RHSA-2021:1184 - Security Advisory

Topic

Updated host packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-hosted-engine-setup package provides a self-hosted engine tool for the Red Hat Virtualization Manager. A self-hosted engine is a virtualized environment in which the Manager runs on a virtual machine on the hosts managed by the Manager.
Bug Fix(es):

• In this release, it is now possible to enter a path to the OVA archive for local appliance installation using the cockpit-ovirt UI. (BZ#1755156)
• Previously, following a successful migration on the Self-hosted Engine, he HA agent on the source host immediately moved to the state EngineDown, and shorly thereafter tried to start the engine locally, if the destination host didn't update the shared storage quickly enough, marking the Manager virtual machine as being up.

As a result, starting the virtual machine failed due to a shared lock held by the destination host. This also resulted in generating false alarms and notifications.
In this release, the HA agent first moves to the state EngineMaybeAway, providing the destination host more time to update the shared storage with the updated state. As a result, no notifications or false alarms are generated.
Note: in scenarios where the virtual machine needs to be started on the source host, this fix slightly increases the time it takes the Manager virtual
machine on the source host to start. (BZ#1815589)

• Previously, if a host in the Self-hosted Engine had an ID number higher than 64, other hosts did not recognize that host, and the host did not appear in 'hosted-engine --vm-status'.

In this release, the Self-hosted Engine allows host ID numbers of up to 2000. (BZ#1916032)

• ovirt-hosted-engine-setup now requires ansible-2.9.17. (BZ#1921108)
• Previously the logical names for disks without a mounted filesystem were not displayed in the Red Hat Virtualization Manager.

In this release, logical names for such disks are properly reported provided the version of QEMU Guest Agent in the virtual machine is 5.2 or higher. (BZ#1836661)

• Previously, if the Seal option was used when creating a template for Linux virtual machines, the original host name was not removed from the template.

In this release, the host name is set to localhost or the new virtual machine host name. (BZ#1860492)

• Previously, the used memory of the host didn't take the SReclaimable memory into consideration while it did for free memory. As a result, there were discrepancies in the host statistics.

In this release, the SReclaimable memory is a part of the used memory calculation. (BZ#1916519)

Security Fix(es):

• datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization 4 for RHEL 8 x86_64
• Red Hat Virtualization Host 4 for RHEL 8 x86_64
• Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le

Fixes

• BZ - 1755156 - [RFE] Cockpit: RHV deployment missing local appliance installation
• BZ - 1796415 - Live Merge and Remove Snapshot fails
• BZ - 1815589 - The HA agent trying to start HE VM in source host after successful HE migration
• BZ - 1836661 - [RFE] GET diskattachments for a VM using qemu-guest-agent is missing a logical_name for disks without monted file-system
• BZ - 1860492 - Create template with option "seal template" from VM snapshot fails to remove VM specific information.
• BZ - 1870435 - StorageDomain.dump() can return {"key" : None} if metadata is missing
• BZ - 1901503 - Misleading error message, displaying Data Center Storage Type instead of its name
• BZ - 1908441 - CVE-2020-28458 datatables.net: prototype pollution if 'constructor' were used in a data property name
• BZ - 1909956 - Failed to authenticate ssh session with host during hosted engine deployment with STIG profile
• BZ - 1916032 - Engine allows deploying HE hosts with spm_id > 64 but broker won't read past slot 64
• BZ - 1916519 - Host memory statistics discrepancies due to SReclaimable
• BZ - 1916947 - The syntax of the entry in '99-vdsm_protect_ifcfg.conf' is incorrect
• BZ - 1917927 - Upgrade cockpit-ovirt to 0.14.19
• BZ - 1919246 - Fix volume status lookup on OSP with Python 3
• BZ - 1921014 - Upgrade ovirt-host to 4.4.5
• BZ - 1921108 - Bump required ansible version in ovirt-hosted-engine-setup

CVEs

• CVE-2020-28458

References

• https://access.redhat.com/security/updates/classification/#moderate