- Issued:
- 2022-03-24
- Updated:
- 2022-03-24
RHSA-2022:1053 - Security Advisory
Synopsis
Important: Red Hat Virtualization Host security and enhancement update [ovirt-4.4.10] Async #2
Type/Severity
Security Advisory: Important
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es):
- expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
- expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
- expat: Integer overflow in storeRawNames() (CVE-2022-25315)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Red Hat Virtualization Host was rebased on Red Hat Enterprise Linux 8.5.0.3. (BZ#2048407)
- Rebase package(s) to version: libvirt-7.6.0-6.1.module+el8.5.0+14474+b3410d40
Highlights and important bug fixes: consume libvirt fix for failure to connect socket to '/run/libvirt/virtlogd-sock' - possibly caused by too many open files from libvirtd. (BZ#2057048)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Virtualization 4 for RHEL 8 x86_64
- Red Hat Virtualization Host 4 for RHEL 8 x86_64
Fixes
- BZ - 2034626 - Upgrade elfutils to elfutils-0.185-1.el8
- BZ - 2048407 - Rebase RHV-H 4.4.10 on RHEL 8.5.0.3
- BZ - 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
- BZ - 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
- BZ - 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
- BZ - 2057048 - consume libvirt fix for: Failed to connect socket to '/run/libvirt/virtlogd-sock' - possibly caused by Too many open files from libvirtd
Red Hat Virtualization 4 for RHEL 8
| SRPM | |
|---|---|
| redhat-release-virtualization-host-4.4.10-3.el8ev.src.rpm | SHA-256: 4d45d8a951cf55718d3b7fcfcd46003911a184cac3b278b75022ae54a250a1a0 |
| x86_64 | |
| redhat-release-virtualization-host-4.4.10-3.el8ev.x86_64.rpm | SHA-256: 804aef23e6358ce24abf3934ae3068602fb82b8a4c9e9a239f3de1cada26c60d |
| redhat-release-virtualization-host-content-4.4.10-3.el8ev.x86_64.rpm | SHA-256: 6c8bb4932aa3f121b1f15c021aaf29da6734b1d139c50a6dfc7145e74a7b651d |
| redhat-virtualization-host-image-update-placeholder-4.4.10-3.el8ev.noarch.rpm | SHA-256: 474a5f80b6280cb4c48d934640804559d93848d219ab4f241cbceb963b81971f |
Red Hat Virtualization Host 4 for RHEL 8
| SRPM | |
|---|---|
| elfutils-0.185-1.el8.src.rpm | SHA-256: 3e34cfbe0ee504e295857f3b353df0c3bb5363847742115a70e12ede1613129c |
| redhat-virtualization-host-4.4.10-202203211649_8.5.src.rpm | SHA-256: 37485fbdb8b263ae572bbbf7efef7beb97233748b78a31327350e67c35852b6d |
| x86_64 | |
| elfutils-debuginfo-0.185-1.el8.x86_64.rpm | SHA-256: 4be8907ec6043585ab64712aadfead57f7609461c9a5ef831cfaf1cef2f73c12 |
| elfutils-debuginfod-client-0.185-1.el8.x86_64.rpm | SHA-256: 1291973fb1c479d3d3dab62d7dbcda052ab998779a0eb2e45427d0e2257d8db4 |
| elfutils-debuginfod-client-debuginfo-0.185-1.el8.x86_64.rpm | SHA-256: a911308d4bc58505f6146da97e1f1a29fe4157e3513611e5ef0bcdc6ccc61750 |
| elfutils-debuginfod-debuginfo-0.185-1.el8.x86_64.rpm | SHA-256: 040cf6d9ad2aab17a3b17cd0937e37ff074a62f4cbc60410f95201d0203fd5a3 |
| elfutils-debugsource-0.185-1.el8.x86_64.rpm | SHA-256: fc6d11f080b1196f8aaec22d80b779ff41d091474a39d1ac015c26afab02dcb0 |
| elfutils-devel-0.185-1.el8.x86_64.rpm | SHA-256: 5001917a5c97fec5397792750adfd8efde1e096feab427f35fa807d7c0f3ec7d |
| elfutils-libelf-debuginfo-0.185-1.el8.x86_64.rpm | SHA-256: 0ecf63f61a91e5d9ec58401f0401473e1908392980c5ddee7f8017ce3d895c4b |
| elfutils-libs-debuginfo-0.185-1.el8.x86_64.rpm | SHA-256: 9c127db613b96a75b9d2406ecab9b2f928a2da408b2f64c2ecb78040e69649cc |
| redhat-virtualization-host-image-update-4.4.10-202203211649_8.5.x86_64.rpm | SHA-256: 6c55ff91106447e58340a445fad019a98c92b72dd93837a76e0f0c2f40324b0c |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
