Synopsis
Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
Type/Severity
Security Advisory: Low
Topic
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
Security Fix(es):
- jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
Affected Products
-
Red Hat Virtualization Manager 4.4 x86_64
Fixes
- BZ - 1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
- BZ - 1702237 - [RFE] add API for listing disksnapshots under disk resource
- BZ - 1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.
- BZ - 1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
- BZ - 1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
- BZ - 1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.
- BZ - 1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
- BZ - 1881115 - RHEL VM icons squashed, please adhere to brand rules
- BZ - 1881357 - German language greeting page says Red Hat®
- BZ - 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
- BZ - 1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
- BZ - 1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
- BZ - 1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
- BZ - 1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
- BZ - 1903595 - [PPC] Can't add PPC host to Engine
CVEs
References