- Issued:
- 2021-04-14
- Updated:
- 2021-04-14
RHSA-2021:1169 - Security Advisory
Synopsis
Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement
Type/Severity
Security Advisory: Moderate
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update is now available for Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The ovirt-engine package provides the manager for virtualization environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Security Fix(es):
- nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)
- m2crypto: bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
- datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)
- nodejs-immer: prototype pollution may lead to DoS or remote code execution (CVE-2020-28477)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization Manager 4.4 x86_64
Fixes
- BZ - 1145658 - Storage domain removal does not check if the storage domain contains any memory dumps.
- BZ - 1155275 - [RFE] - Online update LUN size to the Guest after LUN resize
- BZ - 1649479 - [RFE] OVF_STORE last update not exposed in the UI
- BZ - 1666786 - RHV-M reports "Balancing VM ${VM}" for ever as successful in the tasks list
- BZ - 1688186 - [RFE] CPU and NUMA Pinning shall be handled automatically
- BZ - 1729359 - Failed image upload leaves disk in locked state, requiring manual intervention to cleanup.
- BZ - 1787235 - [RFE] Offline disk move should log which host the data is being copied on in the audit log
- BZ - 1802844 - rest api setupnetworks: assignment_method should be inside ip_address_assignment
- BZ - 1837221 - [RFE] Allow using other than RSA SHA-1/SHA-2 public keys for SSH connections between RHVM and hypervisors
- BZ - 1843882 - network interface not added to public firewalld zone until host reboot
- BZ - 1858420 - Snapshot creation on host that engine then loses connection to results in missing snapshots table entry
- BZ - 1882273 - CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
- BZ - 1884233 - oVirt-engine reports misleading login-domain for external RH-SSO accounts
- BZ - 1889823 - CVE-2020-25657 m2crypto: bleichenbacher timing attacks in the RSA decryption API
- BZ - 1895217 - Hosted-Engine --restore-from-file fails if backup has VM pinned to restore host and has no Icon set.
- BZ - 1901503 - Misleading error message, displaying Data Center Storage Type instead of its name
- BZ - 1901752 - AddVds fails as FIPS host rejects SSH with ssh-rsa, failing HostedEngine deployment
- BZ - 1905108 - Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address
- BZ - 1905158 - After upgrading RHVH 4.4.2 to 4.4.3 moves to non-operational due to missing CPU features : model_Cascadelake-Server
- BZ - 1908441 - CVE-2020-28458 datatables.net: prototype pollution if 'constructor' were used in a data property name
- BZ - 1910302 - [RFE] Allow SPM switching if all tasks have finished via UI
- BZ - 1913198 - Host deploy fails if 6+ hosts are deployed at the same time.
- BZ - 1914602 - [RHV 4.4] /var/lib/ovirt-engine/external_truststore (Permission denied)
- BZ - 1918162 - CVE-2020-28477 nodejs-immer: prototype pollution may lead to DoS or remote code execution
- BZ - 1919555 - Rebase apache-sshd to version 2.6.0 for RHV 4.4.5
- BZ - 1921104 - Bump required ansible version in RHV Manager 4.4.5
- BZ - 1921119 - RHV reports unsynced cluster when host QoS is in use.
- BZ - 1922200 - Checking the Engine database consistency takes too long to complete
- BZ - 1924012 - Rebase ansible-runner to 1.4.6
- BZ - 1926854 - [RFE] Requesting an audit log entry be added in LSM flow to display the host on which the internal volumes are copied
- BZ - 1927851 - [RFE] Add timezone AUS Eastern Standard Time
- BZ - 1931514 - [downstream] Cluster upgrade fails when using Intel Skylake Client/Server IBRS SSBD MDS Family
- BZ - 1931786 - Windows driver update does not work on cluster level 4.5
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Virtualization Manager 4.4
| SRPM | |
|---|---|
| ansible-runner-1.4.6-2.el8ar.src.rpm | SHA-256: 16d3b6b16d1cd2095c05c098073843d04be8d6cdce90556021b0a3a4ed6bedb7 |
| ansible-runner-service-1.0.7-1.el8ev.src.rpm | SHA-256: 08c2bef1d2f5d90dd0e404bc091a19d9df730b8c11b006191df5c6b3beaecfc1 |
| apache-sshd-2.6.0-1.el8ev.src.rpm | SHA-256: 85271d11aae3a6258381e64c8ec2c3475ba11ea6ba1f62b1bbcb20bd0622b7d4 |
| ovirt-engine-4.4.5.9-0.1.el8ev.src.rpm | SHA-256: e58eef12f20bedd0c0023d99f6302743ff3d8d6d5ffdd48499615a6d4b006d1e |
| ovirt-engine-dwh-4.4.5.5-1.el8ev.src.rpm | SHA-256: 0a244f1f7ea436f08dd341da00cdbbdd76a09de43317d3bf4b81f639dc6dc295 |
| ovirt-web-ui-1.6.7-1.el8ev.src.rpm | SHA-256: facb8ee7f82600f46a45eafc49dc76b9bf18d66f349fa6e3f051086d9002c385 |
| x86_64 | |
| ansible-runner-1.4.6-2.el8ar.noarch.rpm | SHA-256: 9b5a0a66ae5aeeaef8d71a34c8304903e88322a4f768d0a0b0a5364bace9f41c |
| ansible-runner-service-1.0.7-1.el8ev.noarch.rpm | SHA-256: 10d342ad299348c79794a66644862cb589ab1c3e32ffc7701a875346a9283965 |
| apache-sshd-2.6.0-1.el8ev.noarch.rpm | SHA-256: 9d114d42aa60b7108a228597c446294d67d00ffa9a4e8e2d7c4392914fc3b51c |
| apache-sshd-javadoc-2.6.0-1.el8ev.noarch.rpm | SHA-256: bfd53f153eaa73b7d2023969c03135c4f3078ee9c99c3bfba4766074585245f0 |
| ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 16184851d6e5e87245aff30a772d99b97c54193975913887a8ee34c40105e6d6 |
| ovirt-engine-backend-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 2433351de74662e31abeca10059e7fe9f018723b138f18bb2b55b7f343d2fa75 |
| ovirt-engine-dbscripts-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: a1d949d475798a2ac2ed98761b69201c41bbfa4544968f3b9b41759ff39bceb4 |
| ovirt-engine-dwh-4.4.5.5-1.el8ev.noarch.rpm | SHA-256: e342e4eb689bc226791a951460661b71ec50949882d66d707f85181390de615f |
| ovirt-engine-dwh-grafana-integration-setup-4.4.5.5-1.el8ev.noarch.rpm | SHA-256: dd671e4b5e85b61413ef3e62a9621e04709f130d5c706cda192dbd2fec4b59a3 |
| ovirt-engine-dwh-setup-4.4.5.5-1.el8ev.noarch.rpm | SHA-256: 03dac3a307514684155192f1f2374da067796c4e0c9eeb9f1e9dff9d90cb0a5b |
| ovirt-engine-health-check-bundler-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 2b994fb12711766ccf79d87ec32ad8a6ae18fffdf566b5e516b355f5307795b3 |
| ovirt-engine-restapi-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 7da19cb9ac42613c19d5f4b7daf3f710003a6a8782794a1339f595d8e55ca9c2 |
| ovirt-engine-setup-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 4becdaa3ad057c4649529bc05e34cc0b60e9a33688f9f422d726e43336b41052 |
| ovirt-engine-setup-base-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 3699b6cc0b50d0ad97b3a02511a68bc0d8e91631f873d9465339831b0942b67a |
| ovirt-engine-setup-plugin-cinderlib-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 036e1929ade62ed0be4322210afca21aad9edaabebf5d7fcdcec8cc03948f434 |
| ovirt-engine-setup-plugin-imageio-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: c34692e8525c9feba5cc908cfe63e4978d901b1c15a89d2fab6bfecd010acafb |
| ovirt-engine-setup-plugin-ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: ce2b0176dbb16e1d6cfff8e3c833c84b05ec24c96f0b9ed3aca906b6b46d75ea |
| ovirt-engine-setup-plugin-ovirt-engine-common-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: e94bb56b4ce20ac3cc09428ac48eeafec8561ace28d7c59ed35de167da2a71d5 |
| ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 82f6e031398674ffab5ccd654a3824f4bb0f6a15e3305f763a0ac3c3e8f07ec1 |
| ovirt-engine-setup-plugin-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: af5526d835e4bab89c32683da44816cedae54b5cf52ec92bfc6c03582395ed71 |
| ovirt-engine-tools-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: d0469aa9cccb0f43e80020cdcf2f6f297883e85e93f8afbe9e2ca499e68f2479 |
| ovirt-engine-tools-backup-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 27ad2b7984e81057db7082766045589e19c7e43e54f3d84491016ae19e2a363b |
| ovirt-engine-vmconsole-proxy-helper-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 64934b0fccbc087fa92ce8481080b7edc3ac189c0407d0c382793fd96a53321e |
| ovirt-engine-webadmin-portal-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 2fb1dd8f0e7ec220c48684a215923a37812f4d5749cfeb35d0313819db44c171 |
| ovirt-engine-websocket-proxy-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: ea2e3d565da6a10a0c69a7955fdc5273a051ddd0f2fcfd75ebacc0bdbfc3bb73 |
| ovirt-web-ui-1.6.7-1.el8ev.noarch.rpm | SHA-256: 45b167903b117dfe4b3c88a8a8e96fa431930fa13b4b8f54428127b7ef4e1004 |
| python3-ansible-runner-1.4.6-2.el8ar.noarch.rpm | SHA-256: b2841c47415190cddcd4389f9dcb26cea427bac14ed02054ef216e77e8c01c5f |
| python3-ovirt-engine-lib-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: d211c6d94e331381c44b3ac154d922f78dcf0aa11b5838cbeb6012f66ff21352 |
| rhvm-4.4.5.9-0.1.el8ev.noarch.rpm | SHA-256: 736c2bc2a4c35eb0464304c204b7f59d0062880427a392792e8c2b1707026580 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
