relevant error message
  • BZ - 1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used
  • BZ - 1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied
  • BZ - 1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request.
  • BZ - 1891285 - Common templates and kubevirt-config cm - update machine-type
  • BZ - 1891440 - [v2v][VMware to CNV VM import API]Source VM with no network interface fail with unclear error
  • BZ - 1892227 - [SSP] cluster scoped resources are not being reconciled
  • BZ - 1893278 - openshift-virtualization-os-images namespace not seen by user
  • BZ - 1893646 - [HCO] Pod placement configuration - dry run is not performed for all the configuration stanza
  • BZ - 1894428 - Message for VMI not migratable is not clear enough
  • BZ - 1894824 - [v2v][VM import] Pick the smallest template for the imported VM, and not always Medium
  • BZ - 1894897 - [v2v][VMIO] VMimport CR is not reported as failed when target VM is deleted during the import
  • BZ - 1895414 - Virt-operator is accepting updates to the placement of its workload components even with running VMs
  • BZ - 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
  • BZ - 1898072 - Add Fedora33 to Fedora common templates
  • BZ - 1898840 - [v2v] VM import VMWare to CNV Import 63 chars vm name should not fail
  • BZ - 1899558 - CNV 2.6 - nmstate fails to set state
  • BZ - 1901480 - VM disk io can't worked if namespace have label kubemacpool
  • BZ - 1902046 - Not possible to edit CDIConfig (through CDI CR / CDIConfig)
  • BZ - 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
  • BZ - 1903014 - hco-webhook pod in CreateContainerError
  • BZ - 1903585 - [v2v] Windows 2012 VM imported from RHV goes into Windows repair mode
  • BZ - 1904797 - [VMIO][vmware] A migrated RHEL/Windows VM starts in emergency mode/safe mode when target storage is NFS and target namespace is NOT "default"
  • BZ - 1906199 - [CNV-2.5] CNV Tries to Install on Windows Workers
  • BZ - 1907151 - kubevirt version is not reported correctly via virtctl
  • BZ - 1907352 - VM/VMI link changes to `kubevirt.io~v1~VirtualMachineInstance` on CNV 2.6
  • BZ - 1907691 - [CNV] Configuring NodeNetworkConfigurationPolicy caused "Internal error occurred" for creating datavolume
  • BZ - 1907988 - VM loses dynamic IP address of its default interface after migration
  • BZ - 1908363 - Applying NodeNetworkConfigurationPolicy for different NIC than default disables br-ex bridge and nodes lose connectivity
  • BZ - 1908421 - [v2v] [VM import RHV to CNV] Windows imported VM boot failed: INACCESSIBLE BOOT DEVICE error
  • BZ - 1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
  • BZ - 1909458 - [V2V][VMware to CNV VM import via api using VMIO] VM import to Ceph RBD/BLOCK fails on "qemu-img: /data/disk.img" error
  • BZ - 1910857 - Provide a mechanism to enable the HotplugVolumes feature gate via HCO
  • BZ - 1911118 - Windows VMI LiveMigration / shutdown fails on 'XML error: non unique alias detected: ua-')
  • BZ - 1911396 - Set networkInterfaceMultiqueue false in rhel 6 template for e1000e interface
  • BZ - 1911662 - el6 guests don't work properly if virtio bus is specified on various devices
  • BZ - 1912908 - Allow using "scsi" bus for disks in template validation
  • BZ - 1913248 - Creating vlan interface on top of a bond device via NodeNetworkConfigurationPolicy fails
  • BZ - 1913320 - Informative message needed with virtctl image-upload, that additional step is needed from the user
  • BZ - 1913717 - Users should have read permitions for golden images data volumes
  • BZ - 1913756 - Migrating to Ceph-RBD + Block fails when skipping zeroes
  • BZ - 1914177 - CNV does not preallocate blank file data volumes
  • BZ - 1914608 - Obsolete CPU models (kubevirt-cpu-plugin-configmap) are set on worker nodes
  • BZ - 1914947 - HPP golden images - DV shoudld not be created with WaitForFirstConsumer
  • BZ - 1917908 - [VMIO] vmimport pod fail to create when using ceph-rbd/block
  • BZ - 1917963 - [CNV 2.6] Unable to install CNV disconnected - requires kvm-info-nfd-plugin which is not mirrored
  • BZ - 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
  • BZ - 1920576 - HCO can report ready=true when it failed to create a CR for a component operator
  • BZ - 1920610 - e2e-aws-4.7-cnv consistently failing on Hyperconverged Cluster Operator
  • BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
  • BZ - 1923979 - kubernetes-nmstate: nmstate-handler pod crashes when configuring bridge device using ip tool
  • BZ - 1927373 - NoExecute taint violates pdb; VMIs are not live migrated
  • BZ - 1931376 - VMs disconnected from nmstate-defined bridge after CNV-2.5.4->CNV-2.6.0 upgrade

CVEs

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.