====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update
Advisory ID:       RHSA-2023:3205-01
Product:           OpenShift Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3205
Issue date:        2023-05-18
CVE Names:         CVE-2022-2879 CVE-2022-2880 CVE-2022-27664
                   CVE-2022-32149 CVE-2022-32189 CVE-2022-32190
                   CVE-2022-41715 CVE-2022-41717
====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.0 images.

Security Fix(es):

* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)

* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

3. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2023393 - [CNV] [UI] Additional information needed for cloning when default storageclass is not defined in target datavolume
2029391 - VM status flipping between Paused and Running
2052556 - Metric "kubevirt_num_virt_handlers_by_node_running_virt_launcher" reporting incorrect value
2060499 - [RFE] Cannot add additional service (or other objects) to VM template
2070132 - [RFE][CNV] Ability to export and import virtual machines disks between clusters
2087540 - [RFE] Improve CPU info
2101390 - Easy to miss the "tick" when adding GPU device to vm via UI
2104424 - Enable descheduler or hide it on template's scheduling tab
2104479 - [4.12] Cloned VM's snapshot restore fails if the source VM disk is deleted
2104859 - [RFE] Add "Copy SSH command" to VM action list
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi)
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2114922 - Can run with host-Model cpuModel even if it is in ObsoleteCPUModels
2116562 - NodeNetworkConfigurationPolicy "ERROR: State editing already in progress. Commit, roll back or wait before retrying"
2117803 - Cannot edit ssh even vm is stopped
2122119 - Virtual machine fails to start with error "Unable to use native AIO: failed to create linux AIO context: Resource temporarily unavailable"
2122168 - Error while running virtctl - GLIBC_2.34 is not found in the package of virtctl - which is required by virtctl
2123209 - CNV runs non-root VMs by default which removes cap_sys_nice from the launchers and caused the real time VM failed to boot up
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2132873 - VM is removed before virt-launcher pod exits, new VM with same name points to old VMI/virt-launcher pod still terminating
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
2138199 - Win11 and Win22 templates are not filtered properly by Template provider
2138653 - Saving Template parameters reloads the page
2138664 - VM that was created with SSH key fails to start
2139235 - unlike other CNV components, Kubevirt uses its own cipher for tls 1.2
2139257 - Cannot add disk via "Using an existing PVC"
2139260 - Clone button is disabled while VM is running
2139293 - Non-admin user cannot load VM list page
2139296 - Non-admin cannot load MigrationPolicies page
2139299 - No auto-generated VM name while creating VM by non-admin user
2139306 - Non-admin cannot create VM via customize mode
2139479 - virtualization overview crashes for non-priv user
2139574 - VM name gets "emptyname" if click the create button quickly
2139651 - non-priv user can click create when have no permissions
2139687 - catalog shows template list for non-priv users
2139820 - non-priv user can't reach vm details
2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user
2140977 - Alerts number is not correct on Virtualization overview
2140982 - The base template of cloned template is "Not available"
2140998 - Incorrect information shows in overview page per namespace
2142511 - Enhance alerts card in overview
2143039 - Some liveMigrationConfig options cannot be used for cluster-wide setting
2143498 - Could not load template while creating VM from catalog
2143716 - [4.13] VMExport: fix DV Error message when trying to import without certConfigMap and secretExtraHeaders
2144580 - "?" icon is too big in VM Template Disk tab
2145092 - "No MigrationPolicies are defined yet" flash by on MigrationPolicies page
2145126 - Can't start VM with "clock" virtualMachinePreference
2145137 - Machine type is not updated to rhel9.2.0 in Templates
2145223 - VM with missing source datasource pvc is started without any error messages
2147582 - Add Y axis to all graphs under metrics tab (same as Pod metrics tab)
2148322 - Add help text to DataImportCron
2148849 - The help text of items in DataSource details page includes incorrect url link
2148850 - Help text is missing in MigrationPolicies details page
2149118 - virt-handler leaks VNC sockets
2149201 - Incorrect pending changes warning about memory and CPU while starting a VM in a namespace with limitranges
2149227 - VMs requiring vTPM fails to create
2149897 - The context menu of the serial console does not contain a paste command
2150364 - Deletion of VM deletes referenced secret
2150653 - VMExport for VMSnapshot - volume names should be the same as the VMs volume names
2150832 - vCPU number is not correct in Virtualization -> Overview
2151053 - The scripts tab of Windows VM cannot be saved
2151056 - Improve descriptive text of cloud-init and ssh-key
2151427 - Virtualization -> Overview is crashed when creating VM in other browser session
2151508 - Add login username to virtctl ssh command
2151521 - No username set in cloud-init in the template example yaml
2151759 - "No available boot source" shows while creating VM from upload image
2151766 - "No available boot source" shows while creating VM from existing PVC
2151831 - Time format in VM utilization card is not correct
2152122 - VM can't start if disk io is default
2152534 - Default CPU request in namespace limitrange takes precedence over the VMs configured vCPU
2152537 - [4.13] Better to have a more friendly error when missing storage size in clone
2155403 - ssh related information displayed in OpenShift console for Windows VMs created from template
2155409 - PVC details page crashing
2155796 - windows10-installer contains upstream example url
2156392 - In the VM latency checkup, the max_desired_latency_milliseconds field has no meaning when the measured latency is less than 1[ms]
2156902 - VM latency checkup - Checkup not performing a teardown in case of setup failure
2158060 - [console] Source project list for selecting existing PVC is not sorted alphabetically
2158079 - "Storage" and "?" are not aligned in customize wizard (Firefox only)
2158362 - PVC should be filtered by status in pvc dropdown list while creating vm or adding disk
2158424 - Cannot select Network Attachment Definitions from the global namespaces
2158515 - Guestfs image url not constructed correctly
2159715 - VM Memory does not show in details card of overview or details tab
2159975 - The prefix "docker://docker://" was added to the container image while editing the rootdisk (registry)
2160298 - YAML Switcher text should be just "YAML"
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
2161340 - HCO taking long to reconcile ConsolePlugin kubevirt-plugin
2162016 - hostpath provisioner operator consuming stray k8s API
2162333 - PVC created using non default storage class on fresh cluster
2163460 - Can't set resources.requests.memory when using instance type
2164590 - VM with InstanceType validation webhook when checking hugepage size
2164807 - Migration metrics values are not sum up values from all VMIs
2164814 - [4.13] virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
2164838 - KubeVirtComponentExceedsRequestedMemory Alert for virt-api pod
2165618 - Overhead of management layer in virt-launcher is not calculated accurately
2165943 - Error While applying Migration Policy
2166165 - Two elements about vm-name-input shows on VM creation page
2166394 - cdi.kubevirt.io/storage.bind.immediate.requested is not propagated down to the DataVolume if set on an existing DataImportCronTemplate
2166507 - The loading time of Virtualization -> Overview -> Settings page is a bit longer
2166508 - Virtualization -> Overview -> Settings page is crashed when the user have no permission to list network-attachment-definitions
2166512 - VM can't start because of requests/limits CPU number mismatch after adding the overallocated one
2167012 - Unable to create a vm with network bridge
2167226 - Sorting Network Interface by 'Network' or 'Type' does not work.
2167251 - Virtualization -> Overview page is crashed
2167661 - Alerts card always show the "Info" although it's 0
2167979 - qemu.log are no longer getting collected for cnv must-gather (vm gather) in 4.13.0
2168032 - Error happens while selecting ssh types between "SSH over NodePort" and "SSH over LoadBalancer"
2168111 - VM template loses storage information if a required parameter has no value
2168165 - [4.13] preallocation is always applied when importing image to block storage
2168180 - Correct the pod name of kubevirt-console-plugin from `kubevirt-plugin-xxx` to `kubevirt-console-plugin-xxx`
2168480 - VM -> Metrics tab: "Virtualization dashboard" link is wrong
2168484 - VM -> Metrics tab: Add dates to the X axis
2168486 - "Restore template settings" is disabled while editing VM's CPU/Mem
2168488 - Add text to VM workload profile
2168561 - Storage IOPS card in VM Metrics has wrong case
2168770 - "Not migratable" label should only be added to running VM
2168859 - Cannot attach an existing secret while creating the VM as a regular user
2168861 - "Attach existing sysprep" should not try to get resource at cluster scope when logged in with regular user
2169699 - [e2e] Add data-test-id for SSH service type
2169880 - virt-handler should not delete any pre-configured mediated devices if these are provided by an external provider
2170703 - "Filter by keyword" not working in catalog
2170740 - Deleting vm with --cascade=orphan is not working properly
2171395 - virt-controller crashes because of out-of-bound slice access in evacuation controller
2172371 - "Restore template settings" change the memory to zero if the VM has no template
2172375 - Error happens while deleting secret from VM
2172612 - [4.13] VMSnapshot and WaitForFirstConsumer storage: VMRestore is not Complete
2172842 - Fix "Templates project" and "Templates catalog"
2172952 - Cannot change first vNIC to virtio in "Review and create VirtualMachine"
2173527 - VM details: Machine type - should it be just q35 or everything?
2173562 - The "play" button is not clickable in the mini console
2173563 - The "YAML view" position is not consistent in VM tabs
2173593 - Virtualization -> Overview -> Top-consumers is crashed
2173595 - Cluster reader cannot view VM list page
2174288 - No storageClass is selected by default while adding/editing a disk
2174324 - "Add" should be "Add volume" in Bootable volumes page
2174334 - VM's disk is not deleted along with the VM if the VM is created from upload image
2174619 - No boot order items while editing the boot order
2174636 - Visit Virtualization -> Overview -> Migrations crashes the app
2174742 - Machine type is not updated to rhel9.2.0 in KV CR
2175054 - Delete bootable volume crashes the page
2175171 - Internal workaround for nonRoot->Root FG on Kubevirt
2175256 - Error when accessing Catalog page
2175274 - Error after trying to edit VM CPU | Memory field in VM Details
2175571 - [RFE] Sort templates in grid view
2175601 - Cannot select Network Attachment Definitions from the global namespaces
2175636 - VMI with x86_Icelake fail when mpx feature is missing
2175641 - Add volume from existing PVC not working
2175643 - The "Add volume" button has a loading time in "Bootable volumes" page
2175888 - [cnv-4.13] Mark Windows 11 as TechPreview
2175890 - [cnv-4.13] Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11
2175974 - The default rows of volume table should at least include all default volumes
2175976 - "Select InstanceType" should show the volume's default instanceType
2175977 - The Create VM button should be disabled until everything is selected
2175979 - "Cores" should be "CPU" in instanceTypes page
2175983 - Improve the delete button and the text on delete modal for bootable volumes
2175985 - "Clone existing PVC ?" should be accessible on hover
2175986 - Improve message when different storageclass is selected
2175988 - Remove descriptive text of the volume name
2176353 - Cannot enable headless mode in catalog
2176355 - Show a reason on VM console tab when headless mode is ON
2176422 - getting wrong error message when trying to upload dv when pvc already exist
2176706 - Click the item link in Pending Changes get a blank page below
2176708 - The disk name "Make Persistent disk" in "Pending Changes" should be the actual disk name
2176725 - "Start this VirtualMachine after creation" is not carried over to next dialog during VM creation
2176753 - Remove the dashed line from the Configurations in MigrationPolicy details page
2176804 - VM created with instanceType from UI cannot be started due to secret missing
2176843 - "No bootable device" shows in VM console if it's created with instanceType
2177091 - Edit buttons are added to "Hardware devices" in quick creation page but not editable
2177578 - Set width for columns in volume list tab
2177586 - No pod networking added to the VM while creating it from instanceType
2177589 - Preference in Virt -> Bootable volumes -> Add volume modal is not sorted
2177668 - [DPDK latency checkup] Traffic generator cannot start due to multiple environment vars with PCIDEVICE_ prefix
2177763 - clusterInstanceType and clusterPreference show in "get all" command
2177888 - VM with cpu.cores and memory.guest raises false notification
2177961 - 'GiB' is displayed incompletely
2177973 - Add "CloneInProgress" badge to volumes while it's still being cloned
2178037 - VM termination stuck until instancetype/preference revisionName is cleared
2178628 - VM mutator panics when inferring instancetype from DataSource without specifying namespace
2178629 - [DPDK latency checkup] Traffic generator cannot start due to error in scapy server
2179225 - Improve "Use existing secret" in catalog -> instanceTypes
2179226 - Improve the name of "Add new" secret in catalog -> instanceTypes
2179565 - VM Overview card links are broken
2179626 - Filter can not be cleared in VM Diagnostic tab
2179811 - Sometimes the preference list is empty in Bootable volumes -> Add volume modal
2180146 - upgrade cnv from 4.12.1 to v4.13.0.rhel9-1819 is stuck
2180279 - VM cannot be started while creating from a template which has 2nd disk added
2180553 - Cannot remove description from volume
2180853 - The console goes blank after trying to clone a virtual machine
2182006 - Rename of Network Interface duplicates it, breaks VM start
2182097 - "Cancel" button on instanceType should exit the flow instead of clearing data
2182534 - spec.firmware.bootloader is not copied while cloning a UEFI VM
2182535 - "Copy SSH command" get undefined user
2182536 - The volume in instanceTypes page should be selected automatically just after it's been added
2182538 - Cloned VM should not use the same PVC of the source VM
2182539 - [Nonpriv] VM Memory does not show in details card of overview or details tab
2182661 - Restore VM's pretty names
2183026 - Console is almost frozen if scroll down and up in VM metrics tab
2183205 - [DPDK latency checkup] Traffic generator cannot start due to missing dedicated ServiceAccount
2183397 - Trend charts are empty when looking at "All projects"
2183968 - CNV4.13 SVVP Test: job 'Check SMBIOS Table Specific Requirements' failed on win2022
2186767 - VM metrics graphs are rendered incorrectly
2187437 - The storageclass option is not respected in add volume modal for "Use existing volume"
2187547 - non-privileged user cannot add new nic
2187581 - "No data available" shows on Virtualization overview metrics chart

5. References:

https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-32149
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.