Issued:: 2022-11-22
Updated:: 2022-11-22

RHSA-2022:8598 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat Virtualization Host security update [ovirt-4.5.3-1]

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for redhat-release-virtualization-host, redhat-virtualization-host, and redhat-virtualization-host-productimg is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.

The following packages have been upgraded to a later upstream version: redhat-release-virtualization-host (4.5.2), redhat-virtualization-host (4.5.2), redhat-virtualization-host-productimg (4.5.2). (BZ#2070049, BZ#2093195)

Security Fix(es):

libksba: integer overflow may lead to remote code execution (CVE-2022-3515)
bind: memory leak in ECDSA DNSSEC verification code (CVE-2022-38177)
bind: memory leaks in EdDSA DNSSEC verification code (CVE-2022-38178)
expat: a use-after-free in the doContent function in xmlparse.c (CVE-2022-40674)
device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization 4 for RHEL 8 x86_64
Red Hat Virtualization Host 4 for RHEL 8 x86_64

Fixes

BZ - 2127936 - Upgrade redhat-release-virtualization-host to 4.5.3
BZ - 2128601 - CVE-2022-38177 bind: memory leak in ECDSA DNSSEC verification code
BZ - 2128602 - CVE-2022-38178 bind: memory leaks in EdDSA DNSSEC verification code
BZ - 2128986 - Rebase RHV-H 4.4 SP1 on RHEL 8.6.0.4
BZ - 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c
BZ - 2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
BZ - 2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 4 for RHEL 8

SRPM
redhat-release-virtualization-host-4.5.3-1.el8ev.src.rpm	SHA-256: d24f021edef23036b4074ea822d7c4c642951eb8d405a9858e5fcac27e090550
redhat-virtualization-host-productimg-4.5.3-1.el8.src.rpm	SHA-256: ab38d39a5a130c6d54dc71d698ffd8215bcef23a6cd411af8f61f41d1184cc27
x86_64
redhat-release-virtualization-host-4.5.3-1.el8ev.x86_64.rpm	SHA-256: 8ee8ed25dc4f340d3aa920a241e1d637609dd99b36ef4c22f86127f37e5dc6dc
redhat-release-virtualization-host-content-4.5.3-1.el8ev.x86_64.rpm	SHA-256: d61f212b7bb48019cab42cc842dd3aea006236fc766c29308a5ba50f9c8d7e80
redhat-virtualization-host-image-update-placeholder-4.5.3-1.el8ev.noarch.rpm	SHA-256: 0e8af25d4b2a5a5f90d297cade551464a980717ec96d5cb78296cf9b589c60d3
redhat-virtualization-host-productimg-4.5.3-1.el8.x86_64.rpm	SHA-256: 5e47dec8eb82ec540bc97195905a70287eac218fd6ecac625908bbe09062f99f

Red Hat Virtualization Host 4 for RHEL 8

SRPM
redhat-virtualization-host-4.5.3-202211170828_8.6.src.rpm	SHA-256: 8274b1d5eedd11f94aee04154dec83e0164262d95e047ae75e613231e57150a7
x86_64
redhat-virtualization-host-image-update-4.5.3-202211170828_8.6.x86_64.rpm	SHA-256: f3956d3970624d501b2e260c3ba64ee1bef6641a2ccbe448944cc5ce5a7fd08f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation