-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update Advisory ID: RHSA-2023:0074-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2023:0074 Issue date: 2023-01-11 CVE Names: CVE-2021-30483 CVE-2022-45047 ===================================================================== 1. Summary: Updated RHV packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64 Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64 3. Description: The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Security fix(es): * mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047) * isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778) * Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346) * Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371) 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository 2126778 - Port 3000 blocked between engine and remote DWH with Grafana 2141371 - Incorrect image chain when deleting an intermediate snapshot 2144346 - Search returns all entities the permissions allow if the user is not admin 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability 2152015 - Discrepancy tool fails with KeyError 2152845 - Storage stabilization for 4.5.3 6. Package List: Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts: Source: vdsm-4.50.3.6-1.el8ev.src.rpm noarch: vdsm-api-4.50.3.6-1.el8ev.noarch.rpm vdsm-client-4.50.3.6-1.el8ev.noarch.rpm vdsm-common-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm vdsm-http-4.50.3.6-1.el8ev.noarch.rpm vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm vdsm-python-4.50.3.6-1.el8ev.noarch.rpm vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm ppc64le: vdsm-4.50.3.6-1.el8ev.ppc64le.rpm vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm x86_64: vdsm-4.50.3.6-1.el8ev.x86_64.rpm vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm Red Hat Virtualization 4 Hypervisor for RHEL 8: Source: vdsm-4.50.3.6-1.el8ev.src.rpm noarch: vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm x86_64: vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4: Source: apache-sshd-2.9.2-0.1.el8ev.src.rpm ovirt-engine-4.5.3.5-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm ovirt-web-ui-1.9.3-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm noarch: apache-sshd-2.9.2-0.1.el8ev.noarch.rpm apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm rhvm-4.5.3.5-1.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-30483 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY77lENzjgjWX9erEAQgN9A/9G5NYjt87qCs93u5tgnYP1G5A8GCojNtd G3TglbeCMHIgGlA67TSE5vXvppHdYHCN2QoT+d+9iz0SHbIOOn7Ztc4I/KyIgX3Y T6e2trOCry7KWz8TX+DTyoJamnGVRbvKnvmoUB6rrZbhoa9wP68ZwhvNdVzuGi27 p8xa2zPv1LDz1gyf2Ko1dtb0i7CtYWhL1dRcAByA4dvACiQJe1NMwCyLZf/vb3Zu 64pO4La8QWn3SJut9HJ8PhoGbtPWBWGCIF1ghKVAysrUjpe6QceIElLd6ADVTa29 GPbsxwcUUyJFIzennM47GVMf+X3uKnHH5MbLuv3ghEjguaBsQ9M9TNNAyFz9wO+k cTVmxkZfB45t7teRQCoAF5uLLza2xLkzZBvVEgKsiGCKXJrN4nc8mWTXKkbtEXej kmrVT85brDs0+IgNsian/8Zyn48//5CZJm/TsQne0vRf3GYDOUMabrd3XmOzHH4a XVw3u57eKZ4dtmQ9KNsgzFKUJOe/w1HWyIbk7XVawNPZX4K0waXXaiBLJZxYTjWP 5Fve+MpRPBCtOrV8LKVLdbz4eZRG4q+Z2N92ZOc6X4omJUhGYHRmmPL5C/iLsXiA kI3NoANDaeMvgqoR8J1FB4N3Tvk5kKE5yBXCELG/+ZpLgjLecElyxHFCeibogY3s ZiUYms4Cl8s= =Z3Jw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce