-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager security update (ovirt-engine) [ovirt-4.4.6]
Advisory ID:       RHSA-2021:2179-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2179
Issue date:        2021-06-01
CVE Names:         CVE-2020-28500 CVE-2021-23337
====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and security flaws and add
various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the manager for virtualization
environments. This manager enables admins to define hosts and networks, as
well as to add storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

* nodejs-lodash: command injection via template (CVE-2021-23337)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* This release adds the queue attribute to the virtio-scsi driver in the
virtual machine configuration. This improvement enables multi-queue
performance with the virtio-scsi driver. (BZ#911394)

* With this release, source-load-balancing has been added as a new
sub-option for xmit_hash_policy. It can be configured for bond modes
balance-xor (2), 802.3ad (4) and balance-tlb (5), by specifying
xmit_hash_policy=vlan+srcmac. (BZ#1683987)

* The default DataCenter/Cluster will be set to compatibility level 4.6 on
new installations of Red Hat Virtualization 4.4.6. (BZ#1950348)

* With this release, support has been added for copying disks between
regular Storage Domains and Managed Block Storage Domains. It is now possible
to migrate disks between Managed Block Storage Domains and regular Storage
Domains. (BZ#1906074)

* Previously, the engine-config value LiveSnapshotPerformFreezeInEngine was
set by default to false and was supposed to be used in cluster compatibility
levels below 4.4, but the value applied globally rather than per cluster
level. With this release, each cluster level has its own value, defaulting to
false for 4.4 and above. This reduces unnecessary overhead from timeouts of
the file system freeze command. (BZ#1932284)

* With this release, running virtual machines is supported for up to 16TB of
RAM on x86_64 architectures. (BZ#1944723)

* This release adds the gathering of oVirt/RHV related certificates to allow
easier debugging of issues for faster customer help and issue resolution.
Information from certificates is now included as part of the sosreport. Note
that no corresponding private key information is gathered, due to security
considerations. (BZ#1845877)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1113630 - [RFE] indicate vNICs that are out-of-sync from their configuration on engine
1310330 - [RFE] Provide a way to remove stale LUNs from hypervisors
1589763 - [downstream clone] Error changing CD for a running VM when ISO image is on a block domain
1621421 - [RFE] indicate vNIC is out of sync on network QoS modification on engine
1717411 - improve engine logging when migration fail
1766414 - [downstream] [UI] hint after updating mtu on networks connected to running VMs
1775145 - Incorrect message from hot-plugging memory
1821199 - HP VM fails to migrate between identical hosts (the same cpu flags) not supporting TSC.
1845877 - [RFE] Collect information about RHV PKI
1875363 - engine-setup failing on FIPS enabled rhel8 machine
1906074 - [RFE] Support disks copy between regular and managed block storage domains
1910858 - vm_ovf_generations is not cleared while detaching the storage domain causing VM import with old stale configuration
1917718 - [RFE] Collect memory usage from guests without ovirt-guest-agent and memory ballooning
1919195 - Unable to create snapshot without saving memory of running VM from VM Portal.
1919984 - engine-setup failse to deploy the grafana service in an external DWH server
1924610 - VM Portal shows N/A as the VM IP address even if the guest agent is running and the IP is shown in the webadmin portal
1926018 - Failed to run VM after FIPS mode is enabled
1926823 - Integrating ELK with RHV-4.4 fails as RHVH is missing 'rsyslog-gnutls' package.
1928158 - Rename 'CA Certificate' link in welcome page to 'Engine CA certificate'
1928188 - Failed to parse 'writeOps' value 'XXXX' to integer: For input string: "XXXX"
1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
1929211 - Failed to parse 'writeOps' value 'XXXX' to integer: For input string: "XXXX"
1930522 - [RHV-4.4.5.5] Failed to deploy RHEL AV 8.4.0 host to RHV with error "missing groups or modules: virt:8.4"
1930565 - Host upgrade failed in imgbased but RHVM shows upgrade successful
1930895 - RHEL 8 virtual machine with qemu-guest-agent installed displays Guest OS Memory Free/Cached/Buffered: Not Configured
1932284 - Engine handled FS freeze is not fast enough for Windows systems
1935073 - Ansible ovirt_disk module can create disks with conflicting IDs that cannot be removed
1942083 - upgrade ovirt-cockpit-sso to 0.1.4-2
1943267 - Snapshot creation is failing for VM having vGPU.
1944723 - [RFE] Support virtual machines with 16TB memory
1948577 - [welcome page] remove "Infrastructure Migration" section (obsoleted)
1949543 - rhv-log-collector-analyzer fails to run MAC Pools rule
1949547 - rhv-log-collector-analyzer report contains 'b characters
1950348 - Set compatibility level 4.6 for Default DataCenter/Cluster during new installations of RHV 4.4.6
1950466 - Host installation failed
1954401 - HP VMs pinning is wiped after edit->ok and pinned to first physical CPUs.

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
engine-db-query-1.6.3-1.el8ev.src.rpm
ovirt-cockpit-sso-0.1.4-2.el8ev.src.rpm
ovirt-engine-4.4.6.6-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.6.2-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.6-1.el8ev.src.rpm
ovirt-web-ui-1.6.9-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.8-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.8-1.el8ev.src.rpm

noarch:
engine-db-query-1.6.3-1.el8ev.noarch.rpm
ovirt-cockpit-sso-0.1.4-2.el8ev.noarch.rpm
ovirt-engine-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.6.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.9-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.6.6-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.8-1.el8ev.noarch.rpm
rhvm-4.4.6.6-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.8-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLY1ttzjgjWX9erEAQho8w//ev/3kbr5iqtF6pJtKIDLPH0kVIo7hhdq
UBpj2veWY2gcWtsBBur7VcRgzTqRsYyofl6JeQseLQAyJxWgLzSUBlSQ/0n28McX
WRjpJXsJp96ye4fWUnfbdzAAuH5kAheBIXDtKPxvpRNSFs6dzQJ6qK86deTwwmqx
1wO3TObR29U9rbqpmArARsGSgJtxF63YMxRqmLeYIjj356KGr4CLNJa3NYOFkvSk
d8KY5Dvgi6CgaKL4oyY8Ee3AetqcteAjmri5k8+u2SPLbo7945E8tAdrxJffAzIz
uqAwvCV9Uy6XmIeMFBpVfM6AcTO8tfFQ6tkxvJ3gOljceHNiul7lBkgJ0kqYdI4/
LllL/fljxwDj3W3L1JB240XCwU6/fJ6JCP2TpaGqhLtEI2W6BbYSCMy5MOywN2q6
7vcG/AP3LbtJ62rlgQdoByqetJ7YdNfizpJ9VToXPYvsjzj9h7U4MfK0+UiH0S+f
sbLOKSfUttgqFyW/YpETLYFzuyrUyGXWER4AkQpJq2E1OaVjU9Ht3mrEugmA9R/V
OpWtJ1hLz2y7ZAx8XD2XEMpvmNXisd/Ur8nkIvUMI6BNWmn4NPTrSe7TWtU085JR
7y0RT9pZjzaJlavhUuLeq1gtoRdi440te0t/jGm+XTuW8GzwVgM/bFnU+jpWFuBb
F7ggBTzqxt8=
=L+W4
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
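As an added example (not Red Hat tooling and not part of the advisory), the script below audits a host against the package list in section 6: it parses the advisory's name-version-release.arch entries, parses the same form from `rpm -qa` style output, and flags every listed package whose installed version-release sorts below the fixed one using rpm's segment-wise comparison rules (digit runs compared numerically, letter runs lexically, a tilde sorting before anything). The advisory excerpt and the installed-package sample are constructed inline so the script runs offline; on a real engine host you would feed it `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` instead.

```python
"""Audit installed RPMs against an advisory's fixed package list.

Added example for RHSA-2021:2179; not Red Hat code. The version comparison
follows rpmvercmp's segment rules closely enough for el8ev release strings,
but it is a simplified reimplementation, not librpm.
"""
import re

# Constructed excerpt of the advisory's "noarch:" list (section 6).
ADVISORY_PACKAGES = """
ovirt-engine-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.6.6-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.9-1.el8ev.noarch.rpm
rhvm-4.4.6.6-0.10.el8ev.noarch.rpm
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# from a host that has applied only part of the update.
INSTALLED_SAMPLE = """
ovirt-engine-4.4.5.11-0.1.el8ev.noarch
ovirt-engine-backend-4.4.6.6-0.10.el8ev.noarch
ovirt-web-ui-1.6.9-1.el8ev.noarch
"""

# name may contain hyphens; version and release never do, arch has no dot.
NVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(line):
    """Return (name, version, release, arch) or None for non-package lines."""
    line = line.strip()
    if line.endswith(".rpm"):
        line = line[:-4]
    m = NVRA_RE.match(line)
    return m.groups() if m else None


def _segments(s):
    # rpm compares alternating digit/alpha runs; separators are ignored,
    # a tilde is kept because it sorts before the empty string.
    return re.findall(r"\d+|[A-Za-z]+|~", s)


def rpmvercmp(a, b):
    """-1, 0 or 1 like rpmvercmp(3) for the common segment patterns."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1      # a numeric segment is newer than an alpha one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    longer = sa if longer_is_a else sb
    # A trailing "~" segment makes the longer string *older* (1.0~rc1 < 1.0).
    if longer[min(len(sa), len(sb))] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def evr_cmp(installed, fixed):
    """Compare (version, release) pairs: version first, then release."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def _index(text):
    out = {}
    for line in text.splitlines():
        p = parse_nvra(line)
        if p and p[3] != "src":          # source RPMs are never installed
            out[p[0]] = (p[1], p[2])
    return out


def audit(advisory_text, installed_text):
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    fixed, installed = _index(advisory_text), _index(installed_text)
    report = {}
    for name, fvr in fixed.items():
        if name not in installed:
            report[name] = "not installed"   # e.g. rhvm only on the engine host
        elif evr_cmp(installed[name], fvr) < 0:
            report[name] = "vulnerable"
        else:
            report[name] = "fixed"
    return report


if __name__ == "__main__":
    for name, state in sorted(audit(ADVISORY_PACKAGES, INSTALLED_SAMPLE).items()):
        print(f"{state:14s} {name}")
```

"not installed" is not a finding on its own: the advisory lists every noarch package built from the update, and a given host legitimately carries only a subset. Only "vulnerable" entries need the update applied as described in section 4.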