Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update

Synopsis

Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Virtualization release 4.10.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.10.0 images:

RHEL-8-CNV-4.10
===============

kubevirt-velero-plugin-container-v4.10.0-8
virtio-win-container-v4.10.0-10
kubevirt-template-validator-container-v4.10.0-16
hostpath-csi-driver-container-v4.10.0-32
hostpath-provisioner-container-v4.10.0-32
hostpath-provisioner-operator-container-v4.10.0-62
cnv-must-gather-container-v4.10.0-110
virt-cdi-controller-container-v4.10.0-90
virt-cdi-apiserver-container-v4.10.0-90
virt-cdi-uploadserver-container-v4.10.0-90
virt-cdi-uploadproxy-container-v4.10.0-90
virt-cdi-operator-container-v4.10.0-90
virt-cdi-cloner-container-v4.10.0-90
virt-cdi-importer-container-v4.10.0-90
kubevirt-ssp-operator-container-v4.10.0-50
virt-api-container-v4.10.0-217
hyperconverged-cluster-webhook-container-v4.10.0-133
libguestfs-tools-container-v4.10.0-217
virt-handler-container-v4.10.0-217
virt-launcher-container-v4.10.0-217
virt-artifacts-server-container-v4.10.0-217
virt-controller-container-v4.10.0-217
node-maintenance-operator-container-v4.10.0-48
hyperconverged-cluster-operator-container-v4.10.0-133
virt-operator-container-v4.10.0-217
cnv-containernetworking-plugins-container-v4.10.0-49
kubemacpool-container-v4.10.0-49
bridge-marker-container-v4.10.0-49
ovs-cni-marker-container-v4.10.0-49
ovs-cni-plugin-container-v4.10.0-49
kubernetes-nmstate-handler-container-v4.10.0-49
cluster-network-addons-operator-container-v4.10.0-49
hco-bundle-registry-container-v4.10.0-696

Security Fix(es):

  • golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
  • golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)
  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
  • golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
  • golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Fixes

  • BZ - 1760028 - CPU compatibility is not checked when migrating host-model VMs
  • BZ - 1855182 - [Storage] Clone cannot be continued after `virtctl stop` of the VM if the clone DV has existed for more than 3 minutes
  • BZ - 1906151 - High CPU/Memory usage of Kube API server following a CNV installation
  • BZ - 1918294 - VM created from template when OCS is default SC fails to start on "source volumeMode (Block) and target volumeMode (Filesystem) do not match"
  • BZ - 1935217 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Storage
  • BZ - 1945586 - CPU pinning is incorrect after live migration
  • BZ - 1958085 - No option to deploy the templates to a non-shared (non default) namespace
  • BZ - 1959039 - must-gather doesn't collect iptables info of CNV VM anymore
  • BZ - 1975978 - canary-release-openshift-origin-installer-e2e-aws-4.7-cnv is permfailing
  • BZ - 1983079 - No "permittedHostDevices" section in HCO CR, which allows any host device in the VM spec
  • BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
  • BZ - 1986970 - Node outages can lead to (legitimate) mass restarts of VMs which can block our controller
  • BZ - 1987009 - [tracker] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
  • BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
  • BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
  • BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
  • BZ - 1990061 - [virt] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
  • BZ - 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
  • BZ - 1992231 - hostpath-provisioner Pods are not created
  • BZ - 1993454 - Improve ImageIO import performance
  • BZ - 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
  • BZ - 1997540 - Missing kcs: OpenShift Virtualization limits
  • BZ - 1998300 - CNV VMs do not contain the cluster domain name in the FQDN
  • BZ - 1999110 - 4.10.0 containers
  • BZ - 1999636 - 4.10.0 rpms
  • BZ - 2000480 - Using deprecated 1.25 API calls
  • BZ - 2001984 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a PVC
  • BZ - 2001987 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a DV
  • BZ - 2002272 - Unable to LiveMigrate a VM with nonroot VirtLauncher Pod
  • BZ - 2003704 - Switch live migration to use unix sockets
  • BZ - 2007397 - Unexpected killing of virt-launcher pod, can result in loss of data for hotplugged volumes
  • BZ - 2008140 - [4.10.0] CNV fails to deploy due to unavailable SSP virt-template-validator
  • BZ - 2008411 - [4.10.0] SSP operator creates kubevirt-os-images instead of openshift-virtualization-os-images namespace
  • BZ - 2008938 - missing spec.priorityClassName for pod hyperconverged-cluster-cli-download
  • BZ - 2008949 - Multiple storage pods are missing spec.priorityClassName
  • BZ - 2008975 - v4.10.0-142 CNV contains outdated ssp-operator and virt-template-validator
  • BZ - 2010540 - HCO.status.relatedObjects are not getting updated with correct resourceVersion of reconciled resources
  • BZ - 2010908 - [MTV] VM remains in printableStatus: Provisioning in cold migration
  • BZ - 2012920 - nncp in progressing state forever when cluster is having Windows node
  • BZ - 2013160 - Create an offline VM with storageClass HPP is always in 'Provisioning' status
  • BZ - 2013455 - Guest agent reports unreliable status when mac address is changed
  • BZ - 2015327 - hostpath-provisioner pods do not have any resources.requests values set up
  • BZ - 2017255 - Migration of VM doesn't clean up the target pod in time in case of failed migration
  • BZ - 2018457 - Windows high performance templates should use virtio storage
  • BZ - 2018925 - Metric kubevirt_vmi_memory_used_total_bytes is not reporting correct value
  • BZ - 2018970 - RHEL9 alpha template - support level is "Full"
  • BZ - 2019053 - DV with immediate bind remains in WaitForFirstConsumer
  • BZ - 2021992 - [cnv-4.10.0] After upgrade, live migration is Pending
  • BZ - 2025295 - Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2025750 - must-gather | nft files are not collected for nodes
  • BZ - 2025878 - The import cron pod is not deleted after deleting the DataImportCron if the import has failed
  • BZ - 2026336 - [SNO] We see multiple replicas of virt-api, virt-controller and virt-operator
  • BZ - 2026363 - kubemacpool is rotating kubernetes-nmstate certificates
  • BZ - 2026665 - Unable to ssh to a VM when running with Service Mesh
  • BZ - 2026667 - Alerts: SSPDown and SSPTemplateValidatorDown are constantly in Firing state
  • BZ - 2027420 - [SNO] SR-IOV operator fails to install after CNV is installed
  • BZ - 2027922 - Typo on LowKVMNodesCount summary
  • BZ - 2029343 - High performance VM fail to start on libvirt error (kvm-hint-dedicated)
  • BZ - 2029767 - Enactment goes to pending even when maxunavailable is set to 100% in nncp
  • BZ - 2030660 - ImageStream rhel8-guest and rhel9-guest are managed by HCO but they are not getting reconciled
  • BZ - 2030686 - must-gather | missing SRIOV namespace subdir under collected dir
  • BZ - 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
  • BZ - 2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
  • BZ - 2031033 - VM migration from VMware fail on missing v2v-vmware ConfigMap in OCP-4.10/CNV-4.10
  • BZ - 2031688 - hostpath-provisioner-operator deployment is referencing upstream images
  • BZ - 2031727 - [CNV-4.10] kubemacpool & nmstate pods stuck in pending state
  • BZ - 2031919 - [SNO] we cannot cleanly remove the product on SNO due to kubevirt apiservices leftovers
  • BZ - 2032045 - When alert VirtControllerRESTErrorsHigh triggered it keeps in Firing state for hours (even when there are no failed api calls anymore)
  • BZ - 2032845 - SSP CR | reason field's value in SSP CR status.conditions is not CamelCased
  • BZ - 2032873 - [4.9] Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2032876 - [4.8] Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2033240 - Template golden image parameter names should be updated
  • BZ - 2033252 - nncp changing its status between "ConfigurationProgressing" and "SuccessfullyConfigured" every few minutes
  • BZ - 2034544 - disk.img file is resized up for HPP and NFS storage classes
  • BZ - 2035008 - Auto-update boot sources: CDI tries to import even when a PVC already exists; dataSources are not updated
  • BZ - 2035324 - Trying to uninstall CNV with `uninstallStrategy: RemoveWorkloads` and existing workloads leaves the system in a corrupted state
  • BZ - 2035658 - NMPolicy can't replace strings using captures, making teardown not possible
  • BZ - 2035677 - Windows10 VM with CDROM migration fails
  • BZ - 2036220 - Recommended disk image url is outdated in Fedora 33+ template description
  • BZ - 2036483 - HCO Enablement | reconciliation error adding a custom cron template
  • BZ - 2036605 - Auto-update boot sources: DataSource Ready status is not updated if there's no DataImportCron associated with it
  • BZ - 2037270 - Auto-update boot sources: CentOS and Fedora DVs fail to import due to docker references
  • BZ - 2037290 - Dataimportcron keeps re-creating when enable the feature gate
  • BZ - 2037312 - CNV occasionally cannot be removed due to leftovers dataImportCrons
  • BZ - 2037421 - SSP default log level should be set to "info"
  • BZ - 2038679 - Clone with volume mode file system using Storage API fails
  • BZ - 2038825 - Ubuntu, centos6 and opensuse templates should be removed from common templates bundle in downstream
  • BZ - 2038831 - SAP HANA template should not contain evictionStrategy: LiveMigrate
  • BZ - 2038985 - No feedback when HPP path is sharing host filesystem
  • BZ - 2039196 - DataImportCron with imagestream source does not support image tags
  • BZ - 2039208 - Recording Rule "kubevirt_vm_container_free_memory_bytes" is not working
  • BZ - 2039489 - KubePersistentVolumeFillingUp Firing for VM disk Filesystem PVCs
  • BZ - 2039683 - HANA Template - remove default values for network names
  • BZ - 2039686 - SAP HANA template - container disk registry should be updated
  • BZ - 2039691 - SAP HANA template - set node label instead of node for node selection
  • BZ - 2040113 - The component value of virt-operator label is different with other virt components
  • BZ - 2040115 - Labels "part-of" and "version" in virt components are missing
  • BZ - 2041519 - Custom DataImportCron with the same name as CNV-provided DataImportCron can be added via HCO overwriting configuration
  • BZ - 2041530 - HPP CSI CR can't be deleted if it's a combination of a basic storage pool, and a pvcTemplate
  • BZ - 2042139 - HPP-operator reconciling CSI even if nothing is happening
  • BZ - 2042799 - All existing templates are marked as deprecated after CNV upgrade
  • BZ - 2042842 - SAP HANA template - SR-IOV NICs should not specify model virtio
  • BZ - 2042856 - Getting 'jq' error while running 'must-gather' command
  • BZ - 2042880 - 'yq' command is missing in downstream must-gather image
  • BZ - 2042908 - hotplugs not included in VMSnapshot
  • BZ - 2044348 - VM with ocs-storagecluster-cephfs sc keeps in CrashLoopBackOff
  • BZ - 2044398 - SSP should not update DataSource managed by DataImportCron
  • BZ - 2046271 - virt-cdi-importer fails to import a VM image when clusterwide proxy configured
  • BZ - 2048227 - Common templates - DATA_SOURCE_NAMESPACE value should be updated in d/s
  • BZ - 2048275 - HPP mounter deployment crashes on parsing lsblk output
  • BZ - 2051105 - DataSources, managed by DataImportCron, are not reconciled when edited
  • BZ - 2051693 - DataSource (which has a golden image and was opted-in/out using cdi label) will be reconciled and will not actually be opted out
  • BZ - 2051968 - virt-freezer binary missing from downstream virt-launcher
  • BZ - 2052489 - KubevirtVmHighMemoryUsage is based on limit not request
  • BZ - 2053027 - nmpolicy cannot clone IP config of the default NIC carrying static IPv6
  • BZ - 2058167 - Post deploy on a baremetal cluster SSP is looping attempting to reconcile