- Issued:
- 2022-07-14
- Updated:
- 2022-07-14
RHSA-2022:5555 - Moderate: RHV Manager ovirt-engine - [ovirt-4.5.1] security, bug fix and update
Synopsis
Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update
Type/Severity
Security Advisory Moderate
Topic
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
-
nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)
-
apache-commons-compress: infinite loop when reading a specially crafted 7Z archive (CVE-2021-35515)
-
apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (CVE-2021-35516)
-
apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-35517)
-
apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive (CVE-2021-36090)
-
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
-
spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950)
-
semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding (CVE-2022-31051)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Virtualization Manager | 4.4 | x86_64 |
Updated Packages
- ovirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm
- rhvm-branding-rhv-4.5.0-1.el8ev.src.rpm
- postgresql-jdbc-42.2.14-1.el8ev.src.rpm
- ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-dependencies-4.5.2-1.el8ev.noarch.rpm
- ovirt-web-ui-1.9.0-1.el8ev.noarch.rpm
- ovirt-log-collector-4.4.6-1.el8ev.noarch.rpm
- ovirt-web-ui-1.9.0-1.el8ev.src.rpm
- ovirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm
- ovirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm
- ovirt-dependencies-4.5.2-1.el8ev.src.rpm
- ovirt-engine-setup-plugin-ovirt-engine-common-4.5.1.2-0.11.el8ev.noarch.rpm
- rhvm-4.5.1.2-0.11.el8ev.noarch.rpm
- apache-commons-compress-1.21-1.2.el8ev.noarch.rpm
- ovirt-engine-webadmin-portal-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm
- rhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm
- apache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm
- ovirt-engine-tools-4.5.1.2-0.11.el8ev.noarch.rpm
- postgresql-jdbc-javadoc-42.2.14-1.el8ev.noarch.rpm
- ovirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-imageio-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-log-collector-4.4.6-1.el8ev.src.rpm
- ovirt-engine-4.5.1.2-0.11.el8ev.src.rpm
- ovirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm
- ovirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm
- rhvm-branding-rhv-4.5.0-1.el8ev.noarch.rpm
- python3-ovirt-engine-lib-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm
- postgresql-jdbc-42.2.14-1.el8ev.noarch.rpm
- ovirt-engine-tools-backup-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-dwh-4.5.3-1.el8ev.src.rpm
- ovirt-engine-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm
- ovirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm
- ovirt-engine-ui-extensions-1.3.4-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm
- rhv-log-collector-analyzer-1.0.14-1.el8ev.noarch.rpm
- apache-commons-compress-1.21-1.2.el8ev.src.rpm
- ovirt-engine-setup-plugin-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm
Fixes
- This content is not included.BZ - 1663217
- This content is not included.BZ - 1782077
- This content is not included.BZ - 1849045
- This content is not included.BZ - 1852308
- This content is not included.BZ - 1958032
- This content is not included.BZ - 1966615
- This content is not included.BZ - 1976607
- This content is not included.BZ - 1981895
- This content is not included.BZ - 1981900
- This content is not included.BZ - 1981903
- This content is not included.BZ - 1981909
- This content is not included.BZ - 1994144
- This content is not included.BZ - 2001574
- This content is not included.BZ - 2001923
- This content is not included.BZ - 2006625
- This content is not included.BZ - 2007557
- This content is not included.BZ - 2030293
- This content is not included.BZ - 2068270
- This content is not included.BZ - 2069414
- This content is not included.BZ - 2070045
- This content is not included.BZ - 2072626
- This content is not included.BZ - 2081241
- This content is not included.BZ - 2081559
- This content is not included.BZ - 2089856
- This content is not included.BZ - 2092885
- This content is not included.BZ - 2093795
- This content is not included.BZ - 2097414
- This content is not included.BZ - 2099650
- This content is not included.BZ - 2105296
CVEs
- CVE-2021-3807
- CVE-2021-22096
- CVE-2021-33623
- CVE-2021-35515
- CVE-2021-35516
- CVE-2021-35517
- CVE-2021-36090
- CVE-2022-22950
- CVE-2022-31051
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.