Issued:
2020-09-23
Updated:
2020-09-23

RHSA-2020:3807 - Moderate: Red Hat Virtualization security, bug fix, and enhancement update

Synopsis

Moderate: Red Hat Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory Moderate

Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

  • jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

  • jQuery: passing HTML containing

  • ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)

  • VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217)

  • RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)

  • On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)

  • Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)

  • Scheduling Memory calculation disregards huge-pages (BZ#1804037)

  • Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)

  • In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339)

  • Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)

  • Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)

  • [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)

  • [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)

  • Cannot create KubeVirt VM as a normal user (BZ#1859460)

  • Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466)

  • [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)

  • VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235)

  • spec_ctrl host feature not detected (BZ#1875609)

Enhancement(s):

  • [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)

  • [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)

  • [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)

  • [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

ProductVersionArch
Red Hat Virtualization Manager4.4x86_64

Updated Packages

  • vdsm-jsonrpc-java-1.5.5-1.el8ev.src.rpm
  • ovirt-log-collector-4.4.3-1.el8ev.src.rpm
  • ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-health-check-bundler-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.2.1-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.5-1.el8ev.src.rpm
  • ovirt-engine-dwh-grafana-integration-setup-4.4.2.1-1.el8ev.noarch.rpm
  • ovirt-engine-backend-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-setup-1.4.1-1.el8ev.noarch.rpm
  • vdsm-jsonrpc-java-1.5.5-1.el8ev.noarch.rpm
  • ovirt-engine-4.4.2.3-0.6.el8ev.src.rpm
  • ovirt-engine-setup-base-4.4.2.3-0.6.el8ev.noarch.rpm
  • rhvm-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.src.rpm
  • ovirt-engine-restapi-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-setup-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-tools-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm
  • rhvm-dependencies-4.4.1-1.el8ev.noarch.rpm
  • rhvm-dependencies-4.4.1-1.el8ev.src.rpm
  • ovirt-engine-dwh-setup-4.4.2.1-1.el8ev.noarch.rpm
  • ovirt-log-collector-4.4.3-1.el8ev.noarch.rpm
  • ovirt-engine-tools-backup-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.2.1-1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-cinderlib-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-web-ui-1.6.4-1.el8ev.src.rpm
  • python3-ovirt-engine-lib-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.3-1.el8ev.noarch.rpm
  • ansible-runner-service-1.0.5-1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.3-1.el8ev.src.rpm
  • ansible-runner-service-1.0.5-1.el8ev.src.rpm
  • ovirt-web-ui-1.6.4-1.el8ev.noarch.rpm
  • ovirt-engine-dbscripts-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-common-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-webadmin-portal-4.4.2.3-0.6.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-imageio-4.4.2.3-0.6.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.5-1.el8ev.noarch.rpm

Fixes

CVEs

References

Additional information