- Issued:
- 2022-06-02
- Updated:
- 2022-06-03
RHSA-2022:4896 - Important: Red Hat Virtualization security, bug fix, and enhancement update [ovirt-4.5.0]
Synopsis
Important: Red Hat Virtualization security, bug fix, and enhancement update [ovirt-4.5.0]
Type/Severity
Security Advisory Important
Topic
An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es):
-
kernel: use-after-free in RDMA listen() (CVE-2021-4028)
-
kernel: fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)
-
kernel: heap out of bounds write in nf_dup_netdev.c (CVE-2022-25636)
-
openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
-
zlib: A flaw found in zlib when compressing (not decompressing) certain inputs (CVE-2018-25032)
-
gzip: arbitrary-file-write vulnerability (CVE-2022-1271)
-
rsyslog: Heap-based overflow in TCP syslog server (CVE-2022-24903)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fixes:
-
elfutils package has been update within RHV-H Channel to match the same version released in RHEL (BZ#2038081)
-
Rebase package(s) to version 1.2.24 For highlights, important fixes, or notable enhancements: see bugs in "Depend On". (BZ#2057338)
-
Rebase package(s) to version: 4.5.0
Highlights, important fixes, or notable enhancements: (BZ#2057342)
-
Rebase package(s) to version anaconda-33.16.6.6-1.el8 For highlights and important bug fixes: include UI change for blocking installation if root password is not set. (BZ#1899821)
-
Red hat Virtualization Host has been rebased on Red Hat Enterprise Linux 8.6 (BZ#1997074)
-
Previously, concurrent executions of LV refresh (lvchange) failed. This hindered simultaneous starts of virtual machines that have thin-provisioned disks based on the same disk on a block storage domain. In this release, concurrent execution of LV refresh has been fixed in LVM2. (BZ#2020497)
-
Red Hat Virtualization Host has been rebased on latest Ceph 4.3 (BZ#2090138)
-
In previous releases systemtap package could have been installed on top of RHV-H from RHV-H channel. With 4.4 SP1 systemtap package installation is not supported anymore (BZ#2052963)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Virtualization | 4 | x86_64 |
| Red Hat Virtualization Host | 4 | x86_64 |
Updated Packages
- elfutils-debuginfod-debuginfo-0.186-1.el8.x86_64.rpm
- redhat-virtualization-host-productimg-4.5.0-2.el8.x86_64.rpm
- elfutils-debuginfo-0.186-1.el8.x86_64.rpm
- elfutils-libs-debuginfo-0.186-1.el8.x86_64.rpm
- redhat-virtualization-host-image-update-placeholder-4.5.0-5.el8ev.noarch.rpm
- redhat-virtualization-host-productimg-4.5.0-2.el8.src.rpm
- redhat-release-virtualization-host-4.5.0-5.el8ev.x86_64.rpm
- redhat-release-virtualization-host-4.5.0-5.el8ev.src.rpm
- ovirt-node-ng-nodectl-4.4.2-1.el8ev.noarch.rpm
- redhat-virtualization-host-image-update-4.5.0-202205291010_8.6.x86_64.rpm
- elfutils-debuginfod-client-debuginfo-0.186-1.el8.x86_64.rpm
- imgbased-1.2.24-1.el8ev.noarch.rpm
- ovirt-node-ng-4.4.2-1.el8ev.src.rpm
- elfutils-devel-0.186-1.el8.x86_64.rpm
- elfutils-0.186-1.el8.src.rpm
- elfutils-debugsource-0.186-1.el8.x86_64.rpm
- elfutils-libelf-debuginfo-0.186-1.el8.x86_64.rpm
- redhat-release-virtualization-host-content-4.5.0-5.el8ev.x86_64.rpm
- elfutils-debuginfod-client-0.186-1.el8.x86_64.rpm
- imgbased-1.2.24-1.el8ev.src.rpm
- python3-imgbased-1.2.24-1.el8ev.noarch.rpm
- python3-ovirt-node-ng-nodectl-4.4.2-1.el8ev.noarch.rpm
- redhat-virtualization-host-4.5.0-202205291010_8.6.src.rpm
Fixes
- This content is not included.BZ - 1899821
- This content is not included.BZ - 1997074
- This content is not included.BZ - 2020497
- This content is not included.BZ - 2027201
- This content is not included.BZ - 2029923
- This content is not included.BZ - 2038081
- This content is not included.BZ - 2052963
- This content is not included.BZ - 2056334
- This content is not included.BZ - 2056745
- This content is not included.BZ - 2056830
- This content is not included.BZ - 2057338
- This content is not included.BZ - 2057342
- This content is not included.BZ - 2062202
- This content is not included.BZ - 2067945
- This content is not included.BZ - 2073310
- This content is not included.BZ - 2081353
- This content is not included.BZ - 2086834
- This content is not included.BZ - 2090138
CVEs
- CVE-2018-25032
- CVE-2021-4028
- CVE-2021-4083
- CVE-2022-0778
- CVE-2022-1271
- CVE-2022-24903
- CVE-2022-25636
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.