Red Hat Product Errata RHSA-2021:5035 - Security Advisory
Issued:
2021-12-08
Updated:
2021-12-08

RHSA-2021:5035 - Security Advisory

Synopsis

Critical: RHV-H security update (redhat-virtualization-host) 4.3.20

Type/Severity

Security Advisory: Critical

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host.
These packages include redhat-release-virtualization-host. Red Hat
Virtualization Hosts (RHVH) are installed using a special build of Red Hat
Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and
performing administrative tasks.

Security Fix(es):

  • nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)
  • kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free (CVE-2020-36385)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization 4 for RHEL 7 x86_64
  • Red Hat Virtualization Host 4 for RHEL 7 x86_64

Fixes

  • BZ - 1974319 - CVE-2020-36385 kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free
  • BZ - 2024370 - CVE-2021-43527 nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS)

Red Hat Virtualization 4 for RHEL 7

SRPM
redhat-release-virtualization-host-4.3.20-1.el7ev.src.rpm SHA-256: ff604b69d10b9e67921d3e98951d68f89db5b5f281dc7e69489c7d23373a3423
redhat-virtualization-host-4.3.20-20211202.1.el7_9.src.rpm SHA-256: d7b59ba7fafd3b4d6d80f221a03907cd5dec416dbc136b8134bd99e0ea27f533
x86_64
redhat-release-virtualization-host-4.3.20-1.el7ev.x86_64.rpm SHA-256: c1720fe989d58818aab4913d2a609081d4f51e482f47cbdc204d52159c4c75a2
redhat-virtualization-host-image-update-4.3.20-20211202.1.el7_9.noarch.rpm SHA-256: 28d2a63da3f7f6353922122a75a98f2f8fa3b7c2426e18fcfb8a2489cfc90123
redhat-virtualization-host-image-update-placeholder-4.3.20-1.el7ev.noarch.rpm SHA-256: 148327ec2e7cc8eb97cd62fee3f79837ad5f369cf881996cf7750cc206178a42

Red Hat Virtualization Host 4 for RHEL 7

SRPM
redhat-virtualization-host-4.3.20-20211202.1.el7_9.src.rpm SHA-256: d7b59ba7fafd3b4d6d80f221a03907cd5dec416dbc136b8134bd99e0ea27f533
x86_64
redhat-virtualization-host-image-update-4.3.20-20211202.1.el7_9.noarch.rpm SHA-256: 28d2a63da3f7f6353922122a75a98f2f8fa3b7c2426e18fcfb8a2489cfc90123

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.