RHSA-2022:4711 - Security Advisory

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

• nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
• nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)
• normalize-url: ReDoS for data URLs (CVE-2021-33502)
• jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182)
• jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)
• jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization Manager 4.4 x86_64

Fixes

• BZ - 655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin
• BZ - 977778 - [RFE] - Mechanism for converting disks for non-running VMS
• BZ - 1624015 - [RFE] Expose Console Options and Console invocation via API
• BZ - 1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM.
• BZ - 1667517 - [RFE] add VM Portal setting for set screen mode
• BZ - 1687845 - Multiple notification for one time host activation
• BZ - 1781241 - missing ?connect automatically? option in vm portal
• BZ - 1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN
• BZ - 1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy
• BZ - 1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold
• BZ - 1922977 - [RFE] VM shared disks are not part of the OVF_STORE
• BZ - 1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager
• BZ - 1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset
• BZ - 1944290 - URL to change the password is not shown properly
• BZ - 1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only)
• BZ - 1956295 - Template import from storage domain fails when quota is enabled.
• BZ - 1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api
• BZ - 1964208 - [RFE] add new feature for VM's screenshot on RestAPI
• BZ - 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
• BZ - 1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type"
• BZ - 1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer
• BZ - 1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning
• BZ - 1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs
• BZ - 1980192 - Network statistics copy a U64 into DECIMAL(18,4)
• BZ - 1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated'
• BZ - 1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled in RHVM installation
• BZ - 1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU
• BZ - 1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup
• BZ - 1990462 - [RFE] Add user name and password to ELK integration
• BZ - 1991240 - Assign user quota when provisioning from a non-blank template via web-ui
• BZ - 1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing
• BZ - 1996123 - ovf stores capacity/truesize on the storage does not match values in engine database
• BZ - 1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab
• BZ - 1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)
• BZ - 2000031 - SPM host is rebooted multiple times when engine recovers the host
• BZ - 2002283 - Make NumOfPciExpressPorts configurable via engine-config
• BZ - 2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520
• BZ - 2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot"
• BZ - 2006602 - vm_statistics table has wrong type for guest_mem_* columns.
• BZ - 2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing
• BZ - 2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx
• BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
• BZ - 2008798 - Older name rhv-openvswitch is not checked in ansible playbook
• BZ - 2010203 - Log analyzer creates faulty VM unmanaged devices report
• BZ - 2010903 - I/O operations/sec reporting wrong values
• BZ - 2013928 - Log analyzer creates faulty non default vdc_option report
• BZ - 2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM
• BZ - 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied
• BZ - 2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget
• BZ - 2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget
• BZ - 2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util
• BZ - 2021217 - [RFE] Windows 2022 support
• BZ - 2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages
• BZ - 2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd
• BZ - 2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language.
• BZ - 2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor
• BZ - 2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied
• BZ - 2030663 - Update Network statistics types in DWH
• BZ - 2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification
• BZ - 2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
• BZ - 2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues flags OVF_STORE volumes.
• BZ - 2037121 - RFE: Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output.
• BZ - 2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1
• BZ - 2040402 - unable to use --log-size=0 option
• BZ - 2040474 - [RFE] Add progress tracking for Cluster Upgrade
• BZ - 2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list.
• BZ - 2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate
• BZ - 2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup
• BZ - 2048546 - sosreport command should be replaced by sos report
• BZ - 2050566 - Upgrade ovirt-log-collector to 4.4.5
• BZ - 2050614 - Upgrade rhvm-setup-plugins to 4.5.0
• BZ - 2051857 - Upgrade rhv-log-collector-analizer to 1.0.13
• BZ - 2052557 - RHV fails to release mdev vGPU device after VM shutdown
• BZ - 2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine
• BZ - 2054756 - [welcome page] Add link to MTV guide
• BZ - 2055136 - virt module is not changed to the correct stream during host upgrade
• BZ - 2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key
• BZ - 2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail
• BZ - 2056126 - [RFE] Extend time to warn of upcoming certificate expiration
• BZ - 2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?'
• BZ - 2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics
• BZ - 2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide
• BZ - 2061904 - Unable to attach a RHV Host back into cluster after removing due to networking
• BZ - 2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1
• BZ - 2066084 - vmconsole-proxy-user certificate expired - cannot access serial console
• BZ - 2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken
• BZ - 2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table
• BZ - 2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1
• BZ - 2071468 - Engine fenced host that was already reconnected and set to Up status.
• BZ - 2072637 - Build and distribute python38-daemon in RHV channels
• BZ - 2072639 - Build and distribute ansible-runner in RHV channels
• BZ - 2072641 - Build and distribute python38-docutils in RHV channels
• BZ - 2072642 - Build and distribute python38-lockfile in RHV channels
• BZ - 2072645 - Build and distribute python38-pexpect in RHV channels
• BZ - 2072646 - Build and distribute python38-ptyprocess in RHV channels
• BZ - 2075352 - upgrading RHV-H does not renew certificate

CVEs

• CVE-2021-3807
• CVE-2021-23425
• CVE-2021-33502
• CVE-2021-41182
• CVE-2021-41183
• CVE-2021-41184

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes