Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2021:4104 - Security Advisory
Issued:
2021-11-02
Updated:
2021-11-02

RHSA-2021:4104 - Security Advisory

  • Overview

Synopsis

Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Virtualization release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.9.0 images:

RHEL-8-CNV-4.9
==============
kubevirt-v2v-conversion-container-v4.9.0-9
vm-import-controller-container-v4.9.0-15
cnv-containernetworking-plugins-container-v4.9.0-15
kubemacpool-container-v4.9.0-18
virtio-win-container-v4.9.0-8
vm-import-operator-container-v4.9.0-15
kubevirt-vmware-container-v4.9.0-8
kubevirt-template-validator-container-v4.9.0-14
cluster-network-addons-operator-container-v4.9.0-26
kubernetes-nmstate-handler-container-v4.9.0-25
node-maintenance-operator-container-v4.9.0-13
hostpath-provisioner-container-v4.9.0-6
bridge-marker-container-v4.9.0-13
kubevirt-ssp-operator-container-v4.9.0-28
ovs-cni-marker-container-v4.9.0-16
ovs-cni-plugin-container-v4.9.0-16
vm-import-virtv2v-container-v4.9.0-15
virt-cdi-apiserver-container-v4.9.0-35
virt-cdi-cloner-container-v4.9.0-35
virt-cdi-uploadproxy-container-v4.9.0-35
virt-cdi-controller-container-v4.9.0-35
hostpath-provisioner-operator-container-v4.9.0-15
virt-cdi-importer-container-v4.9.0-35
virt-cdi-uploadserver-container-v4.9.0-35
virt-cdi-operator-container-v4.9.0-35
virt-launcher-container-v4.9.0-58
virt-api-container-v4.9.0-58
virt-handler-container-v4.9.0-58
virt-operator-container-v4.9.0-58
virt-controller-container-v4.9.0-58
virt-artifacts-server-container-v4.9.0-58
libguestfs-tools-container-v4.9.0-58
cnv-must-gather-container-v4.9.0-54
hyperconverged-cluster-operator-container-v4.9.0-57
hyperconverged-cluster-webhook-container-v4.9.0-57
hco-bundle-registry-container-v4.9.0-249

Security Fix(es):

  • gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
  • golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)
  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 4.9 for RHEL 8 x86_64

Fixes

  • BZ - 1858777 - Alert for VM with 'evictionStrategy: LiveMigrate' for local PVs set
  • BZ - 1891921 - virt-launcher is missing /usr/share/zoneinfo directory, making it impossible to set clock offset of timezone type for the guest RTC
  • BZ - 1896469 - In cluster with OVN Kubernetes networking - a node doesn't recover when configuring linux-bridge over its default NIC
  • BZ - 1903687 - [scale] 1K DV creation failed
  • BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
  • BZ - 1933043 - Delete VM just after it turns into "running" is very likely to hit grace period end
  • BZ - 1935219 - [CNV-2.5] Set memory and CPU request on hco-operator and hco-webhook deployments
  • BZ - 1942726 - test automatic bug creation for a new release
  • BZ - 1943164 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed
  • BZ - 1945589 - Live migration with virtiofs is possible
  • BZ - 1953481 - New OCP priority classes are not used - Deploy
  • BZ - 1953483 - New OCP priority classes are not used - SSP
  • BZ - 1953484 - New OCP priority classes are not used - Storage
  • BZ - 1955129 - Failed to bindmount hotplug-disk for hostpath-provisioner
  • BZ - 1957852 - Could not start VM as restore snapshot was still not Complete
  • BZ - 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
  • BZ - 1963963 - hco.kubevirt.io:config-reader role and rolebinding are not strictly reconciled
  • BZ - 1965050 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount
  • BZ - 1973852 - Introduce VM crashloop backoff
  • BZ - 1976604 - [CNV-5786] IP connectivity is lost after migration (masquerade)
  • BZ - 1976730 - Disk is not usable due to incorrect size for proper alignment
  • BZ - 1979631 - virt-chroot: container disk validation crash prevents VMI from starting/migrating
  • BZ - 1979659 - 4.9.0 containers
  • BZ - 1981345 - 4.9.0 rpms
  • BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
  • BZ - 1985083 - VMI Pod fails to terminate due to a zombie qemu process
  • BZ - 1985649 - virt-handler Pod is missing xorrisofs command
  • BZ - 1985670 - virt-launcher fails to create v1 controller cpu for group: Read-only file system
  • BZ - 1985719 - Unprivileged client fails to get guest agent data
  • BZ - 1989176 - kube-cni-linux-bridge-plugin Pod is missing bridge CNI plugin
  • BZ - 1989263 - VM Snapshot may freeze guest indefinitely
  • BZ - 1989269 - Online VM Snapshot storing incorrect VM spec
  • BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
  • BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
  • BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
  • BZ - 1991691 - Enable DownwardMetrics FeatureGate via HCO CR
  • BZ - 1992608 - kubevirt doesn't respect useEmulation: true
  • BZ - 1993121 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
  • BZ - 1994389 - Some of the cdi resources missing app labels
  • BZ - 1995295 - SCC annotation of ssp-operator was changed to privileged
  • BZ - 1996407 - [cdi-functional-tests] cdi-docker-registry-host Pod fails to start
  • BZ - 1997014 - Common templates - dataVolumeTemplates API version should be updated
  • BZ - 1998054 - RHEL9 template - update template description.
  • BZ - 1998656 - no "name" label in ssp-operator pod
  • BZ - 1999571 - NFS clone not progressing when clone sizes mismatch (target > source)
  • BZ - 1999617 - Unable to create a VM with nonroot VirtLauncher Pods
  • BZ - 1999835 - ConsoleCLIDownload | wrong path in virtctl archive URL
  • BZ - 2000052 - NNCP creation failures after nmstate-handler pod deletion
  • BZ - 2000204 - [4.9.0] [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
  • BZ - 2001041 - [4.9.0] Importer attempts to shrink an image in certain situations
  • BZ - 2001047 - Automatic size detection may not request a PVC that is large enough for an import
  • BZ - 2003473 - Failed to Migrate Windows VM with CDROM (readonly)
  • BZ - 2005695 - With descheduler during multiple VMIs migrations, some VMs are restarted
  • BZ - 2006418 - Clone Strategy does not work as described
  • BZ - 2008900 - Eviction of not live migratable VMs due to virt-launcher upgrade can happen outside the upgrade window
  • BZ - 2010742 - [CNV-4.9] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13
  • BZ - 2011179 - Cluster-wide live migration limits and timeouts are not suitable
  • BZ - 2017394 - After upgrade, live migration is Pending
  • BZ - 2018521 - [Storage] Failed to restore VirtualMachineSnapshot after CNV upgrade

CVEs

  • CVE-2020-25648
  • CVE-2021-3121
  • CVE-2021-3653
  • CVE-2021-22922
  • CVE-2021-22923
  • CVE-2021-22924
  • CVE-2021-31525
  • CVE-2021-33195
  • CVE-2021-33197
  • CVE-2021-33198
  • CVE-2021-34558
  • CVE-2021-36222
  • CVE-2021-37750

References

  • https://access.redhat.com/security/updates/classification/#moderate

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
2023
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Twitter Facebook