RHSA-2022:5555 - Security Advisory

Issued: 2022-07-14
Updated: 2022-07-14

Synopsis

Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update

Type/Severity

Security Advisory: Moderate

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

  • nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)
  • apache-commons-compress: infinite loop when reading a specially crafted 7Z archive (CVE-2021-35515)
  • apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (CVE-2021-35516)
  • apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-35517)
  • apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive (CVE-2021-36090)
  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
  • spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950)
  • semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding (CVE-2022-31051)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1663217 - [RFE] Add RHV VM name to the matching between Satellite's content host to RHV (currently only VM FQDN is used)
  • BZ - 1782077 - [RFE] More Flexible RHV CPU Allocation Policy with HyperThreading
  • BZ - 1849045 - Differences between apidoc and REST API documentation about exporting VMs and templates to OVA
  • BZ - 1852308 - Snapshot fails to create with 'Invalid parameter: 'capacity=1073741824'' Exception
  • BZ - 1958032 - Live Storage Migration fails because replication filled the destination volume before extension.
  • BZ - 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method
  • BZ - 1976607 - Deprecate QXL
  • BZ - 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
  • BZ - 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
  • BZ - 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
  • BZ - 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
  • BZ - 1994144 - [RHV 4.4.6] Mail recipient is not updated while configuring Event Notifications
  • BZ - 2001574 - Memory usage on Windows client browser while using move or copy disk operations on Admin web
  • BZ - 2001923 - NPE during RemoveSnapshotSingleDisk command
  • BZ - 2006625 - Engine generates VDS_HIGH_MEM_USE events for empty hosts that have most memory reserved by huge pages
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2030293 - VM in locked state forever if manager is rebooted while exporting VM as OVA
  • BZ - 2068270 - RHV-M Admin Portal gives '500 - Internal Server Error" with command_entities in EXECUTION_FAILED status
  • BZ - 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
  • BZ - 2070045 - UploadStreamVDSCommand fails with java.net.SocketTimeoutException after 20 seconds
  • BZ - 2072626 - RHV-M generates SNMPv3 trap with msgAuthoritativeEngineBoots: 0 despite multiple engine restarts
  • BZ - 2081241 - VFIO_MAP_DMA failed: Cannot allocate memory -12 (VM with GPU passthrough, Q35 machine and 16 vcpus)
  • BZ - 2081559 - [RFE] discrepancy tool should detect preallocated cow images that were reduced
  • BZ - 2089856 - [TestOnly] Bug 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied
  • BZ - 2092885 - Please say "SP1" on the landing page
  • BZ - 2093795 - Upgrade ovirt-log-collector to 4.4.6
  • BZ - 2097414 - CVE-2022-31051 semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding
  • BZ - 2099650 - Upgrade to latest version failed due to failed database schema refresh
  • BZ - 2105296 - cannot live migrate vm from rhv-h 4.4.10 to 4.50 (4.4.11)

CVEs

  • CVE-2021-3807
  • CVE-2021-22096
  • CVE-2021-33623
  • CVE-2021-35515
  • CVE-2021-35516
  • CVE-2021-35517
  • CVE-2021-36090
  • CVE-2022-22950
  • CVE-2022-31051

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Note: More recent versions of these packages may be available.

Red Hat Virtualization Manager 4.4

SRPM
apache-commons-compress-1.21-1.2.el8ev.src.rpm SHA-256: 9acf06046b9dffd358a314abeeb0eccec39cfd687f4c75ddc0c06dda678898f5
ovirt-dependencies-4.5.2-1.el8ev.src.rpm SHA-256: 2b0e163da04abb53517ba150631fcaf6181472120994959065ea8cac14729034
ovirt-engine-4.5.1.2-0.11.el8ev.src.rpm SHA-256: b643c1868afa8071e06260800804917d83eae47826154442b2b40b98f3843f74
ovirt-engine-dwh-4.5.3-1.el8ev.src.rpm SHA-256: 369473b35753c92d268c55a9c1d418c3ae53b1bafa77b17f1b1c50da9bc2d033
ovirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm SHA-256: 90a4c2d4d513cfe83ed6e6a417c1a12935409f0cb9857dc287646c7786b573ad
ovirt-log-collector-4.4.6-1.el8ev.src.rpm SHA-256: 5e8c10261bf533a901b387bf9d768dfe3da2bc4e0b1ce26a0fa8c4276fd8fcbc
ovirt-web-ui-1.9.0-1.el8ev.src.rpm SHA-256: ff7ef5296477fb407d38a97f11f37b1ab193ca855bc42cf67372aa33ca1ee078
postgresql-jdbc-42.2.14-1.el8ev.src.rpm SHA-256: db3cd9c96b5df600ec46f7e5f5f67e6a35e38de5b9728621cf4e34fe7a9c5126
rhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm SHA-256: f024336fe71ff4638a6e9ce78842d4eaa8e68844f68db673be548a4ccec25592
rhvm-branding-rhv-4.5.0-1.el8ev.src.rpm SHA-256: 1ef2c2c576f006f19bb672f68fa517dfa8cd15b86f987c079d8a56454d3b17d4
x86_64
apache-commons-compress-1.21-1.2.el8ev.noarch.rpm SHA-256: 7c7481f1790726cf74f48e78f34671f2d4b7548ee2a530f5a42c2971ce994b5e
apache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm SHA-256: 20641aeab2e9970fd693b4cf0a7b5e2a7edcf217fd7f5c219a692d896f93746d
ovirt-dependencies-4.5.2-1.el8ev.noarch.rpm SHA-256: e7f1f153568ad722cd300936d28c43cfa10af7d1032007b60446c0cb20e20018
ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 2e34f0553408613b1094414394b57b949c466ab89e4a81ea73e012b0b3fc218d
ovirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 41f58d2b4cabce13772d371cb7f563e6ccd9c0a95bfce1b74f3e768d10e86b8c
ovirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 34a750105f078145d96e3184f3513c60bda4004994398172f644a93a0b31835d
ovirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm SHA-256: 9a8d4cea20f3e6f8aecffb0fa44e74222be7f2a3af3ed0d92c2a2c9832b728e8
ovirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm SHA-256: 148cdfab0464044d97f8bf0b4e17970ad5fb1ed149afd9db3eba6f71f63d4e54
ovirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm SHA-256: bd5ddd3226144fbdcb0dd1f617f5a2a093ffe8f90caa4a0d4f88bbaa45626fe5
ovirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 3317cf5a9e4dc4b018cc5ee306181fe62d9ec4d9c0bd9ccf7784bc61ce19c6f7
ovirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 8bfba48e6d294f860240096fa5b30b3c99b6472ed845cd0d51be730daad4eb5d
ovirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 6d4da1c098c1cf7a4699c98098c78503b3b6893bc7acc44bcc47ba2b6c443dde
ovirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 135ddbf9fc09ed0720635baac448378bd327946018b0112da9d1132bfe880df5
ovirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 18356515f8dd9eec45014f74d4645f2169af4af99ee86a9809c246405374c1cf
ovirt-engine-setup-plugin-imageio-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: aef0bcb4f351f82736e7cb2bec092598506141f44289baa5f8d7c91da88d055e
ovirt-engine-setup-plugin-ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 5669539291c2c9fe7277ba41596475684c4b89a3a8a57cca767e835f3120ad53
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: d7fbc3bb8c1d91f8ab53298f821b955219b6f79f8d0aedd537a9f143a081332a
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: e2fffda04604c9175fd56243cf1ffecc4032f57a42872a0a85902f83abb4d529
ovirt-engine-setup-plugin-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: ddd19081379543b925c7f2fa29be3bf8ccd94da70fb67735d24dd70fa725e39e
ovirt-engine-tools-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 552612c3b957f14f1aed21bfb740a2d9415e8f144b18661cc9a8f3a0c60fc279
ovirt-engine-tools-backup-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 5978d3893559d73d56f5076813c306ebe1f0bd544724c0af14e1cc636cbfb9b7
ovirt-engine-ui-extensions-1.3.4-1.el8ev.noarch.rpm SHA-256: 7f177df6c88de515207729d5fb09e48c3974e20131ddca3e38aaa11bf61288ab
ovirt-engine-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 9ca4dc548fd717aeeb76e134dcba0f0ae9a58808968abed4b8d8bfcb2378076d
ovirt-engine-webadmin-portal-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 5b503e016712db7949f679fec2e5ef078a634bbf5927d36990d30d0dc6916bb3
ovirt-engine-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 99383d9191c9231cb0afcf4e5944cf5f5e2f256d217da31e470bab2286950d35
ovirt-log-collector-4.4.6-1.el8ev.noarch.rpm SHA-256: bd68b58ecd0782e64b288ada8ee94fb3631fb4df81634229ecb9d932f40e2ede
ovirt-web-ui-1.9.0-1.el8ev.noarch.rpm SHA-256: 99aeac179bc8300fc2a516d7febad0462973ac3750f309f16b10edf67dcfe698
postgresql-jdbc-42.2.14-1.el8ev.noarch.rpm SHA-256: 7beb0da467d074a32b0239db896b2ca1a0d60945b691fb441e41638e84e778fa
postgresql-jdbc-javadoc-42.2.14-1.el8ev.noarch.rpm SHA-256: 74115e17075e4fcfba185b26cd0493688d731b4730a141d037513c068f0a1592
python3-ovirt-engine-lib-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: decc6098b4baa5b57c2625f0765e5f2c25d152ff0e49d218bd31452bf2daebb4
rhv-log-collector-analyzer-1.0.14-1.el8ev.noarch.rpm SHA-256: b6b05e80f98327092b84aed32b1a0ea7e8cae029cd7c68c0c493ae1112d733a6
rhvm-4.5.1.2-0.11.el8ev.noarch.rpm SHA-256: 585ac00ac182014028ed547934d34dcbfb5de4952fcdd7d7dd21a6492f17ddd0
rhvm-branding-rhv-4.5.0-1.el8ev.noarch.rpm SHA-256: 5f1f9ba9c37291acc639fe10b0dfb1fe47144c79ca0d123c1f4076a14e0316ad

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
