Issued:: 2022-12-01
Updated:: 2022-12-01

RHSA-2022:8750 - Moderate: OpenShift Virtualization 4.11.1 security and bug fix update

Synopsis

Moderate: OpenShift Virtualization 4.11.1 security and bug fix update

Type/Severity

Security Advisory Moderate

Topic

Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

Security Fix(es):

golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)
golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api (BZ#2033191)
Restart of VM Pod causes SSH keys to be regenerated within VM (BZ#2087177)
Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR (BZ#2089391)
[4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass (BZ#2098225)
Fedora version in DataImportCrons is not 'latest' (BZ#2102694)
[4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted (BZ#2109407)
CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls (BZ#2110562)
Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based (BZ#2112643)
Unable to start windows VMs on PSI setups (BZ#2115371)
[4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 (BZ#2128997)
Mark Windows 11 as TechPreview (BZ#2129013)
4.11.1 rpms (BZ#2139453)

This advisory contains the following OpenShift Virtualization 4.11.1 images.

RHEL-8-CNV-4.11

virt-cdi-operator-container-v4.11.1-5 virt-cdi-uploadserver-container-v4.11.1-5 virt-cdi-apiserver-container-v4.11.1-5 virt-cdi-importer-container-v4.11.1-5 virt-cdi-controller-container-v4.11.1-5 virt-cdi-cloner-container-v4.11.1-5 virt-cdi-uploadproxy-container-v4.11.1-5 checkup-framework-container-v4.11.1-3 kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7 kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7 kubevirt-template-validator-container-v4.11.1-4 virt-handler-container-v4.11.1-5 hostpath-provisioner-operator-container-v4.11.1-4 virt-api-container-v4.11.1-5 vm-network-latency-checkup-container-v4.11.1-3 cluster-network-addons-operator-container-v4.11.1-5 virtio-win-container-v4.11.1-4 virt-launcher-container-v4.11.1-5 ovs-cni-marker-container-v4.11.1-5 hyperconverged-cluster-webhook-container-v4.11.1-7 virt-controller-container-v4.11.1-5 virt-artifacts-server-container-v4.11.1-5 kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7 kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7 libguestfs-tools-container-v4.11.1-5 hostpath-provisioner-container-v4.11.1-4 kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7 kubevirt-tekton-tasks-copy-template-container-v4.11.1-7 cnv-containernetworking-plugins-container-v4.11.1-5 bridge-marker-container-v4.11.1-5 virt-operator-container-v4.11.1-5 hostpath-csi-driver-container-v4.11.1-4 kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7 kubemacpool-container-v4.11.1-5 hyperconverged-cluster-operator-container-v4.11.1-7 kubevirt-ssp-operator-container-v4.11.1-4 ovs-cni-plugin-container-v4.11.1-5 kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7 kubevirt-tekton-tasks-operator-container-v4.11.1-2 cnv-must-gather-container-v4.11.1-8 kubevirt-console-plugin-container-v4.11.1-9 hco-bundle-registry-container-v4.11.1-49

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Container Native Virtualization	4.11	x86_64
Red Hat Container Native Virtualization	4.11	x86_64

Fixes

CVEs

CVE-2015-20107
CVE-2016-3709
CVE-2020-0256
CVE-2020-35525
CVE-2020-35527
CVE-2021-0308
CVE-2021-38561
CVE-2022-0391
CVE-2022-0934
CVE-2022-1292
CVE-2022-1304
CVE-2022-1586
CVE-2022-1785
CVE-2022-1897
CVE-2022-1927
CVE-2022-2068
CVE-2022-2097
CVE-2022-2509
CVE-2022-3515
CVE-2022-22624
CVE-2022-22628
CVE-2022-22629
CVE-2022-22662
CVE-2022-24675
CVE-2022-24795
CVE-2022-24921
CVE-2022-25308
CVE-2022-25309
CVE-2022-25310
CVE-2022-26700
CVE-2022-26709
CVE-2022-26710
CVE-2022-26716
CVE-2022-26717
CVE-2022-26719
CVE-2022-27404
CVE-2022-27405
CVE-2022-27406
CVE-2022-28327
CVE-2022-29154
CVE-2022-30293
CVE-2022-30629
CVE-2022-30698
CVE-2022-30699
CVE-2022-32206
CVE-2022-32208
CVE-2022-34903
CVE-2022-37434
CVE-2022-38177
CVE-2022-38178
CVE-2022-40674

References

https://access.redhat.com/security/updates/classification/#moderate

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.