Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) security update
[ovirt-4.4.7]
Advisory ID: RHSA-2021:2865-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2865
Issue date: 2021-07-22
CVE Names: CVE-2020-7733 CVE-2020-28469 CVE-2021-23343
CVE-2021-23358
====================================================================
1. Summary:
Updated ovirt-engine packages that fix several bugs and add
various
enhancements are now available.
Red Hat Product Security has rated this update as having a
security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which
gives a detailed severity rating, is available for each
vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
3. Description:
The ovirt-engine package provides the manager for
virtualization
environments.
This manager enables admins to define hosts and networks, as well
as to add
storage, create VMs and manage user permissions.
Security Fix(es):
* nodejs-underscore: Arbitrary code execution via the template
function
(CVE-2021-23358)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ua-parser-js: Regular expression denial of service via
the regex
(CVE-2020-7733)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and
splitPathRe
(CVE-2021-23343)
For more details about the security issue(s), including the
impact, a CVSS
score, and other related information, refer to the CVE page(s)
listed in
the References section.
Bug Fix(es):
* Foreman integration, which allows you to provision bare metal
hosts from
the Administration Portal using Foreman and then added to the
Manager, was
deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in
oVirt 4.4.7
/ RHV 4.4.7.
Similar functionality to provision bare metal hosts can be
achieved using
Foreman directly and adding an already provisioned host using
the
Administration Portal or the REST API. (BZ#1901011)
* Adding a message banner to the web administration welcome page
is
straight forward using custom branding that only contains a
preamble
section.
An example of preamble branding is given here:
https://bugzilla.redhat.com/attachment.cgi?id83329.
In an engine upgrade, the custom preamble brand remains in place
and will
work without issue.
During engine backup and subsequent restore, on engine restore
the custom
preamble branding needs to be manually restored/reinstalled and
verified.
(BZ#1804774)
* The column name threads_per_core in the Red hat Virtualization
manager
Dashboard is being deprecated, and will be removed in a future
release.
In version 4.4.7.2 the column name for threads_per_core will be
changed to
number_of_threads.
In the Data Warehouse, the old name will be retained as an
additional
alias, resulting in 2 columns providing the same data:
number_of_threads
and threads_per_core, and threads_per_core will be removed in a
future
version. (BZ#1896359)
4. Solution:
For details on how to apply this update, which includes the
changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1752996 - [RFE] Option in VM Portal to Full Screen
1765644 - VM portal on RHV-M 4.3.6 doesn't show the VM "Console
Setting" functionality.
1779983 - After memory hot plug, Why the VM is showing icon for
"server with the newer configuration for next run"?
1804774 - Simplify the process to add a msg on the RHVM Admin
Portal Login
1817346 - [UI] SHA1 fingerprint shown to the user for approval
1877478 - [RFE] collect network metrics in DWH ( rx and tx drop
)
1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression
denial of service via the regex
1887434 - LVM IDs and Machine ID are same for all new VMs created
from sealed template
1888354 - rhv-log-collector-analyzer 0.2.16 from RHV 4.3 and up
does not gather information about storage domains or LUN.
1896359 - "Count threads as cores" option is not honored by the RHV
Dashboard CPU graph
1901011 - [RFE] Remove Foreman integration from engine
1902179 - Ignore message about not using latest kernel after
upgrade when a host hasn't been rebooted
1937714 - [RFE] Add rx and tx drop to Grafana
1939198 - Refresh LUN operation via Admin Portal fails with "No
host was found to perform the operation"
1941581 - [RFE] Add to API external template import
1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code
execution via the template function
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression
denial of service
1946876 - automatic Maximum Memory exceeds possible maximum on new
VM dialog
1951579 - RHV api issues when account has only "UserRole"
permissions
1954878 - [RFE] Auto Pinning Policy: improve tooltip description
and policy names
1955582 - rhv-image-discrepancies reports "different attribute
voltype on storage(SHARED) and on DB(LEAF)" for template
volumes
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via
splitDeviceRe, splitTailRe and splitPathRe
1960968 - Disable checking of SSH connection when adding a host
into the ansible-runner-service inventory
1961338 - [CodeChange][i18n] oVirt 4.4.7 rhv branding - translation
update
1967169 - rhv-log-collector-analyzer --json fails with
AttributeError
1970718 - Engine hits NPE when importing template with disks on 2
storage domains
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ovirt-engine-4.4.7.6-0.11.el8ev.src.rpm
ovirt-engine-dwh-4.4.7.3-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.2.7-1.el8ev.src.rpm
ovirt-web-ui-1.7.0-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.10-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.9-1.el8ev.src.rpm
noarch:
ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-backend-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.7.3-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.7.3-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.4-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-tools-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.2.7-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm
ovirt-web-ui-1.7.0-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.7.6-0.11.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.10-1.el8ev.noarch.rpm
rhvm-4.4.7.6-0.11.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.9-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key
and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-7733
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/cve/CVE-2021-23343
https://access.redhat.com/security/cve/CVE-2021-23358
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYPmLO9zjgjWX9erEAQjJcQ//a3A/5akbg1AWahPTZpaRMzJgPPvtzMgO
YQGrVOPA4ISUIBW1RQKkvSofLNF0RtazAazqf+2xY2AMuTHujiwPJkIAi0vmUM4V
G2oQdSHrU1Pj5cqwVp2E8/gjJD3MSMGzQT99rmA2oTKyqcMn8L6vOH6n6xis0Gti
q6VNmAV3twiO06bnPLpSxfkhhahYMflBp7yVudq1SCcNfUXjB30DN/5NcrgaNrPo
VNj5Q1EMsYA65eCoKKU1pwrE+BWVWKjRX9hOcIUEQ3cUTqeYyytBXWIENKrTxpkj
xsKGO7uhIg2u792mMvuDJcOdtwywRmSsSNFTyUOVDbrL8nI1ihZAJ4Fs7Kp/9c4e
P+TJRWHGVigaZK80/JlKqjlmpg3dL8tHy0/mwEnEUNUsti/fgXHpvcVTaDEYMEGW
ZQEBbDspSa1+Ar7rUVqPLUrUxlYPNUDvdZ6t1xcL0DY7Djw88VziOFZqOfdEti3B
CiZJA/B0xzz5yt+YkQypTVT5+ya9upyeqnvQNvNZqzpeuN7Td9+SWW2PaQeQ8Ppn
7jLgVXlExYs5W75/NNCaM/t5PTey7AdJ4PPZSeR+kqj1QR6gcSR5M1IvoROyqcgi
fxkGGY0NfOaeUZHNsoATOYv+ToxDzhgPEQpT2IHK+bMxptVzcwGFqAEIRpZORD/j
2JM0wA+XaQY=/4Xn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Read more https://packetstormsecurity.com/files/163635/RHSA-2021-2865-01.txt