Issued:

2022-11-16

Updated:

2022-11-16

RHSA-2022:8502 - Moderate: RHV Manager ovirt-engine - [ovirt-4.5.3] bug fix and security update

Synopsis

Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update

Type/Severity

Security Advisory Moderate

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

• follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)

• ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)

• RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)

• [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported' (BZ#1968433)

• Virtual Machine with lease fails to run on DR failover (BZ#1974535)

• Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)

• Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)

• not able to import disk in 4.5.2 (BZ#2134549)

Enhancement(s):

• [RFE] Show last events for user VMs (BZ#1886211)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Updated Packages

• ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm
• ovirt-web-ui-1.9.2-1.el8ev.src.rpm
• rhvm-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm
• python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-4.5.3.2-1.el8ev.src.rpm
• ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm
• ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm
• ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
• ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm

Fixes

• This content is not included.BZ - 1705338
• This content is not included.BZ - 1836318
• This content is not included.BZ - 1886211
• This content is not included.BZ - 1968433
• This content is not included.BZ - 1974535
• This content is not included.BZ - 1983567
• This content is not included.BZ - 2044556
• This content is not included.BZ - 2079545
• This content is not included.BZ - 2118672
• This content is not included.BZ - 2123141
• This content is not included.BZ - 2127836
• This content is not included.BZ - 2134549
• This content is not included.BZ - 2137207

CVEs

• CVE-2022-0155
• CVE-2022-2805

References

• https://access.redhat.com/security/updates/classification/#moderate

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.