Red Hat Product Errata RHSA-2021:2865 - Security Advisory

Issued: 2021-07-22
Updated: 2021-07-22

Synopsis

Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]

Type/Severity

Security Advisory: Moderate

Topic

Updated ovirt-engine packages that fix several security issues and bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

Security Fix(es):

  • nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)
  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
  • nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)
  • nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
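Three of the four fixes above are regular expression denial of service (ReDoS) issues in JavaScript dependencies bundled with the Manager's web UI. To show what that class of bug is, here is an added Python illustration; it is not code from the advisory or from path-parse, glob-parent or ua-parser-js, and the pattern EVIL is a constructed textbook example of the vulnerable shape (a repeated group whose body can match the same text in many ways), not the expression from any of those packages. The demo times one non-matching input against the ambiguous pattern and against an unambiguous rewrite of the same language, then shows the hardened check a practitioner would ship: a hard cap on input length before any regex runs, followed by the unambiguous pattern.

```python
"""ReDoS: catastrophic backtracking and its mitigations (added illustration).

EVIL is a constructed example of the vulnerable shape, NOT the regex from any
package fixed by RHSA-2021:2865; it only shows the mechanism those bugs share.
"""
import re
import time

# Vulnerable shape: the inner \w+ and the outer * can split a run of n word
# characters in 2^(n-1) ways, and a trailing character the pattern can never
# accept forces the engine to try every one of them before it gives up.
EVIL = re.compile(r"^(\w+\s?)*$")

# Same language, unambiguous: word runs separated by exactly one whitespace,
# with one optional trailing whitespace. There is only one way to match any
# given text, so a failing input is rejected in linear time.
SAFE = re.compile(r"^(\w+(\s\w+)*\s?)?$")

MAX_LEN = 256   # hard cap applied before any regex runs (defence in depth)


def attack_input(n: int) -> str:
    """n word characters followed by a character neither pattern accepts."""
    return "a" * n + "!"


def time_match(pattern: "re.Pattern[str]", text: str) -> float:
    """Seconds spent in one match() call; the match result itself is discarded."""
    t0 = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - t0


def is_word_list(text: str) -> bool:
    """Hardened check: bounded input length first, then the unambiguous pattern."""
    if len(text) > MAX_LEN:
        raise ValueError(f"input longer than {MAX_LEN} characters rejected")
    return SAFE.match(text) is not None


def demo(sizes=(12, 14, 16, 18)) -> None:
    """Print the time ladder: EVIL roughly doubles per extra character, SAFE does not."""
    for n in sizes:
        text = attack_input(n)
        print(f"n={n:2d}  EVIL {time_match(EVIL, text) * 1000:9.2f} ms"
              f"  SAFE {time_match(SAFE, text) * 1000:7.3f} ms")


if __name__ == "__main__":
    demo()
```

Python's standard `re` module has no match timeout (the third-party `regex` module accepts a `timeout=` argument), so the portable mitigations are the two shown: bound the input before the engine sees it, and remove the ambiguity from the pattern. When the vulnerable expression lives in a bundled dependency, as it does here, the remedy for the deployment is the updated package rather than local editing of the regex.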

Bug Fix(es):

  • Foreman integration, which allowed bare metal hosts to be provisioned from the Administration Portal using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and has been removed completely in oVirt 4.4.7 / RHV 4.4.7.

Similar functionality can be achieved by provisioning bare metal hosts with Foreman directly and then adding the already provisioned host using the Administration Portal or the REST API. (BZ#1901011)

  • Adding a message banner to the web administration welcome page is straightforward using custom branding that contains only a preamble section.

An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329.

The custom preamble branding survives an engine upgrade and keeps working without further action. It is not carried over by engine backup and restore: after an engine restore the custom preamble branding must be reinstalled manually and verified. (BZ#1804774)

  • The column name threads_per_core in the Red Hat Virtualization Manager Dashboard is deprecated and will be removed in a future release.

In version 4.4.7.2 the column name threads_per_core is changed to number_of_threads. In the Data Warehouse, the old name is retained as an additional alias, so two columns provide the same data, number_of_threads and threads_per_core; threads_per_core will be removed in a future version. (BZ#1896359)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1752996 - [RFE] Option in VM Portal to Full Screen
  • BZ - 1765644 - VM portal on RHV-M 4.3.6 doesn't show the VM "Console Setting" functionality.
  • BZ - 1779983 - After memory hot plug, Why the VM is showing icon for "server with the newer configuration for next run"?
  • BZ - 1804774 - Simplify the process to add a msg on the RHVM Admin Portal Login
  • BZ - 1817346 - [UI] SHA1 fingerprint shown to the user for approval
  • BZ - 1877478 - [RFE] collect network metrics in DWH ( rx and tx drop )
  • BZ - 1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex
  • BZ - 1887434 - LVM IDs and Machine ID are same for all new VMs created from sealed template
  • BZ - 1888354 - rhv-log-collector-analyzer 0.2.16 from RHV 4.3 and up does not gather information about storage domains or LUN.
  • BZ - 1896359 - "Count threads as cores" option is not honored by the RHV Dashboard CPU graph
  • BZ - 1901011 - [RFE] Remove Foreman integration from engine
  • BZ - 1902179 - Ignore message about not using latest kernel after upgrade when a host hasn't been rebooted
  • BZ - 1937714 - [RFE] Add rx and tx drop to Grafana
  • BZ - 1939198 - Refresh LUN operation via Admin Portal fails with "No host was found to perform the operation"
  • BZ - 1941581 - [RFE] Add to API external template import
  • BZ - 1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
  • BZ - 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
  • BZ - 1946876 - automatic Maximum Memory exceeds possible maximum on new VM dialog
  • BZ - 1951579 - RHV api issues when account has only "UserRole" permissions
  • BZ - 1954878 - [RFE] Auto Pinning Policy: improve tooltip description and policy names
  • BZ - 1955582 - rhv-image-discrepancies reports "different attribute voltype on storage(SHARED) and on DB(LEAF)" for template volumes
  • BZ - 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
  • BZ - 1960968 - Disable checking of SSH connection when adding a host into the ansible-runner-service inventory
  • BZ - 1961338 - [CodeChange][i18n] oVirt 4.4.7 rhv branding - translation update
  • BZ - 1967169 - rhv-log-collector-analyzer --json fails with AttributeError
  • BZ - 1970718 - Engine hits NPE when importing template with disks on 2 storage domains

CVEs

  • CVE-2020-7733
  • CVE-2020-28469
  • CVE-2021-23343
  • CVE-2021-23358

References

  • https://access.redhat.com/security/updates/classification/#moderate

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Virtualization Manager 4.4

SRPM
ovirt-engine-4.4.7.6-0.11.el8ev.src.rpm SHA-256: 91c2a733112a6cce5f4e213383688ff210657c0f0d9d36d5515be5c49fc76282
ovirt-engine-dwh-4.4.7.3-1.el8ev.src.rpm SHA-256: cafac86388e32ae63e1ed1e0583e4788034061ea571896368a4606c3937fae1f
ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.src.rpm SHA-256: 98f734c6a56969c868e3662ff829e5141d43c5fe7e8df27511fd3fbcb423b092
ovirt-engine-ui-extensions-1.2.7-1.el8ev.src.rpm SHA-256: f936a66a514b588573f2f3bf3342fec4d545d2958ddf0634a9286b4742a93a68
ovirt-web-ui-1.7.0-1.el8ev.src.rpm SHA-256: b0e42105b737e24d0f92fe947aaf646202fcfcf3120e43f28f3851827e0b3862
rhv-log-collector-analyzer-1.0.10-1.el8ev.src.rpm SHA-256: 84e6524a9b05c52869a51394ccdeeb634396a83d54d17e6a3f8c1c7cf666c0b4
rhvm-branding-rhv-4.4.9-1.el8ev.src.rpm SHA-256: 8cbc3ac795cb59c33f169f1e3569d95522b427f40272222a9f50d08bf19df119
x86_64
ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: a41b3844daaf41dc553a9c9227f03cd808c6a5db61ac32e6e1fa943fb660c8ae
ovirt-engine-backend-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: e48b9bf497e179af41893a128fb43abc5e61e210f43af260261be9ccb6abd15a
ovirt-engine-dbscripts-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: fa5892e83521f9cdd04e969c6c02d2bd0e6fa92e5c8cd23b96a11f5c4abfe0b8
ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch.rpm SHA-256: d48af6bc6dea4e7417ae63d1ac0f285d7da6aeefbd0bec23c1692aa90a65ca8d
ovirt-engine-dwh-grafana-integration-setup-4.4.7.3-1.el8ev.noarch.rpm SHA-256: 0cd2b74282f861b89616f356f69de2839fc834d3153e7c6df26dbe02fb6ef8ef
ovirt-engine-dwh-setup-4.4.7.3-1.el8ev.noarch.rpm SHA-256: 55b6f7a9e5367a5088a236a244d3056285287f383f18899490a2152d73da0068
ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.noarch.rpm SHA-256: f9a51600e7c50199f549d42fa545f1316701a4d3b9e4ab8c00a753b57e0254fe
ovirt-engine-extension-aaa-ldap-setup-1.4.4-1.el8ev.noarch.rpm SHA-256: 898b48d88d7d141c8e8edc9c8c9503940ae4f21ef79a180b9beeaf6c738f6222
ovirt-engine-health-check-bundler-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: af64060f24df2a3bacfc80553e0b42a95a2f96a7019f8aa9a98cbb7e860dfd24
ovirt-engine-restapi-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 52c7e687166ab6f96da649d4fe429bb0605e9f839b945e5001ac47493f2b1a81
ovirt-engine-setup-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: cbd90b064b66f3435448090934da0c8a5bddbe3483f35451d2e627d2ae84e20f
ovirt-engine-setup-base-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: ec2b587941648939ac449ba2eafe77f80882e3e9289b3445f6a78c7c7d00754a
ovirt-engine-setup-plugin-cinderlib-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: ef110950ac00b8dec278096822542ba90d476f4f51516773459e250a96328538
ovirt-engine-setup-plugin-imageio-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: cd3b22f1e7e2b6c23d15cef4eb7c4d758814d4f1298bca2ae4de1294c3dcc18a
ovirt-engine-setup-plugin-ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 3cd5e610cbed83470d9ff020a3ba2c4307757fbb8c83d7442c773d161e02db83
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 5bb9585e4bb6422c50d27f8d054b9238254719eaf3204348c77d69cb4ef7ba42
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: e1f68a3eb1defcf34e15cf9007ee6faf472a325ce76f46b1f0b180352a005f59
ovirt-engine-setup-plugin-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 1cf9125e3bd6b428450a7f3a0ee48b44220bb9208a85c9687c6c4e137c6aa6f8
ovirt-engine-tools-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 55c5dd7ad3c1f05c0e6be871c1689c8e5767604db0ecf876a80c1e0f94e3b742
ovirt-engine-tools-backup-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 76521bded137cf69c5193a8acb1d0e1ae7470df08e6798ceca6fa92b3b199c37
ovirt-engine-ui-extensions-1.2.7-1.el8ev.noarch.rpm SHA-256: 6e43c32b9c1549cf397be0590459b7fcb1dc122268e01644e274aa095476d2f8
ovirt-engine-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: f40a984fc208b37d06d4a42b953e4155dfb22fbad72afaa03e08767d1ab7daf9
ovirt-engine-webadmin-portal-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: 3e5975acadf80d7ebb52c3737c51490e2197e35d932a19d418fd9441e5407e9b
ovirt-engine-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: d2ae96cfb545a55be17a3218ab26a97fa03aebdbcc36d0bc9bf73391618c456b
ovirt-web-ui-1.7.0-1.el8ev.noarch.rpm SHA-256: 55b333f679f8b8e50a0e53bc8b28737967084b27638f9f82db8db4c923cce1c3
python3-ovirt-engine-lib-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: dea361c7c4625a1b58deeaaf7350bc866a26b223929409d39a803373f0ce4fd1
rhv-log-collector-analyzer-1.0.10-1.el8ev.noarch.rpm SHA-256: 9b0815aec2bf82515eb5e42be271edd9294ea4ea04173a552437669966b62618
rhvm-4.4.7.6-0.11.el8ev.noarch.rpm SHA-256: d79191fbc26ee4560b835b515fa3a5c50643b77c76f5304a32ba4996b69c336f
rhvm-branding-rhv-4.4.9-1.el8ev.noarch.rpm SHA-256: 3d693c2938016c25f96d1b3961f02016411f8d3ba33ba2a407c2bf99e867baf0
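
A practitioner checking a Manager against this advisory wants two things: whether the installed packages are already at or past the fixed versions, and whether an RPM pulled from a mirror is byte-for-byte the one whose digest is published above. The Python script below is an added example, not Red Hat tooling and not part of the advisory. The fixed versions and the two SHA-256 digests are copied from the package table above; rpmvercmp is a reimplementation of rpm's version-comparison rules (tilde handled, the rarer caret not); INSTALLED_SAMPLE is a constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` output in which the pre-update versions are invented for illustration.

```python
"""Check a RHV Manager against RHSA-2021:2865 (added example, not Red Hat tooling).
Compares installed versions with the advisory's fixed versions using rpm's
version-comparison rules, and checks a downloaded RPM's SHA-256 against the
digest published in the package table."""
import hashlib
import hmac

# Fixed (version, release) per package, from the advisory; epoch is 0 for all.
FIXED = {
    "ovirt-engine": ("4.4.7.6", "0.11.el8ev"),
    "rhvm": ("4.4.7.6", "0.11.el8ev"),
    "ovirt-engine-dwh": ("4.4.7.3", "1.el8ev"),
    "ovirt-engine-ui-extensions": ("1.2.7", "1.el8ev"),
    "ovirt-web-ui": ("1.7.0", "1.el8ev"),
}
# Two SHA-256 digests copied from the advisory's package table.
PUBLISHED_SHA256 = {
    "ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm":
        "a41b3844daaf41dc553a9c9227f03cd808c6a5db61ac32e6e1fa943fb660c8ae",
    "rhvm-4.4.7.6-0.11.el8ev.noarch.rpm":
        "d79191fbc26ee4560b835b515fa3a5c50643b77c76f5304a32ba4996b69c336f",
}
# Constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`
# output from a not-yet-updated Manager; the pre-update versions are invented.
INSTALLED_SAMPLE = """\
ovirt-engine (none) 4.4.6.8 0.1.el8ev
rhvm (none) 4.4.6.8 0.1.el8ev
ovirt-engine-dwh (none) 4.4.7.3 1.el8ev
ovirt-web-ui (none) 1.6.0 1.el8ev
"""

def _take(s, k, pred):
    n = k                                   # longest run satisfying pred from k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]

def rpmvercmp(a: str, b: str) -> int:
    """rpm's rules: digit/alpha segments; digits compare numerically, letters
    lexically, a digit segment beats an alpha one; '~' sorts before everything,
    even end of string (1.0~rc1 < 1.0). Returns -1, 0 or 1. '^' not handled."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                                  # skip separators like '.'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]             # "" once a side is exhausted
        if ca == "~" or cb == "~":
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(sa), j + len(sb)
        if not sb:                                  # segment types differ
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def evr_cmp(evr1, evr2) -> int:
    """Compare (epoch, version, release) triples; the first differing field wins."""
    for x, y in zip(evr1, evr2):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def check_installed(rpm_qa_output: str) -> dict:
    """Map each advisory package to 'fixed', 'needs update' or 'not installed'."""
    installed = {}
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, epoch, ver, rel = line.split()
        installed[name] = ("0" if epoch == "(none)" else epoch, ver, rel)
    report = {}
    for name, (fver, frel) in FIXED.items():
        if name not in installed:
            report[name] = "not installed"
        elif evr_cmp(installed[name], ("0", fver, frel)) >= 0:
            report[name] = "fixed"
        else:
            report[name] = "needs update"
    return report

def sha256_matches(filename: str, data: bytes) -> bool:
    """True if data hashes to the advisory's digest for filename (KeyError if absent)."""
    expected = PUBLISHED_SHA256[filename]
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

if __name__ == "__main__":
    for name, status in check_installed(INSTALLED_SAMPLE).items():
        print(f"{name:28s} {status}")
```

On a real Manager, feed `check_installed` the output of the `rpm -qa` query shown in the comment, and pass `sha256_matches` the file name and bytes of each downloaded RPM. The digest check confirms the download matches the advisory's table; it does not replace RPM signature verification (`rpm -K` against the Red Hat product signing keys, or dnf's gpgcheck), which is what actually binds the package to its publisher.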

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
