- Issued:
- 2021-07-22
- Updated:
- 2021-07-22
RHSA-2021:2736 - Security Advisory
Synopsis
Important: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.7]
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es):
- kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909)
- systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)
- kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)
- ansible: multiple modules expose secured values (CVE-2021-3447)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- The redhat-release-virtualization-host package no longer requires vdsm-hooks. In this release, the installation of vdsm-hooks is not mandatory for the Red Hat Virtualization Host. (BZ#1976095)
- Previously, rhsmcertd was not enabled by default on the Red Hat Virtualization Host. As a result, the systems did not regularly report to RHSM while the subscription-manager reported no obvious issues and repositories were properly enabled.
In this release, rhsmcertd is enabled by default in RHVH, and as a result, RHSM now receives reports regularly. (BZ#1958145)
- In this release, the Red Hat Virtualization Host has been rebased on top of the RHEL 8.4.0 Batch #1 update. For more information, see the RHEL release notes. (BZ#1957242)
- Red Hat Virtualization Host now includes an updated scap-security-guide-rhv which allows you to apply a PCI DSS security profile to the system during installation, (BZ#1883793)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization 4 for RHEL 8 x86_64
- Red Hat Virtualization Host 4 for RHEL 8 x86_64
Fixes
- BZ - 1883793 - [RFE] RHV installation with PCI DSS compliance
- BZ - 1939349 - CVE-2021-3447 ansible: multiple modules expose secured values
- BZ - 1955415 - RHVH 4.4: There are AVC denied errors in audit.log after upgrade
- BZ - 1957242 - Rebase RHV-H 4.4.7 on RHEL 8.4.0.1
- BZ - 1958145 - [RHVH 4.4.5] Need to enable rhsmcertd service on the host by default
- BZ - 1961305 - CVE-2021-33034 kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan
- BZ - 1970273 - CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer
- BZ - 1970887 - CVE-2021-33910 systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash
- BZ - 1970970 - Rebase RHVH 4.4.6 host image with kernel fix for fnic issue
- BZ - 1976005 - No swap on RHVH 4.4.6
- BZ - 1976095 - redhat-release-virtualization-host-content shouldn't have hard dependency on vdsm hooks
- BZ - 1976118 - Failed to enable unit: Unit file rdma.service does not exist in %post execution
- BZ - 1976146 - Include fcoe-utils package into CDN: rhvh-4-for-rhel-8-x86_64-rpms
- BZ - 1976148 - Include vhostmd package into CDN: rhvh-4-for-rhel-8-x86_64-rpms
Red Hat Virtualization 4 for RHEL 8
| SRPM | |
|---|---|
| imgbased-1.2.21-1.el8ev.src.rpm | SHA-256: 9c034e100786659856ed094a35df2beaf9b31c140bb7013702f41e60ad63c945 |
| redhat-release-virtualization-host-4.4.7-3.el8ev.src.rpm | SHA-256: 5107edb5ed233047ad05c7f340d59d3accb4bea3ab29eb11bd1f9e28ea20785f |
| scap-security-guide-0.1.54-2.el8ev.src.rpm | SHA-256: 01bbdc1179c23ff8a94fa38f2e6056546a0c0d93b3c90215ba5a9caf30f42898 |
| x86_64 | |
| imgbased-1.2.21-1.el8ev.noarch.rpm | SHA-256: 91884c35d0834d3b00f750252f0948e8e723f80ebd1c5e6d68383ff6c619b2f7 |
| python3-imgbased-1.2.21-1.el8ev.noarch.rpm | SHA-256: 2909b1466880056506ce639c96471f128499e9dc1485dcf40f983b783cc6a8ec |
| redhat-release-virtualization-host-4.4.7-3.el8ev.x86_64.rpm | SHA-256: c0acb3d1b28d617482cfef5d9c2f0a8c4ac45a8d48e0af4eb02ba10929bf4861 |
| redhat-virtualization-host-image-update-placeholder-4.4.7-3.el8ev.noarch.rpm | SHA-256: 28ccd1c3f20cbe78da590ad2c7b657a85df3fc2c9a0c945d3ff9418fb654137a |
| scap-security-guide-rhv-0.1.54-2.el8ev.noarch.rpm | SHA-256: 57c86a75ccd28b84d69645d69ca9b75738c5527d10c9a7bd0f32c1add416b10a |
Red Hat Virtualization Host 4 for RHEL 8
| SRPM | |
|---|---|
| fcoe-utils-1.0.33-3.git848bcc6.el8.src.rpm | SHA-256: 0df1c75a769488e346fabb726f60ae01e32b33c8250018249951d2aae41566f1 |
| redhat-virtualization-host-4.4.7-20210715.1.el8_4.src.rpm | SHA-256: f1840c680544df653ac455256214dcf0baa5b9406b76cd87e59398ed125536e4 |
| vhostmd-1.1-5.el8.src.rpm | SHA-256: a9e3ada3c37ed414fe1d25a9891a0d2fd6c159c9c2146901609b59533587d860 |
| x86_64 | |
| fcoe-utils-1.0.33-3.git848bcc6.el8.x86_64.rpm | SHA-256: cfa3fc199b542118bab84e47172eaa2d898448bc8d978356562c7f9ae140d23d |
| fcoe-utils-debuginfo-1.0.33-3.git848bcc6.el8.x86_64.rpm | SHA-256: 324a3b99b3329bee6253c1688a4365134252d44c8fbd18cd4c54f159f57857c1 |
| fcoe-utils-debugsource-1.0.33-3.git848bcc6.el8.x86_64.rpm | SHA-256: 17368d3a6a7a32b40a8ee0141bc72a5720020e1d6b0b9a9b18f6f2f89d882a3d |
| redhat-virtualization-host-image-update-4.4.7-20210715.1.el8_4.x86_64.rpm | SHA-256: f9562b4887b911839de50856d6b0f995ef9e41588a9ddcd63d3dae670a880b1d |
| vhostmd-1.1-5.el8.x86_64.rpm | SHA-256: a55539a02cadc5e051ee443bb819836f3acf11072a5adb1e02e7de6331d73ceb |
| vhostmd-debuginfo-1.1-5.el8.x86_64.rpm | SHA-256: 285dcd6a120dfd3ed146094fda10510e02dbc0d2f432f061a049ffadbf5dc6be |
| vhostmd-debugsource-1.1-5.el8.x86_64.rpm | SHA-256: e7281c2d3ad65e28af78bf697fbf0126186b6e82b2649c9dcf9d2f1d3886dd44 |
| vm-dump-metrics-1.1-5.el8.x86_64.rpm | SHA-256: e69ab07bebf1ba7df0616c8de0a4ce74eafe66c6a851dbe285836dc591aab5cf |
| vm-dump-metrics-debuginfo-1.1-5.el8.x86_64.rpm | SHA-256: 61744e238de36ec9026c0b9b5e718d5d3e55b18bb1636d05efedc800a692938c |
| vm-dump-metrics-devel-1.1-5.el8.x86_64.rpm | SHA-256: 8ac215a78676274dc5fd08f401a335e51bb89d05e3cf951a51bfc26f6f98a387 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.