Issued:: 2021-09-09
Updated:: 2021-09-09

RHSA-2021:3477 - Security Advisory

Overview
Updated Packages

Synopsis

Important: RHV-H security update (redhat-virtualization-host) 4.3.18

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host.
These packages include redhat-release-virtualization-host. Red Hat
Virtualization Hosts (RHVH) are installed using a special build of Red Hat
Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and
performing administrative tasks.

Security Fix(es):

sssd: shell command injection in sssctl (CVE-2021-3621)
kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)
kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555)
libX11: missing request length checks (CVE-2021-31535)
kernel: race condition for removal of the HCI controller (CVE-2021-32399)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization 4 for RHEL 7 x86_64
Red Hat Virtualization Host 4 for RHEL 7 x86_64

Fixes

BZ - 1961822 - CVE-2021-31535 libX11: missing request length checks
BZ - 1970807 - CVE-2021-32399 kernel: race condition for removal of the HCI controller
BZ - 1975142 - CVE-2021-3621 sssd: shell command injection in sssctl
BZ - 1980101 - CVE-2021-22555 kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
BZ - 1993988 - CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 4 for RHEL 7

SRPM
redhat-release-virtualization-host-4.3.18-1.el7ev.src.rpm	SHA-256: 2d489d907f3e764914208da8bae40db053406724495782b4ae937e9ea91896f0
redhat-virtualization-host-4.3.18-20210903.0.el7_9.src.rpm	SHA-256: 164c100b504d1fbd80743d8ed2183879de797b5a921ba1937a7630313d980ffa
x86_64
redhat-release-virtualization-host-4.3.18-1.el7ev.x86_64.rpm	SHA-256: a732a8a8fa4ab8ef21d13ca864f5fd40542cefbc29c4ce123a47a011766a4b9b
redhat-virtualization-host-image-update-4.3.18-20210903.0.el7_9.noarch.rpm	SHA-256: 536b91f0d73c36cb39c1b8b5b75cddcd71201158c4be3ed9bc722a134bfbf422
redhat-virtualization-host-image-update-placeholder-4.3.18-1.el7ev.noarch.rpm	SHA-256: 23c38e353f99b890591a168c81980ecf8808310a335c0aa2d43cf4a6b76b8350

Red Hat Virtualization Host 4 for RHEL 7

SRPM
redhat-virtualization-host-4.3.18-20210903.0.el7_9.src.rpm	SHA-256: 164c100b504d1fbd80743d8ed2183879de797b5a921ba1937a7630313d980ffa
x86_64
redhat-virtualization-host-image-update-4.3.18-20210903.0.el7_9.noarch.rpm	SHA-256: 536b91f0d73c36cb39c1b8b5b75cddcd71201158c4be3ed9bc722a134bfbf422

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation