Issued:
2021-07-22
Updated:
2021-07-22

RHSA-2021:2865 - Moderate: RHV Manager ovirt-engine - security update [ovirt-4.4.7]

Synopsis

Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]

Type/Severity

Security Advisory Moderate

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

Security Fix(es):

  • nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

  • nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

  • nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Foreman integration, which allows you to provision bare metal hosts from the Administration Portal using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7.

Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an already provisioned host using the Administration Portal or the REST API. (BZ#1901011)

  • Adding a message banner to the web administration welcome page is straight forward using custom branding that only contains a preamble section. An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329.

In an engine upgrade, the custom preamble brand remains in place and will work without issue.

During engine backup and subsequent restore, on engine restore the custom preamble branding needs to be manually restored/reinstalled and verified. (BZ#1804774)

  • The column name threads_per_core in the Red hat Virtualization manager Dashboard is being deprecated, and will be removed in a future release. In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads. In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a future version. (BZ#1896359)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

ProductVersionArch
Red Hat Virtualization Manager4.4x86_64

Updated Packages

  • ovirt-engine-dwh-setup-4.4.7.3-1.el8ev.noarch.rpm
  • rhv-log-collector-analyzer-1.0.10-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-common-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm
  • rhvm-4.4.7.6-0.11.el8ev.noarch.rpm
  • python3-ovirt-engine-lib-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-4.4.7.6-0.11.el8ev.src.rpm
  • ovirt-engine-ui-extensions-1.2.7-1.el8ev.src.rpm
  • ovirt-engine-webadmin-portal-4.4.7.6-0.11.el8ev.noarch.rpm
  • rhvm-branding-rhv-4.4.9-1.el8ev.src.rpm
  • rhvm-branding-rhv-4.4.9-1.el8ev.noarch.rpm
  • ovirt-engine-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch.rpm
  • ovirt-engine-ui-extensions-1.2.7-1.el8ev.noarch.rpm
  • ovirt-engine-health-check-bundler-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-backend-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-dbscripts-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-dwh-4.4.7.3-1.el8ev.src.rpm
  • ovirt-web-ui-1.7.0-1.el8ev.src.rpm
  • ovirt-engine-setup-plugin-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm
  • rhv-log-collector-analyzer-1.0.10-1.el8ev.src.rpm
  • ovirt-engine-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-cinderlib-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-setup-1.4.4-1.el8ev.noarch.rpm
  • ovirt-engine-setup-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-setup-base-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-tools-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-dwh-grafana-integration-setup-4.4.7.3-1.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-restapi-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.src.rpm
  • ovirt-engine-tools-backup-4.4.7.6-0.11.el8ev.noarch.rpm
  • ovirt-web-ui-1.7.0-1.el8ev.noarch.rpm
  • ovirt-engine-setup-plugin-imageio-4.4.7.6-0.11.el8ev.noarch.rpm

Fixes

CVEs

References

Additional information