Issued: 2020-08-04
Updated: 2020-08-04

RHSA-2020:3247 - Important: RHV Manager ovirt-engine - 4.4 security, bug fix, and enhancement update


Synopsis

Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

  • apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default (CVE-2019-10086)

  • libquartz: XXE attacks via job description (CVE-2019-13990)

  • novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)

  • bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

  • nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)

  • ovirt-engine: response_type parameter allows reflected XSS (CVE-2019-19336)

  • nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload (CVE-2020-7598)

  • ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)

  • jQuery: cross-site scripting via the jQuery.htmlPrefilter method (CVE-2020-11022)

  • jQuery: passing HTML containing

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Product                          Version   Arch
Red Hat Virtualization Manager   4.4       x86_64

Updated Packages

  • ovirt-engine-api-explorer-0.0.6-1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-setup-1.4.0-1.el8ev.noarch.rpm
  • rhv-log-collector-analyzer-1.0.2-1.el8ev.noarch.rpm
  • xmlrpc-javadoc-3.1.3-1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.2-1.el8ev.noarch.rpm
  • openstack-java-resteasy-connector-3.2.9-1.el8ev.noarch.rpm
  • ovirt-engine-metrics-1.4.1.1-1.el8ev.src.rpm
  • ed25519-java-0.3.0-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-imageio-4.4.1.8-0.7.el8ev.noarch.rpm
  • apache-commons-vfs-examples-2.4.1-1.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.4-1.el8ev.src.rpm
  • engine-db-query-1.6.1-1.el8ev.noarch.rpm
  • apache-commons-collections4-4.4-1.el8ev.src.rpm
  • ovirt-fast-forward-upgrade-1.1.6-0.el8ev.src.rpm
  • ovirt-engine-api-explorer-0.0.6-1.el8ev.src.rpm
  • ovirt-engine-dwh-4.4.1.2-1.el8ev.src.rpm
  • openstack-java-nova-client-3.2.9-1.el8ev.noarch.rpm
  • python3-flask-1.0.2-2.el8ost.noarch.rpm
  • openstack-java-sdk-3.2.9-1.el8ev.src.rpm
  • rhvm-4.4.1.8-0.7.el8ev.noarch.rpm
  • ovirt-web-ui-1.6.3-1.el8ev.src.rpm
  • ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.src.rpm
  • vdsm-jsonrpc-java-1.5.4-1.el8ev.src.rpm
  • python3-ovirt-engine-lib-4.4.1.8-0.7.el8ev.noarch.rpm
  • python3-werkzeug-0.16.0-1.el8ost.noarch.rpm
  • apache-commons-vfs-2.4.1-1.el8ev.src.rpm
  • ebay-cors-filter-1.0.1-4.el8ev.src.rpm
  • ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
  • python3-notario-0.0.16-2.el8cp.noarch.rpm
  • openstack-java-keystone-client-3.2.9-1.el8ev.noarch.rpm
  • ovirt-scheduler-proxy-0.1.9-1.el8ev.noarch.rpm
  • apache-commons-compress-1.18-1.el8ev.src.rpm
  • apache-commons-vfs-javadoc-2.4.1-1.el8ev.noarch.rpm
  • openstack-java-quantum-client-3.2.9-1.el8ev.noarch.rpm
  • apache-commons-jexl-2.1.1-1.el8ev.src.rpm
  • ovirt-engine-setup-4.4.1.8-0.7.el8ev.noarch.rpm
  • rhv-log-collector-analyzer-1.0.2-1.el8ev.src.rpm
  • makeself-2.4.0-4.el8ev.src.rpm
  • apache-commons-jexl-javadoc-2.1.1-1.el8ev.noarch.rpm
  • openstack-java-glance-model-3.2.9-1.el8ev.noarch.rpm
  • java-client-kubevirt-0.5.0-1.el8ev.noarch.rpm
  • ansible-runner-1.4.5-1.el8ar.src.rpm
  • rhvm-setup-plugins-4.4.2-1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-common-4.4.1.8-0.7.el8ev.noarch.rpm
  • ovirt-engine-webadmin-portal-4.4.1.8-0.7.el8ev.noarch.rpm
  • ovirt-engine-metrics-1.4.1.1-1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.src.rpm
  • ovirt-cockpit-sso-0.1.4-1.el8ev.src.rpm
  • python-netaddr-0.7.19-8.1.el8ost.src.rpm
  • m2crypto-0.35.2-5.el8ev.src.rpm
  • ovirt-engine-extensions-api-javadoc-1.0.1-1.el8ev.noarch.rpm
  • openstack-java-cinder-model-3.2.9-1.el8ev.noarch.rpm
  • python3-ansible-runner-1.4.5-1.el8ar.noarch.rpm
  • openstack-java-cinder-client-3.2.9-1.el8ev.noarch.rpm
  • apache-sshd-2.5.1-1.el8ev.src.rpm
  • ovirt-engine-extensions-api-1.0.1-1.el8ev.noarch.rpm
  • java-client-kubevirt-0.5.0-1.el8ev.src.rpm
  • ovirt-web-ui-1.6.3-1.el8ev.noarch.rpm
  • python3-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.noarch.rpm
  • apache-commons-jxpath-javadoc-1.3-29.el8ev.noarch.rpm
  • python3-pbr-5.1.2-2.el8ost.noarch.rpm
  • openstack-java-heat-model-3.2.9-1.el8ev.noarch.rpm
  • python3-websocket-client-0.54.0-1.el8ost.noarch.rpm
  • ovirt-engine-setup-base-4.4.1.8-0.7.el8ev.noarch.rpm
  • apache-commons-jxpath-1.3-29.el8ev.noarch.rpm
  • m2crypto-debugsource-0.35.2-5.el8ev.x86_64.rpm
  • openstack-java-glance-client-3.2.9-1.el8ev.noarch.rpm
  • xmlrpc-3.1.3-1.el8ev.src.rpm
  • ovirt-engine-extensions-api-1.0.1-1.el8ev.src.rpm
  • openstack-java-swift-model-3.2.9-1.el8ev.noarch.rpm
  • apache-commons-compress-javadoc-1.18-1.el8ev.noarch.rpm
  • python3-netaddr-0.7.19-8.1.el8ost.noarch.rpm
  • python3-m2crypto-debuginfo-0.35.2-5.el8ev.x86_64.rpm
  • rhvm-setup-plugins-4.4.2-1.el8ev.noarch.rpm
  • apache-commons-vfs-ant-2.4.1-1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.2-1.el8ev.src.rpm
  • python2-netaddr-0.7.19-8.1.el8ost.noarch.rpm
  • apache-commons-compress-1.18-1.el8ev.noarch.rpm
  • unboundid-ldapsdk-4.0.14-1.el8ev.noarch.rpm
  • unboundid-ldapsdk-javadoc-4.0.14-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-cinderlib-4.4.1.8-0.7.el8ev.noarch.rpm
  • rhvm-dependencies-4.4.0-1.el8ev.noarch.rpm
  • apache-commons-vfs-2.4.1-1.el8ev.noarch.rpm
  • openstack-java-client-3.2.9-1.el8ev.noarch.rpm
  • makeself-2.4.0-4.el8ev.noarch.rpm
  • python-flask-1.0.2-2.el8ost.src.rpm
  • ovirt-engine-backend-4.4.1.8-0.7.el8ev.noarch.rpm
  • ovirt-engine-dwh-setup-4.4.1.2-1.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.4-1.el8ev.noarch.rpm
  • python-werkzeug-0.16.0-1.el8ost.src.rpm
  • python3-flask-restful-0.3.6-8.el8ost.noarch.rpm
  • ovirt-engine-tools-backup-4.4.1.8-0.7.el8ev.noarch.rpm
  • ansible-runner-1.4.5-1.el8ar.noarch.rpm
  • ansible-runner-service-1.0.2-1.el8ev.noarch.rpm
  • ovirt-fast-forward-upgrade-1.1.6-0.el8ev.noarch.rpm
  • python-aniso8601-0.82-4.el8ost.src.rpm
  • apache-commons-jexl-2.1.1-1.el8ev.noarch.rpm
  • ovirt-scheduler-proxy-0.1.9-1.el8ev.src.rpm
  • openstack-java-heat-client-3.2.9-1.el8ev.noarch.rpm
  • novnc-1.1.0-1.el8ost.noarch.rpm
  • ed25519-java-javadoc-0.3.0-1.el8ev.noarch.rpm
  • ws-commons-util-1.0.2-1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm
  • snmp4j-2.4.1-1.el8ev.noarch.rpm
  • log4j12-javadoc-1.2.17-22.el8ev.noarch.rpm
  • ovirt-log-collector-4.4.2-1.el8ev.noarch.rpm
  • ovirt-engine-4.4.1.8-0.7.el8ev.src.rpm
  • novnc-1.1.0-1.el8ost.src.rpm
  • ovirt-engine-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm
  • apache-sshd-javadoc-2.5.1-1.el8ev.noarch.rpm
  • ebay-cors-filter-1.0.1-4.el8ev.noarch.rpm
  • ed25519-java-0.3.0-1.el8ev.src.rpm
  • python3-six-1.12.0-1.el8ost.noarch.rpm
  • ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.src.rpm
  • ansible-runner-service-1.0.2-1.el8ev.src.rpm
  • apache-commons-collections4-4.4-1.el8ev.noarch.rpm
  • ovirt-engine-dbscripts-4.4.1.8-0.7.el8ev.noarch.rpm
  • python2-six-1.12.0-1.el8ost.noarch.rpm
  • python3-aniso8601-0.82-4.el8ost.noarch.rpm
  • openstack-java-javadoc-3.2.9-1.el8ev.noarch.rpm
  • python-flask-restful-0.3.6-8.el8ost.src.rpm
  • rhvm-dependencies-4.4.0-1.el8ev.src.rpm
  • openstack-java-nova-model-3.2.9-1.el8ev.noarch.rpm
  • snmp4j-javadoc-2.4.1-1.el8ev.noarch.rpm
  • log4j12-1.2.17-22.el8ev.noarch.rpm
  • ovirt-cockpit-sso-0.1.4-1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.noarch.rpm
  • ovirt-engine-health-check-bundler-4.4.1.8-0.7.el8ev.noarch.rpm
  • openstack-java-ceilometer-model-3.2.9-1.el8ev.noarch.rpm
  • ovirt-log-collector-4.4.2-1.el8ev.src.rpm
  • python3-m2crypto-0.35.2-5.el8ev.x86_64.rpm
  • ws-commons-util-1.0.2-1.el8ev.noarch.rpm
  • engine-db-query-1.6.1-1.el8ev.src.rpm
  • snmp4j-2.4.1-1.el8ev.src.rpm
  • ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.noarch.rpm
  • xmlrpc-common-3.1.3-1.el8ev.noarch.rpm
  • ws-commons-util-javadoc-1.0.2-1.el8ev.noarch.rpm
  • python2-pbr-5.1.2-2.el8ost.noarch.rpm
  • log4j12-1.2.17-22.el8ev.src.rpm
  • apache-sshd-2.5.1-1.el8ev.noarch.rpm
  • python-flask-doc-1.0.2-2.el8ost.noarch.rpm
  • apache-commons-configuration-1.10-1.el8ev.src.rpm
  • ovirt-engine-restapi-4.4.1.8-0.7.el8ev.noarch.rpm
  • xmlrpc-client-3.1.3-1.el8ev.noarch.rpm
  • python-pbr-5.1.2-2.el8ost.src.rpm
  • ovirt-engine-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm
  • openstack-java-swift-client-3.2.9-1.el8ev.noarch.rpm
  • unboundid-ldapsdk-4.0.14-1.el8ev.src.rpm
  • apache-commons-jxpath-1.3-29.el8ev.src.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.0-1.el8ev.noarch.rpm
  • ovirt-engine-dwh-grafana-integration-setup-4.4.1.2-1.el8ev.noarch.rpm
  • ovirt-engine-extension-logger-log4j-1.1.0-1.el8ev.noarch.rpm
  • openstack-java-keystone-model-3.2.9-1.el8ev.noarch.rpm
  • openstack-java-ceilometer-client-3.2.9-1.el8ev.noarch.rpm
  • python-six-1.12.0-1.el8ost.src.rpm
  • ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch.rpm
  • python-notario-0.0.16-2.el8cp.src.rpm
  • ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.1.8-0.7.el8ev.noarch.rpm
  • xmlrpc-server-3.1.3-1.el8ev.noarch.rpm
  • python-ovsdbapp-0.17.1-0.20191216120142.206cf14.el8ost.src.rpm
  • python-websocket-client-0.54.0-1.el8ost.src.rpm
  • ovirt-engine-setup-plugin-websocket-proxy-4.4.1.8-0.7.el8ev.noarch.rpm
  • openstack-java-quantum-model-3.2.9-1.el8ev.noarch.rpm
  • apache-commons-collections4-javadoc-4.4-1.el8ev.noarch.rpm
  • python3-werkzeug-doc-0.16.0-1.el8ost.noarch.rpm
  • ovirt-engine-tools-4.4.1.8-0.7.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-misc-1.1.0-1.el8ev.src.rpm
  • vdsm-jsonrpc-java-1.5.4-1.el8ev.noarch.rpm
  • apache-commons-configuration-1.10-1.el8ev.noarch.rpm
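To confirm that a Manager host actually carries the package builds listed above, the installed name-version-release of each package has to be compared against the advisory's NVR using RPM's own ordering rules (numeric segments compare as integers, so 4.4.1.10 is newer than 4.4.1.9, and a numeric segment always ranks above an alphabetic one). The script below is an added example and is not part of the advisory or of Red Hat's tooling. It embeds a subset of the "Updated Packages" list from this page, implements the librpm version comparison (without tilde/caret ordering, which none of these NVRs use), parses the default `rpm -qa` output format, and ignores epochs, which neither the advisory file names nor the default `rpm -qa` format carry. `SAMPLE_INSTALLED` is a constructed `rpm -qa` excerpt, not output from a real host; `installed_from_host` is the hypothetical hook you would use instead of it.

```python
import re
import subprocess

# Subset of the binary and source RPMs from the "Updated Packages" list of
# RHSA-2020:3247; source RPMs are skipped by the check below.
ADVISORY_RPMS = [
    "ovirt-engine-4.4.1.8-0.7.el8ev.noarch.rpm",
    "ovirt-engine-4.4.1.8-0.7.el8ev.src.rpm",
    "ovirt-engine-restapi-4.4.1.8-0.7.el8ev.noarch.rpm",
    "novnc-1.1.0-1.el8ost.noarch.rpm",
    "rhvm-4.4.1.8-0.7.el8ev.noarch.rpm",
    "python3-m2crypto-0.35.2-5.el8ev.x86_64.rpm",
]

# Constructed sample of `rpm -qa` output for illustration only (not from a real host).
SAMPLE_INSTALLED = """\
ovirt-engine-4.4.1.7-0.3.el8ev.noarch
novnc-1.1.0-1.el8ost.noarch
rhvm-4.4.1.8-0.7.el8ev.noarch
python3-m2crypto-0.35.2-4.el8ev.x86_64
bash-4.4.19-12.el8.x86_64
gpg-pubkey-00000000-00000000
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way librpm does: split into
    numeric and alphabetic segments, a numeric segment beats an alphabetic one,
    numeric segments compare as integers, alphabetic ones as strings, and the
    string with segments left over is the newer one.  Returns -1, 0 or 1.
    Tilde/caret ordering is not implemented (no NVR in this advisory uses it)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvra(s):
    """Split 'name-version-release.arch' (a trailing '.rpm' is dropped) into its
    parts.  Names may contain '-', version and release may not, so splitting
    from the right is unambiguous.  Raises ValueError on lines that do not
    follow the format (for example gpg-pubkey pseudo-packages)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vr_cmp(vr_a, vr_b):
    """Compare (version, release) tuples: version decides, release breaks ties."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def missing_updates(advisory_rpms, installed_lines):
    """Return (name, installed VR, required VR) for every installed package whose
    version-release is older than the advisory's binary RPM of the same name.
    Packages not covered by the advisory and unparsable lines are ignored."""
    required = {}
    for f in advisory_rpms:
        name, ver, rel, arch = parse_nvra(f)
        if arch != "src":
            required[name] = (ver, rel)
    out = []
    for line in installed_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            name, ver, rel, _arch = parse_nvra(line)
        except ValueError:
            continue
        if name in required and vr_cmp((ver, rel), required[name]) < 0:
            out.append((name, f"{ver}-{rel}", "-".join(required[name])))
    return out


def installed_from_host():
    """Hypothetical live-host hook: query rpm on this machine (not used by the sample run)."""
    return subprocess.run(["rpm", "-qa"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, have, need in missing_updates(ADVISORY_RPMS, SAMPLE_INSTALLED):
        print(f"{name}: installed {have}, advisory requires {need}")
```

Run against the constructed sample, the check reports ovirt-engine and python3-m2crypto as still below the advisory builds, while novnc and rhvm already match and bash is outside the advisory's scope. To use it on a real Manager, paste the full "Updated Packages" list into `ADVISORY_RPMS` and feed `installed_from_host()` instead of `SAMPLE_INSTALLED`.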
