Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
A list of bugs fixed in this update is available in the Technical Notes book:
Security Fix(es):
nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)
Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
jQuery: passing HTML containing
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/2974891
Affected Products
Red Hat Virtualization Manager 4.4 x86_64
Fixes
BZ - 1080097 - [RFE] Allow editing disks details in the Disks tab
BZ - 1325468 - [RFE] Autostart of VMs that are down (with Engine assistance - Engine has to be up)
BZ - 1546838 - [RFE] Refuse to deploy on localhost.localdomain
BZ - 1547937 - [RFE] Live Storage Migration progress bar.
BZ - 1585986 - [HE] When lowering the cluster compatibility, we need to force update the HE storage OVF store to ensure it can start up (migration will not work).
BZ - 1593800 - [RFE] forbid new mac pools with overlapping ranges
BZ - 1596178 - inconsistent display between automatic and manual Pool Type
BZ - 1600059 - [RFE] Add by default a storage lease to HA VMs
BZ - 1610212 - After updating to RHV 4.1 while trying to edit the disk, getting error "Cannot edit Virtual Disk. Cannot edit Virtual Disk. Disk extension combined with disk compat version update isn't supported. Please perform the updates separately."
BZ - 1611395 - Unable to list Compute Templates in RHV 4.2 from Satellite 6.3.2
BZ - 1616451 - [UI] add a tooltip to explain the supported matrix for the combination of disk allocation policies, formats and the combination result
BZ - 1637172 - Live Merge hung in the volume deletion phase, leaving snapshot in a LOCKED state
BZ - 1640908 - Javascript Error popup when Managing StorageDomain with LUNs and 400+ paths
BZ - 1642273 - [UI] - left nav border highlight missing in RHV
BZ - 1647440 - [RFE][UI] Provide information about the VM next run
BZ - 1648345 - Jobs are not properly cleaned after a failed task.
BZ - 1650417 - HA is broken for VMs having disks in NFS storage domain because of Qemu OFD locking
BZ - 1650505 - Increase of ClusterCompatibilityVersion to Cluster with virtual machines with outstanding configuration changes, those changes will be reverted
BZ - 1651406 - [RFE] Allow Maintenance of Host with Enforcing VM Affinity Rules (hard affinity)
BZ - 1651939 - a new size of the direct LUN not updated in Admin Portal
BZ - 1687345 - Snapshot with memory volumes can fail if the memory dump takes more than 180 seconds
BZ - 1690026 - [RFE] - Creating an NFS storage domain the engine should let the user specify exact NFS version v4.0 and not just v4
BZ - 1690155 - Disk migration progress bar not clearly visible and unusable.
BZ - 1690475 - When a live storage migration fails, the auto generated snapshot does not get removed
BZ - 1691562 - Cluster level changes are not increasing VMs generation numbers and so a new OVF_STORE content is not copied to the shared storage
BZ - 1692592 - "Enable menu to select boot device shows 10 device listed with cdrom at 10th slot but when selecting 10 option the VM took 1 as option and boot with disk
BZ - 1693628 - Engine generates too many updates to vm_dynamic table due to the session change
BZ - 1693813 - Do not change DC level if there are VMs running/paused with older CL.
BZ - 1695026 - Failure in creating snapshots during "Live Storage Migration" can result in a nonexistent snapshot
BZ - 1695635 - [RFE] Improve Host Drop-down menu in different Dialogs (i.e. Alphabetical sort of Hosts in Remove|New StorageDomains)
BZ - 1696245 - [RFE] Allow full customization while cloning a VM
BZ - 1698102 - Print a warning message to engine-setup, which highlights that other clusters than the Default one are not modified to use ovirt-provider-ovn as the default network provider
BZ - 1700021 - [RFE] engine-setup should warn and prompt if ca.pem is missing but other generated pki files exist
BZ - 1700036 - [RFE] Add RedFish API for host power management for RHEV
BZ - 1700319 - VM is going to pause state with "storage I/O error".
BZ - 1700338 - [RFE] Alternate method to configure the email Event Notifier for a user in RHV through API (instead of RHV GUI)
BZ - 1700725 - [scale] RHV-M runs out of memory due to too much data reported by the guest agent
BZ - 1703112 - PCI address of NICs are not stored in the database after a hotplug of passthrough NIC resulting in change of network device name in VM after a reboot
BZ - 1703428 - VMs migrated from KVM to RHV show warning 'The latest guest agent needs to be installed and running on the guest'
BZ - 1707225 - [cinderlib] Cinderlib DB is missing a backup and restore option
BZ - 1720795 - New guest tools are available mark in case of guest tool located on Data Domain
BZ - 1724959 - RHV recommends reporting issues to GitHub rather than access.redhat.com (ovirt->RHV rebrand glitch?)
BZ - 1727025 - NPE in DestroyImage endAction during live merge leaving a task in DB for hours causing operations depending on host clean tasks to fail as Deactivate host/StopSPM/deactivate SD
BZ - 1728472 - Engine reports network out of sync due to ipv6 default gateway via ND RA on a non default route network.
BZ - 1729511 - engine-setup fails to upgrade to 4.3 with Unicode characters in CA subject
BZ - 1729811 - [scale] updatevmdynamic broken if too many users logged in - psql ERROR: value too long for type character varying(255)
BZ - 1730264 - VMs will fail to start if the vnic profile attached is having port mirroring enabled and have name greater than 15 characters
BZ - 1730436 - Snapshot creation was successful, but snapshot remains locked
BZ - 1731212 - RHV 4.4 landing page does not show login or allow scrolling.
BZ - 1731590 - Cannot preview snapshot, it fails and VM remains locked.
BZ - 1733031 - [RFE] Add warning when importing data domains to newer DC that may trigger SD format upgrade
BZ - 1733529 - Consume python-ovsdbapp dependencies from OSP in RHEL 8 RHV 4.4
BZ - 1733843 - Export to OVA fails if VM is running on the Host doing the export
BZ - 1734839 - Unable to start guests in our Power9 cluster without running in headless mode.
BZ - 1737234 - Attach a non-existent ISO to vm by the API return 201 and marks the Attach CD checkbox as ON
BZ - 1737684 - Engine deletes the leaf volume when SnapshotVDSCommand timed out without checking if the volume is still used by the VM
BZ - 1740978 - [RFE] Warn or Block importing VMs/Templates from unsupported compatibility levels.
BZ - 1741102 - host activation causes RHHI nodes to lose the quorum
BZ - 1741271 - Move/Copy disk are blocked if there is less space in source SD than the size of the disk
BZ - 1741625 - VM fails to be re-started with error: Failed to acquire lock: No space left on device
BZ - 1743690 - Commit and Undo buttons active when no snapshot selected
BZ - 1744557 - RHV 4.3 throws an exception when trying to access VMs which have snapshots from unsupported compatibility levels
BZ - 1809875 - rhv-image-discrepancies only compares images on the last DC
BZ - 1809877 - rhv-image-discrepancies sends dump-volume-chains with parameter that is ignored
BZ - 1810893 - mountOptions is ignored for "import storage domain" from GUI
BZ - 1811865 - [Scale] Host Monitoring generates excessive amount of qos related sql queries
BZ - 1811869 - [Scale] Webadmin\REST for host interface list response time is too long because of excessive amount of qos related sql queries
BZ - 1812875 - Unable to create VMs when French language is selected for the rhvm gui.
BZ - 1813305 - Engine updating SLA policies of VMs continuously in an environment which is not having any QOS configured
BZ - 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
BZ - 1814197 - [CNV&RHV] when provider is removed DC is left behind and active
BZ - 1814215 - [CNV&RHV] Adding new provider to engine fails after successful test