Issued: 2021-07-27
Updated: 2021-07-27
RHSA-2021:2920 - Security Advisory
Synopsis
Moderate: OpenShift Virtualization 4.8.0 Images
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Virtualization release 4.8.0 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 4.8.0 images:
RHEL-8-CNV-4.8
==============
kubevirt-template-validator-container-v4.8.0-9
kubevirt-ssp-operator-container-v4.8.0-41
virt-cdi-uploadserver-container-v4.8.0-25
cnv-must-gather-container-v4.8.0-50
virt-cdi-uploadproxy-container-v4.8.0-25
virt-cdi-cloner-container-v4.8.0-25
virt-cdi-apiserver-container-v4.8.0-25
kubevirt-v2v-conversion-container-v4.8.0-10
hostpath-provisioner-operator-container-v4.8.0-17
hyperconverged-cluster-webhook-container-v4.8.0-62
hyperconverged-cluster-operator-container-v4.8.0-62
virt-cdi-operator-container-v4.8.0-25
virt-cdi-importer-container-v4.8.0-25
virt-cdi-controller-container-v4.8.0-25
cnv-containernetworking-plugins-container-v4.8.0-14
kubemacpool-container-v4.8.0-22
ovs-cni-plugin-container-v4.8.0-17
ovs-cni-marker-container-v4.8.0-17
bridge-marker-container-v4.8.0-17
cluster-network-addons-operator-container-v4.8.0-28
kubernetes-nmstate-handler-container-v4.8.0-21
virtio-win-container-v4.8.0-9
kubevirt-vmware-container-v4.8.0-11
hostpath-provisioner-container-v4.8.0-14
node-maintenance-operator-container-v4.8.0-19
virt-launcher-container-v4.8.0-67
vm-import-virtv2v-container-v4.8.0-18
vm-import-controller-container-v4.8.0-18
vm-import-operator-container-v4.8.0-18
virt-handler-container-v4.8.0-67
virt-api-container-v4.8.0-67
virt-controller-container-v4.8.0-67
virt-operator-container-v4.8.0-67
hco-bundle-registry-container-v4.8.0-451
Security Fix(es):
- golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
- gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
- golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
- golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)
- ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Container Native Virtualization 4.8 for RHEL 8 x86_64
Fixes
- BZ - 1663162 - [RFE][Hyper-V] Configure Hyper-V enlightenments for Windows guests
- BZ - 1731819 - Migration pod becomes "Evicted" due to low on resource: ephemeral-storage on node after running quite a few migrations
- BZ - 1827793 - CDI: invalid large qcow2 is imported successfully instead of being rejected
- BZ - 1860671 - Node draining is blocked by virt-launcher eviction error due to PDB in a MachineConfig update
- BZ - 1862701 - OpenShift Virtualization defaults to LiveMigration eviction strategy even when not available (VM creation fails)
- BZ - 1862997 - secrets created by GCP IPI cannot be read by KubeVirt
- BZ - 1868099 - virt-operator does not continually reconcile objects
- BZ - 1868359 - SR-IOV : Changes in VM's IP on SR-IOV NIC are not reflected in VMI status
- BZ - 1873555 - One critical alert is constantly firing per running VM
- BZ - 1893790 - VM stuck in pending state
- BZ - 1896387 - [CNV-2.5] virt-launcher pod being stuck in termination state
- BZ - 1896795 - Upstream Disk API documentation doesn't specify the "cache" string format
- BZ - 1896797 - Upstream Device API documentation doesn't state the default value of blockMultiQueue
- BZ - 1898999 - Windows VMs created from templates should only be scheduled on hyper-v-capable nodes
- BZ - 1900273 - VM MAC Address changes every time VM is restarted
- BZ - 1901335 - [CNV][Chaos] Vm is not paused when connection to storage is lost
- BZ - 1901859 - NodeNetworkConfigurationPolicy failed to retrieve default gw - create VLAN interface
- BZ - 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
- BZ - 1903667 - VMIs get created with an undefined state field, which is confusing to the user
- BZ - 1903679 - [scale] 1K batch start VMS fail
- BZ - 1907707 - SR-IOV: secondary interface comes and goes in vmi status
- BZ - 1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
- BZ - 1911590 - RFE - Block VM creation with sata disk and ioThreadsPolicy settings
- BZ - 1915474 - Container-native Virtualization 4.8.0 Images
- BZ - 1917380 - virt-handler removed from node when node label changed if workload placement specified
- BZ - 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
- BZ - 1921280 - [VMIO] [vmware] Import a running VM without vmware tools installed causes the import to remain in after validation (0% in the UI)
- BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
- BZ - 1923243 - Error when deleting an instance of hostpath provisioner
- BZ - 1923251 - Confusing/duplicated parameter in "YAML View" when creating a deployment
- BZ - 1924479 - VMI resource guest OS info is not available after a number of minutes
- BZ - 1926019 - The reason of disk does not support snapshot is unreadable
- BZ - 1926746 - VM connect to SSH and consoles is not responsive after VM is up for 25 days
- BZ - 1926986 - nmstate interprets interface names as float64 and subsequently crashes on state update
- BZ - 1927473 - virtctl image-upload dv to an empty pvc times out when using virtctl-2.6.0
- BZ - 1927853 - el6 hosts can't work with the ballooning device because it defaults to virtio-non-transitional
- BZ - 1927886 - Kubevirt hotplug attacher pod is getting killed by oom-killer
- BZ - 1929351 - hostpath-provisioner does not reconcile clusterrole/binding via kubectl
- BZ - 1931519 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Virt
- BZ - 1932672 - [RFE]Quick start - Connecting a virtual machine to an external network
- BZ - 1936432 - VMs disconnected from nmstate-defined bridge when nmstatectl gets retriggered
- BZ - 1936926 - VM is created with kubevirt.io/v1 version, virt-template-validator fails to validate the VM
- BZ - 1936932 - Common templates - VirtualMachine api version should be updated to kubevirt.io/v1
- BZ - 1937307 - kubevirt version is not reported correctly
- BZ - 1937873 - Import fails due to nbdkit-curl-plugin missing
- BZ - 1937920 - Multiple live migrations can be created at once for the same VMI; they will run in parallel and make a mess
- BZ - 1938241 - [SSP] Pod placement configuration - dry run is not performed for all the configuration stanza
- BZ - 1939987 - Live Migrating a PAUSED VM gets it into UNPAUSED state on the migrated node
- BZ - 1941811 - Can't start VM backed by a PVC that is owned by a DataVolume
- BZ - 1942424 - HCO: KubeVirt jsonpatch Annotations cannot be applied
- BZ - 1943217 - [certificate renewal] certConfig is a struct and not a pointer
- BZ - 1944379 - HostDevice allocatable & capacity count on nodes doesn't update when device no longer allowlisted in HCO CR
- BZ - 1945522 - [VM import from RHV to CNV] Disk lock after importer failure prevents importer retry
- BZ - 1945606 - Add RHEL8.4 to common templates
- BZ - 1945608 - Update machine-type in common templates
- BZ - 1946100 - Import DV with https fails
- BZ - 1949392 - virt-handler Pod is missing `node-labeller.sh` script
- BZ - 1949795 - The defaulting mechanism on HCO CR is not working if the user completely omits the spec stanza
- BZ - 1950776 - virtctl version returns wrong client version
- BZ - 1951551 - Live migration fails when VMI has specified port any of [22222, 49152, 49153]
- BZ - 1952033 - must-gather: nft table data is not collected.
- BZ - 1952034 - must-gather: nft table data is not collected.
- BZ - 1952036 - must-gather: bridge data is not collected.
- BZ - 1952041 - must-gather: var/lib/cni/bin data is not collected.
- BZ - 1952052 - must-gather: ip data is not collected.
- BZ - 1952619 - Update kubevirt machinetype to pc-q35-rhel8.4.0
- BZ - 1953604 - Common templates - update deployed templates bundle
- BZ - 1953796 - must-gather: dev_vfio data is not collected
- BZ - 1953999 - NNCP fails to Configure - Internal Error
- BZ - 1954017 - VM Rename causes loss of data when a VM defines dataVolumeTemplates
- BZ - 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
- BZ - 1954470 - [RFE] Add Fedora34 to Fedora common templates
- BZ - 1954486 - Default cluster configuration for obsoleteCPUs and minCPU does not exist
- BZ - 1954498 - The example in virtctl removevolume help information is not accurate
- BZ - 1954663 - VMs cannot be deleted
- BZ - 1954667 - VM should be rejected when cloudinit is set without defining a cloudinit volume in spec.domain.devices.disk
- BZ - 1956245 - [certificate renewal] not enforcing small time values and duration < renewBefore
- BZ - 1956304 - KubevirtHyperconvergedClusterOperatorCRModification alert doesn't work as expected
- BZ - 1956792 - Node labeller - add node annotation to avoid reconciliation
- BZ - 1957423 - 100 Windows VMs are failing to start with Windows BSOD saying "inaccessible boot device"
- BZ - 1957521 - CDI Operator not interpreting custom cert params correctly
- BZ - 1958108 - KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster
- BZ - 1958862 - Missing default values for permitted host devices + misleading API naming
- BZ - 1961222 - Claim lost when smart cloning from a boot source
- BZ - 1961227 - Block DV using new storage spec creates PVC too large
- BZ - 1962135 - [Upgrade from 2.6.2 to 4.8.0] kubevirt configMap migrations are not adopted
- BZ - 1962604 - CNV 2.6 -> 4.8 upgrade: extra set of HPP resources when using custom CR name
- BZ - 1964483 - openshift-virtualization is still shipping CRDs defined as apiextensions.k8s.io/v1beta1 in its bundle
- BZ - 1964583 - No Virtual Machine Templates Found [EDIT - all templates are marked as deprecated]
- BZ - 1965390 - CDI using deprecated admissionregistration, apiregistration v1beta1
- BZ - 1967526 - Excessive logging of KMP
- BZ - 1967771 - nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs
- BZ - 1968196 - [strict reconciliation] resourceVersion not updated in HCO CR relatedObjects entry for kubevirt-storage-class-defaults
- BZ - 1969272 - [v2v] no kind VirtualMachine is registered for version "kubevirt.io/v1" i...
- BZ - 1969894 - [Regression][VMIO][Warm] The third precopy does not end in warm migration
- BZ - 1969912 - PCI passthrough devices are enabled by default
- BZ - 1972895 - CDI importer pod fails when VMware password contains special characters
- BZ - 1974297 - [v2v][VM import from VMware dialog via UI] VMs list is not loaded
- BZ - 1977179 - PVC keeps in pending when using hostpath-provisioner
CVEs
- CVE-2016-10228
- CVE-2017-14502
- CVE-2019-2708
- CVE-2019-3842
- CVE-2019-9169
- CVE-2019-13012
- CVE-2019-14866
- CVE-2019-25013
- CVE-2019-25032
- CVE-2019-25034
- CVE-2019-25035
- CVE-2019-25036
- CVE-2019-25037
- CVE-2019-25038
- CVE-2019-25039
- CVE-2019-25040
- CVE-2019-25041
- CVE-2019-25042
- CVE-2020-8231
- CVE-2020-8284
- CVE-2020-8285
- CVE-2020-8286
- CVE-2020-8927
- CVE-2020-9948
- CVE-2020-9951
- CVE-2020-9983
- CVE-2020-12362
- CVE-2020-12363
- CVE-2020-12364
- CVE-2020-13434
- CVE-2020-13543
- CVE-2020-13584
- CVE-2020-13776
- CVE-2020-14344
- CVE-2020-14345
- CVE-2020-14346
- CVE-2020-14347
- CVE-2020-14360
- CVE-2020-14361
- CVE-2020-14362
- CVE-2020-14363
- CVE-2020-15358
- CVE-2020-24977
- CVE-2020-25659
- CVE-2020-25712
- CVE-2020-26116
- CVE-2020-26137
- CVE-2020-26541
- CVE-2020-27618
- CVE-2020-27619
- CVE-2020-27813
- CVE-2020-28196
- CVE-2020-28935
- CVE-2020-29361
- CVE-2020-29362
- CVE-2020-29363
- CVE-2020-29652
- CVE-2020-36242
- CVE-2021-3114
- CVE-2021-3121
- CVE-2021-3177
- CVE-2021-3326
- CVE-2021-3516
- CVE-2021-3517
- CVE-2021-3518
- CVE-2021-3520
- CVE-2021-3537
- CVE-2021-3541
- CVE-2021-3560
- CVE-2021-20201
- CVE-2021-20271
- CVE-2021-23239
- CVE-2021-23240
- CVE-2021-23336
- CVE-2021-25215
- CVE-2021-25217
- CVE-2021-27219
- CVE-2021-28211
- CVE-2021-29482
- CVE-2021-33034
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.