Issued: 2018-06-27
Updated: 2018-06-27

RHSA-2018:2071 - Moderate: Red Hat Virtualization Manager security, bug fix, and enhancement update


Synopsis

Moderate: Red Hat Virtualization Manager security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for org.ovirt.engine-root is now available for Red Hat Virtualization Manager 4.2.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Red Hat Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

The following packages have been upgraded to a later version:

  • org.ovirt.engine-root (4.2.4.5). (BZ#1576752)

Security Fix(es):

  • ovirt-engine: Unfiltered password when choosing manual db provisioning (CVE-2018-1075)

  • ovirt-engine-setup: unfiltered db password in engine-backup log (CVE-2018-1072)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

These issues were discovered by Yedidyah Bar David (Red Hat).

Bug Fix(es):

  • This update enables engine-setup to upgrade PostgreSQL 9.2 to 9.5, even when the locale of the 9.2 database is different from the system locale. (BZ#1579268)

  • This update fixes an inefficient query that is generated when users click on the 'Users' tab in the Administration Portal. The fix ensures that the tab loads more quickly. (BZ#1583619)

Enhancement(s):

  • The storage domain's General sub-tab in the Administration Portal now shows the number of images on the storage domain under the rubric "Images". This corresponds to the number of LVs on a block domain. (BZ#1587885)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Product                          Version   Arch
Red Hat Virtualization Manager   4.2       x86_64

Updated Packages

  • ovirt-engine-extensions-api-impl-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-dbscripts-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-restapi-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-plugin-websocket-proxy-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-webadmin-portal-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-vmconsole-proxy-helper-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-4.2.4.5-0.1.el7_3.src.rpm
  • ovirt-engine-backend-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-extensions-api-impl-javadoc-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-base-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-lib-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-common-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-health-check-bundler-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-setup-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-tools-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-websocket-proxy-4.2.4.5-0.1.el7_3.noarch.rpm
  • rhvm-4.2.4.5-0.1.el7_3.noarch.rpm
  • ovirt-engine-tools-backup-4.2.4.5-0.1.el7_3.noarch.rpm

Fixes

CVEs

References


Additional information