RHSA-2021:3259 - Security Advisory

Topic

Red Hat OpenShift Virtualization release 4.8.1 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.8.1 images:

RHEL-8-CNV-4.8
==============

kubevirt-v2v-conversion-container-v4.8.1-1
bridge-marker-container-v4.8.1-2
node-maintenance-operator-container-v4.8.1-1
cnv-containernetworking-plugins-container-v4.8.1-1
virtio-win-container-v4.8.1-1
ovs-cni-plugin-container-v4.8.1-2
kubevirt-vmware-container-v4.8.1-1
kubernetes-nmstate-handler-container-v4.8.1-2
cluster-network-addons-operator-container-v4.8.1-2
kubemacpool-container-v4.8.1-2
ovs-cni-marker-container-v4.8.1-2
cnv-must-gather-container-v4.8.1-4
virt-operator-container-v4.8.1-2
vm-import-virtv2v-container-v4.8.1-2
vm-import-operator-container-v4.8.1-2
vm-import-controller-container-v4.8.1-2
kubevirt-template-validator-container-v4.8.1-2
virt-cdi-cloner-container-v4.8.1-5
virt-cdi-controller-container-v4.8.1-5
virt-cdi-operator-container-v4.8.1-5
virt-cdi-apiserver-container-v4.8.1-5
hostpath-provisioner-operator-container-v4.8.1-3
virt-cdi-uploadproxy-container-v4.8.1-5
virt-cdi-importer-container-v4.8.1-5
hyperconverged-cluster-operator-container-v4.8.1-3
virt-cdi-uploadserver-container-v4.8.1-5
hyperconverged-cluster-webhook-container-v4.8.1-3
hostpath-provisioner-container-v4.8.1-2
kubevirt-ssp-operator-container-v4.8.1-5
virt-launcher-container-v4.8.1-3
virt-api-container-v4.8.1-3
virt-handler-container-v4.8.1-3
virt-controller-container-v4.8.1-3
hco-bundle-registry-container-v4.8.1-18

Security Fix(es):

• gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
• golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• [CNV 2.4.3] oc vm delete doesn't complete sometimes (BZ#1900631)
• Migration fails with read only cdrom drive attached (BZ#1927378)
• [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Network (BZ#1935218)
• [RFE][v2v] Expose the vddk library version loaded by nbdkit (BZ#1937405)
• New OCP priority classes are not used - Network (BZ#1953482)
• Migration fails with read only cdrom drive attached on "timed out waiting for domain to be defined" (BZ#1966903)
• cfgMap kubevirt-ca brought in by kubevirt does not get reconciled (BZ#1968410)
• Update nmstate version in CNV (BZ#1971262)
• virt-api - deprecated API is used (BZ#1972762)
• Pending VMIs when creating concurrent bulk of VMs backed by WFFC DVs (BZ#1974289)
• Migration of 'Migratable' VMs fails although live migration is enabled for the target environment (BZ#1977277)
• CDI importer doesn't report AwaitingVDDK like it used to (BZ#1979957)
• [4.8.1] Cloning DataVolumes between namespaces fails while creating cdi-upload pod (BZ#1982269)
• VMs Migration from a specific VMware fails the importer, on NfcFssrvrProcessErrorMsg (BZ#1984775)
• [RFE] Keep the VddkInitImage value in the v2v-vmware conigMap when upgrading CNV from 2.6 to CNV-4.8 (BZ#1984801)
• CDI Importer fails on large qcow2.gz (BZ#1989170)
• 4.8.1 containers (BZ#1989410)
• [hpp] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters (BZ#1990063)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html

Affected Products

• Red Hat Container Native Virtualization 4.8 for RHEL 8 x86_64
• Red Hat Container Native Virtualization 4.8 for RHEL 7 x86_64

Fixes

• BZ - 1900631 - [CNV 2.4.3] oc vm delete doesn't complete sometimes
• BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
• BZ - 1927378 - Migration fails with read only cdrom drive attached
• BZ - 1935218 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Network
• BZ - 1937405 - [RFE][v2v] Expose the vddk library version loaded by nbdkit
• BZ - 1953482 - New OCP priority classes are not used - Network
• BZ - 1966903 - Migration fails with read only cdrom drive attached on "timed out waiting for domain to be defined"
• BZ - 1968410 - cfgMap kubevirt-ca brought in by kubevirt does not get reconciled
• BZ - 1971262 - Update nmstate version in CNV
• BZ - 1972762 - virt-api - deprecated API is used
• BZ - 1974289 - Pending VMIs when creating concurrent bulk of VMs backed by WFFC DVs
• BZ - 1977277 - Migration of 'Migratable' VMs fails although live migration is enabled for the target environment
• BZ - 1979957 - CDI importer doesn't report AwaitingVDDK like it used to
• BZ - 1982269 - [4.8.1] Cloning DataVolumes between namespaces fails while creating cdi-upload pod
• BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
• BZ - 1984775 - VMs Migration from a specific VMware fails the importer, on NfcFssrvrProcessErrorMsg
• BZ - 1984801 - [RFE] Keep the VddkInitImage value in the v2v-vmware conigMap when upgrading CNV from 2.6 to CNV-4.8
• BZ - 1989170 - CDI Importer fails on large qcow2.gz
• BZ - 1989410 - 4.8.1 containers
• BZ - 1990063 - [hpp] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters

CVEs

• CVE-2015-8011
• CVE-2020-8203
• CVE-2021-3121
• CVE-2021-3516
• CVE-2021-3517
• CVE-2021-3518
• CVE-2021-3520
• CVE-2021-3537
• CVE-2021-3541
• CVE-2021-20271
• CVE-2021-27218
• CVE-2021-32399
• CVE-2021-33909
• CVE-2021-33910
• CVE-2021-34558

References

• https://access.redhat.com/security/updates/classification/#moderate