Issued:
2020-11-24
Updated:
2020-11-24

RHSA-2020:5179 - Low: Red Hat Virtualization security, bug fix, and enhancement update

Synopsis

Low: Red Hat Virtualization security, bug fix, and enhancement update

Type/Severity

Security Advisory Low

Topic

An update is now available for Red Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The org.ovirt.engine-root is a core component of oVirt.

The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

Security Fix(es):

  • nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)

  • nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)

  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • send --nowait to libvirt when we collect qemu stats, to consume bz#1552092 (BZ#1613514)

  • Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)

  • If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)

  • Search backend cannot find VMs which name starts with a search keyword (BZ#1797717)

  • [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)

  • enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)

  • NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)

  • Adding quota to group doesn't propagate to users (BZ#1822372)

  • Engine adding PCI-E elements on XML of i440FX SeaBIOS VM created from Q35 Template (BZ#1829691)

  • Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)

  • RHV-M shows successful operation if OVA export/import failed during "qemu-img convert" phase (BZ#1854888)

  • Cannot hotplug disk reports libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)

  • rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)

  • RHV 4.4 on AMD EPYC 7742 throws an NUMA related error on VM run (BZ#1866862)

  • Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)

  • HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)

  • [CNV&RHV]Notification about VM creation contain string (BZ#1873136)

  • VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)

  • Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)

  • unable to create/add index pattern in step 5 from kcs articles#4921101 (BZ#1881634)

  • [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)

  • Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)

  • [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)

  • Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

Enhancement(s):

  • [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)

  • [RFE] - enable renaming HostedEngine VM name (BZ#1657294)

  • [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)

  • [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)

  • [RFE] RHV-M Deployment/Install Needs it's own UUID (BZ#1825020)

  • [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)

  • [RFE] Expose the "reinstallation required" flag of the hosts in the API (BZ#1856671)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

ProductVersionArch
Red Hat Virtualization Manager4.4x86_64

Updated Packages

  • ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.noarch.rpm
  • ovirt-engine-dwh-grafana-integration-setup-4.4.3.1-1.el8ev.noarch.rpm
  • ovirt-engine-dbscripts-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-restapi-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.src.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.2-1.el8ev.noarch.rpm
  • ovirt-engine-tools-backup-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-4.4.3.8-0.1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-metrics-1.4.2.1-1.el8ev.noarch.rpm
  • ovirt-web-ui-1.6.5-1.el8ev.noarch.rpm
  • ovirt-engine-health-check-bundler-4.4.3.8-0.1.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.6-1.el8ev.src.rpm
  • rhv-log-collector-analyzer-1.0.5-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-common-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-imageio-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-extension-logger-log4j-1.1.1-1.el8ev.src.rpm
  • ovirt-engine-backend-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-log-collector-4.4.4-1.el8ev.noarch.rpm
  • ovirt-engine-dwh-setup-4.4.3.1-1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.4-1.el8ev.src.rpm
  • engine-db-query-1.6.2-1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-cinderlib-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-tools-4.4.3.8-0.1.el8ev.noarch.rpm
  • engine-db-query-1.6.2-1.el8ev.noarch.rpm
  • ovirt-engine-setup-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.4-1.el8ev.noarch.rpm
  • ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.3.1-1.el8ev.noarch.rpm
  • ovirt-engine-vmconsole-proxy-helper-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-log-collector-4.4.4-1.el8ev.src.rpm
  • ovirt-engine-metrics-1.4.2.1-1.el8ev.src.rpm
  • ovirt-web-ui-1.6.5-1.el8ev.src.rpm
  • python3-ovirt-engine-lib-4.4.3.8-0.1.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.6-1.el8ev.noarch.rpm
  • ovirt-engine-webadmin-portal-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-setup-1.4.2-1.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.3.1-1.el8ev.src.rpm
  • ovirt-engine-4.4.3.8-0.1.el8ev.noarch.rpm
  • ovirt-engine-setup-base-4.4.3.8-0.1.el8ev.noarch.rpm
  • rhv-log-collector-analyzer-1.0.5-1.el8ev.src.rpm
  • rhvm-4.4.3.8-0.1.el8ev.noarch.rpm

Fixes

CVEs

References

Additional information