RHSA-2021:4104 - Security Advisory

Topic

Red Hat OpenShift Virtualization release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.9.0 images:

RHEL-8-CNV-4.9
==============
kubevirt-v2v-conversion-container-v4.9.0-9
vm-import-controller-container-v4.9.0-15
cnv-containernetworking-plugins-container-v4.9.0-15
kubemacpool-container-v4.9.0-18
virtio-win-container-v4.9.0-8
vm-import-operator-container-v4.9.0-15
kubevirt-vmware-container-v4.9.0-8
kubevirt-template-validator-container-v4.9.0-14
cluster-network-addons-operator-container-v4.9.0-26
kubernetes-nmstate-handler-container-v4.9.0-25
node-maintenance-operator-container-v4.9.0-13
hostpath-provisioner-container-v4.9.0-6
bridge-marker-container-v4.9.0-13
kubevirt-ssp-operator-container-v4.9.0-28
ovs-cni-marker-container-v4.9.0-16
ovs-cni-plugin-container-v4.9.0-16
vm-import-virtv2v-container-v4.9.0-15
virt-cdi-apiserver-container-v4.9.0-35
virt-cdi-cloner-container-v4.9.0-35
virt-cdi-uploadproxy-container-v4.9.0-35
virt-cdi-controller-container-v4.9.0-35
hostpath-provisioner-operator-container-v4.9.0-15
virt-cdi-importer-container-v4.9.0-35
virt-cdi-uploadserver-container-v4.9.0-35
virt-cdi-operator-container-v4.9.0-35
virt-launcher-container-v4.9.0-58
virt-api-container-v4.9.0-58
virt-handler-container-v4.9.0-58
virt-operator-container-v4.9.0-58
virt-controller-container-v4.9.0-58
virt-artifacts-server-container-v4.9.0-58
libguestfs-tools-container-v4.9.0-58
cnv-must-gather-container-v4.9.0-54
hyperconverged-cluster-operator-container-v4.9.0-57
hyperconverged-cluster-webhook-container-v4.9.0-57
hco-bundle-registry-container-v4.9.0-249

Security Fix(es):

• gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
• golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
• golang: net: lookup functions may return invalid host names (CVE-2021-33195)
• golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
• golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
• golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Container Native Virtualization 4.9 for RHEL 8 x86_64

Fixes

• BZ - 1858777 - Alert for VM with 'evictionStrategy: LiveMigrate' for local PVs set
• BZ - 1891921 - virt-launcher is missing /usr/share/zoneinfo directory, making it impossible to set clock offset of timezone type for the guest RTC
• BZ - 1896469 - In cluster with OVN Kubernetes networking - a node doesn't recover when configuring linux-bridge over its default NIC
• BZ - 1903687 - [scale] 1K DV creation failed
• BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
• BZ - 1933043 - Delete VM just after it turns into "running" is very likely to hit grace period end
• BZ - 1935219 - [CNV-2.5] Set memory and CPU request on hco-operator and hco-webhook deployments
• BZ - 1942726 - test automatic bug creation for a new release
• BZ - 1943164 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed
• BZ - 1945589 - Live migration with virtiofs is possible
• BZ - 1953481 - New OCP priority classes are not used - Deploy
• BZ - 1953483 - New OCP priority classes are not used - SSP
• BZ - 1953484 - New OCP priority classes are not used - Storage
• BZ - 1955129 - Failed to bindmount hotplug-disk for hostpath-provisioner
• BZ - 1957852 - Could not start VM as restore snapshot was still not Complete
• BZ - 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
• BZ - 1963963 - hco.kubevirt.io:config-reader role and rolebinding are not strictly reconciled
• BZ - 1965050 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount
• BZ - 1973852 - Introduce VM crashloop backoff
• BZ - 1976604 - [CNV-5786] IP connectivity is lost after migration (masquerade)
• BZ - 1976730 - Disk is not usable due to incorrect size for proper alignment
• BZ - 1979631 - virt-chroot: container disk validation crash prevents VMI from starting/migrating
• BZ - 1979659 - 4.9.0 containers
• BZ - 1981345 - 4.9.0 rpms
• BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
• BZ - 1985083 - VMI Pod fails to terminate due to a zombie qemu process
• BZ - 1985649 - virt-handler Pod is missing xorrisofs command
• BZ - 1985670 - virt-launcher fails to create v1 controller cpu for group: Read-only file system
• BZ - 1985719 - Unprivileged client fails to get guest agent data
• BZ - 1989176 - kube-cni-linux-bridge-plugin Pod is missing bridge CNI plugin
• BZ - 1989263 - VM Snapshot may freeze guest indefinitely
• BZ - 1989269 - Online VM Snapshot storing incorrect VM spec
• BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
• BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
• BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
• BZ - 1991691 - Enable DownwardMetrics FeatureGate via HCO CR
• BZ - 1992608 - kubevirt doesn't respect useEmulation: true
• BZ - 1993121 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
• BZ - 1994389 - Some of the cdi resources missing app labels
• BZ - 1995295 - SCC annotation of ssp-operator was changed to privileged
• BZ - 1996407 - [cdi-functional-tests] cdi-docker-registry-host Pod fails to start
• BZ - 1997014 - Common templates - dataVolumeTemplates API version should be updated
• BZ - 1998054 - RHEL9 template - update template description.
• BZ - 1998656 - no "name" label in ssp-operator pod
• BZ - 1999571 - NFS clone not progressing when clone sizes mismatch (target > source)
• BZ - 1999617 - Unable to create a VM with nonroot VirtLauncher Pods
• BZ - 1999835 - ConsoleCLIDownload | wrong path in virtctl archive URL
• BZ - 2000052 - NNCP creation failures after nmstate-handler pod deletion
• BZ - 2000204 - [4.9.0] [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
• BZ - 2001041 - [4.9.0] Importer attempts to shrink an image in certain situations
• BZ - 2001047 - Automatic size detection may not request a PVC that is large enough for an import
• BZ - 2003473 - Failed to Migrate Windows VM with CDROM (readonly)
• BZ - 2005695 - With descheduler during multiple VMIs migrations, some VMs are restarted
• BZ - 2006418 - Clone Strategy does not work as described
• BZ - 2008900 - Eviction of not live migratable VMs due to virt-launcher upgrade can happen outside the upgrade window
• BZ - 2010742 - [CNV-4.9] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13
• BZ - 2011179 - Cluster-wide live migration limits and timeouts are not suitable
• BZ - 2017394 - After upgrade, live migration is Pending
• BZ - 2018521 - [Storage] Failed to restore VirtualMachineSnapshot after CNV upgrade

CVEs

• CVE-2020-25648
• CVE-2021-3121
• CVE-2021-3653
• CVE-2021-22922
• CVE-2021-22923
• CVE-2021-22924
• CVE-2021-31525
• CVE-2021-33195
• CVE-2021-33197
• CVE-2021-33198
• CVE-2021-34558
• CVE-2021-36222
• CVE-2021-37750

References

• https://access.redhat.com/security/updates/classification/#moderate