Home / mailings [RHSA-2022:4711-01] Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
Posted on 26 May 2022
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update
Advisory ID: RHSA-2022:4711-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4711
Issue date: 2022-05-26
CVE Names: CVE-2021-3807 CVE-2021-23425 CVE-2021-33502
CVE-2021-41182 CVE-2021-41183 CVE-2021-41184
=====================================================================
1. Summary:
Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
3. Description:
The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.
Security Fix(es):
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)
* nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)
* normalize-url: ReDoS for data URLs (CVE-2021-33502)
* jquery-ui: XSS in the altField option of the datepicker widget
(CVE-2021-41182)
* jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)
* jquery-ui: XSS in the 'of' option of the .position() util
(CVE-2021-41184)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
A list of bugs fixed in this update is available in the Technical Notes
book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin
977778 - [RFE] - Mechanism for converting disks for non-running VMS
1624015 - [RFE] Expose Console Options and Console invocation via API
1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM.
1667517 - [RFE] add VM Portal setting for set screen mode
1687845 - Multiple notification for one time host activation
1781241 - missing ?connect automatically? option in vm portal
1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN
1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy
1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold
1922977 - [RFE] VM shared disks are not part of the OVF_STORE
1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager
1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset
1944290 - URL to change the password is not shown properly
1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only)
1956295 - Template import from storage domain fails when quota is enabled.
1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api
1964208 - [RFE] add new feature for VM's screenshot on RestAPI
1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type"
1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer
1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning
1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs
1980192 - Network statistics copy a U64 into DECIMAL(18,4)
1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated'
1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled in RHVM installation
1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU
1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup
1990462 - [RFE] Add user name and password to ELK integration
1991240 - Assign user quota when provisioning from a non-blank template via web-ui
1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing
1996123 - ovf stores capacity/truesize on the storage does not match values in engine database
1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab
1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)
2000031 - SPM host is rebooted multiple times when engine recovers the host
2002283 - Make NumOfPciExpressPorts configurable via engine-config
2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520
2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot"
2006602 - vm_statistics table has wrong type for guest_mem_* columns.
2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing
2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2008798 - Older name rhv-openvswitch is not checked in ansible playbook
2010203 - Log analyzer creates faulty VM unmanaged devices report
2010903 - I/O operations/sec reporting wrong values
2013928 - Log analyzer creates faulty non default vdc_option report
2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM
2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied
2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget
2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget
2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util
2021217 - [RFE] Windows 2022 support
2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages
2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd
2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language.
2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor
2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied
2030663 - Update Network statistics types in DWH
2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification
2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues flags OVF_STORE volumes.
2037121 - RFE: Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output.
2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1
2040402 - unable to use --log-size=0 option
2040474 - [RFE] Add progress tracking for Cluster Upgrade
2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list.
2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate
2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup
2048546 - sosreport command should be replaced by sos report
2050566 - Upgrade ovirt-log-collector to 4.4.5
2050614 - Upgrade rhvm-setup-plugins to 4.5.0
2051857 - Upgrade rhv-log-collector-analizer to 1.0.13
2052557 - RHV fails to release mdev vGPU device after VM shutdown
2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine
2054756 - [welcome page] Add link to MTV guide
2055136 - virt module is not changed to the correct stream during host upgrade
2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key
2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail
2056126 - [RFE] Extend time to warn of upcoming certificate expiration
2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?'
2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics
2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide
2061904 - Unable to attach a RHV Host back into cluster after removing due to networking
2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1
2066084 - vmconsole-proxy-user certificate expired - cannot access serial console
2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken
2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table
2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1
2071468 - Engine fenced host that was already reconnected and set to Up status.
2072637 - Build and distribute python38-daemon in RHV channels
2072639 - Build and distribute ansible-runner in RHV channels
2072641 - Build and distribute python38-docutils in RHV channels
2072642 - Build and distribute python38-lockfile in RHV channels
2072645 - Build and distribute python38-pexpect in RHV channels
2072646 - Build and distribute python38-ptyprocess in RHV channels
2075352 - upgrading RHV-H does not renew certificate
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ansible-runner-2.1.3-1.el8ev.src.rpm
apache-sshd-2.8.0-0.1.el8ev.src.rpm
engine-db-query-1.6.4-1.el8ev.src.rpm
ovirt-dependencies-4.5.1-1.el8ev.src.rpm
ovirt-engine-4.5.0.7-0.9.el8ev.src.rpm
ovirt-engine-dwh-4.5.2-1.el8ev.src.rpm
ovirt-engine-metrics-1.6.0-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.3-1.el8ev.src.rpm
ovirt-log-collector-4.4.5-1.el8ev.src.rpm
ovirt-web-ui-1.8.1-2.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.13-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.11-1.el8ev.src.rpm
rhvm-setup-plugins-4.5.0-2.el8ev.src.rpm
vdsm-jsonrpc-java-1.7.1-2.el8ev.src.rpm
noarch:
ansible-runner-2.1.3-1.el8ev.noarch.rpm
apache-sshd-2.8.0-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.8.0-0.1.el8ev.noarch.rpm
engine-db-query-1.6.4-1.el8ev.noarch.rpm
ovirt-dependencies-4.5.1-1.el8ev.noarch.rpm
ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-backend-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-metrics-1.6.0-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-tools-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.3-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.0.7-0.9.el8ev.noarch.rpm
ovirt-log-collector-4.4.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.8.1-2.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.0.7-0.9.el8ev.noarch.rpm
python38-ansible-runner-2.1.3-1.el8ev.noarch.rpm
python38-docutils-0.14-12.4.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.13-1.el8ev.noarch.rpm
rhvm-4.5.0.7-0.9.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.11-1.el8ev.noarch.rpm
rhvm-setup-plugins-4.5.0-2.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.7.1-2.el8ev.noarch.rpm
vdsm-jsonrpc-java-javadoc-1.7.1-2.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-23425
https://access.redhat.com/security/cve/CVE-2021-33502
https://access.redhat.com/security/cve/CVE-2021-41182
https://access.redhat.com/security/cve/CVE-2021-41183
https://access.redhat.com/security/cve/CVE-2021-41184
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.