Red Hat Product Errata RHSA-2022:1053 - Security Advisory
Issued:
2022-03-24
Updated:
2022-03-24

RHSA-2022:1053 - Security Advisory

Synopsis

Important: Red Hat Virtualization Host security and enhancement update [ovirt-4.4.10] Async #2

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

Security Fix(es):

  • expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
  • expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
  • expat: Integer overflow in storeRawNames() (CVE-2022-25315)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Red Hat Virtualization Host was rebased on Red Hat Enterprise Linux 8.5.0.3. (BZ#2048407)
  • Rebase package(s) to version: libvirt-7.6.0-6.1.module+el8.5.0+14474+b3410d40

Highlights and important bug fixes: consume libvirt fix for failure to connect socket to '/run/libvirt/virtlogd-sock' - possibly caused by too many open files from libvirtd. (BZ#2057048)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization 4 for RHEL 8 x86_64
  • Red Hat Virtualization Host 4 for RHEL 8 x86_64

Fixes

  • BZ - 2034626 - Upgrade elfutils to elfutils-0.185-1.el8
  • BZ - 2048407 - Rebase RHV-H 4.4.10 on RHEL 8.5.0.3
  • BZ - 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
  • BZ - 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
  • BZ - 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
  • BZ - 2057048 - consume libvirt fix for: Failed to connect socket to '/run/libvirt/virtlogd-sock' - possibly caused by Too many open files from libvirtd

Red Hat Virtualization 4 for RHEL 8

SRPM
redhat-release-virtualization-host-4.4.10-3.el8ev.src.rpm SHA-256: 4d45d8a951cf55718d3b7fcfcd46003911a184cac3b278b75022ae54a250a1a0
x86_64
redhat-release-virtualization-host-4.4.10-3.el8ev.x86_64.rpm SHA-256: 804aef23e6358ce24abf3934ae3068602fb82b8a4c9e9a239f3de1cada26c60d
redhat-release-virtualization-host-content-4.4.10-3.el8ev.x86_64.rpm SHA-256: 6c8bb4932aa3f121b1f15c021aaf29da6734b1d139c50a6dfc7145e74a7b651d
redhat-virtualization-host-image-update-placeholder-4.4.10-3.el8ev.noarch.rpm SHA-256: 474a5f80b6280cb4c48d934640804559d93848d219ab4f241cbceb963b81971f

Red Hat Virtualization Host 4 for RHEL 8

SRPM
elfutils-0.185-1.el8.src.rpm SHA-256: 3e34cfbe0ee504e295857f3b353df0c3bb5363847742115a70e12ede1613129c
redhat-virtualization-host-4.4.10-202203211649_8.5.src.rpm SHA-256: 37485fbdb8b263ae572bbbf7efef7beb97233748b78a31327350e67c35852b6d
x86_64
elfutils-debuginfo-0.185-1.el8.x86_64.rpm SHA-256: 4be8907ec6043585ab64712aadfead57f7609461c9a5ef831cfaf1cef2f73c12
elfutils-debuginfod-client-0.185-1.el8.x86_64.rpm SHA-256: 1291973fb1c479d3d3dab62d7dbcda052ab998779a0eb2e45427d0e2257d8db4
elfutils-debuginfod-client-debuginfo-0.185-1.el8.x86_64.rpm SHA-256: a911308d4bc58505f6146da97e1f1a29fe4157e3513611e5ef0bcdc6ccc61750
elfutils-debuginfod-debuginfo-0.185-1.el8.x86_64.rpm SHA-256: 040cf6d9ad2aab17a3b17cd0937e37ff074a62f4cbc60410f95201d0203fd5a3
elfutils-debugsource-0.185-1.el8.x86_64.rpm SHA-256: fc6d11f080b1196f8aaec22d80b779ff41d091474a39d1ac015c26afab02dcb0
elfutils-devel-0.185-1.el8.x86_64.rpm SHA-256: 5001917a5c97fec5397792750adfd8efde1e096feab427f35fa807d7c0f3ec7d
elfutils-libelf-debuginfo-0.185-1.el8.x86_64.rpm SHA-256: 0ecf63f61a91e5d9ec58401f0401473e1908392980c5ddee7f8017ce3d895c4b
elfutils-libs-debuginfo-0.185-1.el8.x86_64.rpm SHA-256: 9c127db613b96a75b9d2406ecab9b2f928a2da408b2f64c2ecb78040e69649cc
redhat-virtualization-host-image-update-4.4.10-202203211649_8.5.x86_64.rpm SHA-256: 6c55ff91106447e58340a445fad019a98c92b72dd93837a76e0f0c2f40324b0c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.