Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

Synopsis

Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.

The following packages have been upgraded to a later upstream version: qemu-kvm (6.2.0), libvirt (8.0.0), libvirt-python (8.0.0), perl-Sys-Virt (8.0.0), seabios (1.15.0), libtpms (0.9.1). (BZ#1997410, BZ#2012802, BZ#2012806, BZ#2012813, BZ#2018392, BZ#2027716, BZ#2029355)

Security Fix(es):

  • QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu (CVE-2021-3748)
  • ntfs-3g: Out-of-bounds heap buffer access in ntfs_get_attribute_value() due to incorrect check of bytes_in_use value in MFT records (CVE-2021-33285)
  • ntfs-3g: Heap buffer overflow triggered by a specially crafted Unicode string (CVE-2021-33286)
  • ntfs-3g: Heap buffer overflow in ntfs_attr_pread_i() triggered by specially crafted NTFS attributes (CVE-2021-33287)
  • ntfs-3g: Heap buffer overflow triggered by a specially crafted MFT section (CVE-2021-33289)
  • ntfs-3g: Heap buffer overflow triggered by a specially crafted NTFS inode pathname (CVE-2021-35266)
  • ntfs-3g: Stack buffer overflow triggered when correcting differences between MFT and MFTMirror sections (CVE-2021-35267)
  • ntfs-3g: Heap buffer overflow in ntfs_inode_real_open() triggered by a specially crafted NTFS inode (CVE-2021-35268)
  • ntfs-3g: Heap buffer overflow in ntfs_attr_setup_flag() triggered by a specially crafted NTFS attribute from MFT (CVE-2021-35269)
  • ntfs-3g: NULL pointer dereference in ntfs_extent_inode_open() (CVE-2021-39251)
  • ntfs-3g: Out-of-bounds read in ntfs_ie_lookup() (CVE-2021-39252)
  • ntfs-3g: Out-of-bounds read in ntfs_runlists_merge_i() (CVE-2021-39253)
  • ntfs-3g: Integer overflow in memmove() leading to heap buffer overflow in ntfs_attr_record_resize() (CVE-2021-39254)
  • ntfs-3g: Out-of-bounds read in ntfs_attr_find_in_attrdef() triggered by an invalid attribute (CVE-2021-39255)
  • ntfs-3g: Heap buffer overflow in ntfs_inode_lookup_by_name() (CVE-2021-39256)
  • ntfs-3g: Endless recursion from ntfs_attr_pwrite() triggered by an unallocated bitmap (CVE-2021-39257)
  • ntfs-3g: Out-of-bounds reads in ntfs_attr_find() and ntfs_external_attr_find() (CVE-2021-39258)
  • ntfs-3g: Out-of-bounds access in ntfs_inode_lookup_by_name() caused by an unsanitized attribute length (CVE-2021-39259)
  • ntfs-3g: Out-of-bounds access in ntfs_inode_sync_standard_information() (CVE-2021-39260)
  • ntfs-3g: Heap buffer overflow in ntfs_compressed_pwrite() (CVE-2021-39261)
  • ntfs-3g: Out-of-bounds access in ntfs_decompress() (CVE-2021-39262)
  • ntfs-3g: Heap buffer overflow in ntfs_get_attribute_value() caused by an unsanitized attribute (CVE-2021-39263)
  • libnbd: nbdcopy: missing error handling may create corrupted destination image (CVE-2022-0485)
  • hivex: stack overflow due to recursive call of _get_children() (CVE-2021-3622)
  • nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS (CVE-2021-3716)
  • libvirt: segmentation fault during VM shutdown can lead to vdsm hang (CVE-2021-3975)
  • QEMU: NULL pointer dereference in mirror_wait_on_conflicts() in block/mirror.c (CVE-2021-4145)
  • QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c (CVE-2021-4158)
  • QEMU: block: fdc: null pointer dereference may lead to guest crash (CVE-2021-20196)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions 8.6 x86_64
  • Red Hat CodeReady Linux Builder for x86_64 8 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
  • Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
  • Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6 aarch64

Fixes

  • BZ - 1510237 - Libvirt should use ovs-vsctl for setting QoS for TAPs plugged into ovs.
  • BZ - 1677608 - Libvirt cannot get disk info of the guest with sata disk installed on VMware
  • BZ - 1689202 - RFE: check limit on number of SEV guests
  • BZ - 1738392 - Libvirt cannot get disk info of the guest installed on vmware when disk Minor device number >15
  • BZ - 1743098 - QEMU core dumped after unplug balloon device under q35 with Win2019 guest
  • BZ - 1806857 - "An error occurred, but the cause is unknown" raised when starting VM with non-existed numa node in <numatune>
  • BZ - 1810863 - virtlogd does not start while starting virtqemud service
  • BZ - 1836094 - virt-inspector fails to display the applications of RHEL 9 and OpenSUSE Tumbleweed (using sqlite rpmdb)
  • BZ - 1845468 - [backport] libvirt crashes when stopping daemon after virsh command
  • BZ - 1852762 - [RHEL8.6]Error message need update when boot guest with '-M pc -cpu Icelake-Server,+intel-pt'
  • BZ - 1867087 - Forward-port 'blockdev-reopen' enablement upstream
  • BZ - 1919210 - CVE-2021-20196 QEMU: block: fdc: null pointer dereference may lead to guest crash
  • BZ - 1924972 - Guest whose os is installed multiple disks but boot partition is installed on single disk can't boot into OS on RHEL 8
  • BZ - 1926508 - [RFE] network: allow configuring dhcp lease time
  • BZ - 1942275 - Can not restore guest from a block device
  • BZ - 1943203 - Virt-v2v should set video type as qxl after converting win10, win2016 and win2019 to local
  • BZ - 1953389 - libvirt qemu capabilities cache not invalidated after TSX enable/disable.
  • BZ - 1965140 - RFE: Support to define automatically start mdev device after reboot by 'virsh nodedev-define'
  • BZ - 1965589 - Taint message generated during vm running is not preserved during libvirtd restart
  • BZ - 1965638 - Guest kernel panic when booting with qemu-6.0.50 using custom libvirt XML
  • BZ - 1972515 - Windows Installation blocked on 4k disk when using blk+raw+iothread
  • BZ - 1975489 - CVE-2021-3622 hivex: stack overflow due to recursive call of _get_children()
  • BZ - 1975840 - Windows guest hangs after updating and restarting from the guest OS
  • BZ - 1978574 - allocpages fails silently on arch without NUMA (s390x)
  • BZ - 1981782 - qemu segfault after the 2nd postcopy live migration with vhost-user
  • BZ - 1982993 - migrate failed on no-socket protocol when open multifd
  • BZ - 1983684 - Wrong socket address in qemu while using 'tight=on'
  • BZ - 1984721 - Unclear error message while hotplugging the same chardev
  • BZ - 1985451 - Remove downstream-only commit allowing x-blockdev-reopen for libvirt when rebasing to qemu-6.1+
  • BZ - 1988104 - [AMD 8.6 bugs] Support protection keys in an AMD EPYC-Milan VM
  • BZ - 1988986 - [WRB][QEMU6.1]hotplug and hot-unplug all can not plug/un-plug the virtio device successfully
  • BZ - 1989338 - [Upstream] QEMU core dumped if launch with '-smp , maxcpus=4'
  • BZ - 1989520 - Reduce container size that uses libguestfs-tools
  • BZ - 1990135 - Fix data corruption in nbdkit-cow-filter and nbdkit-cache-filter
  • BZ - 1994695 - CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
  • BZ - 1995865 - Wrong backing-fmt in QMP command when do push mode incremental backup for luks encrypted qcow2 disk
  • BZ - 1996530 - There Is ' VFIO_MAP_DMA failed' Info in HMP When Rebooting Guest After Installation
  • BZ - 1997410 - Rebase to QEMU 6.1.0
  • BZ - 1998514 - CVE-2021-3748 QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu
  • BZ - 1998947 - Add machine type compatibility update for 6.1 rebase [aarch64]
  • BZ - 1998949 - Add machine type compatibility update for 6.1 rebase [ppc64le]
  • BZ - 1998950 - Add machine type compatibility update for 6.1 rebase [s390x]
  • BZ - 2000225 - Initial rebase for virt:rhel components based on AV
  • BZ - 2001525 - [WRB][virtual network][qemu-6.1.50-1]Can not boot up guest with 14 devices via pcie-root-port
  • BZ - 2001608 - CVE-2021-33285 ntfs-3g: Out-of-bounds heap buffer access in ntfs_get_attribute_value() due to incorrect check of bytes_in_use value in MFT records
  • BZ - 2001609 - CVE-2021-33286 ntfs-3g: Heap buffer overflow triggered by a specially crafted Unicode string
  • BZ - 2001613 - CVE-2021-33287 ntfs-3g: Heap buffer overflow in ntfs_attr_pread_i() triggered by specially crafted NTFS attributes
  • BZ - 2001616 - CVE-2021-33289 ntfs-3g: Heap buffer overflow triggered by a specially crafted MFT section
  • BZ - 2001619 - CVE-2021-35266 ntfs-3g: Heap buffer overflow triggered by a specially crafted NTFS inode pathname
  • BZ - 2001621 - CVE-2021-35267 ntfs-3g: Stack buffer overflow triggered when correcting differences between MFT and MFTMirror sections
  • BZ - 2001623 - CVE-2021-35268 ntfs-3g: Heap buffer overflow in ntfs_inode_real_open() triggered by a specially crafted NTFS inode
  • BZ - 2001645 - CVE-2021-35269 ntfs-3g: Heap buffer overflow in ntfs_attr_setup_flag() triggered by a specially crafted NTFS attribute from MFT
  • BZ - 2001649 - CVE-2021-39251 ntfs-3g: NULL pointer dereference in ntfs_extent_inode_open()
  • BZ - 2001650 - CVE-2021-39252 ntfs-3g: Out-of-bounds read in ntfs_ie_lookup()
  • BZ - 2001651 - CVE-2021-39253 ntfs-3g: Out-of-bounds read in ntfs_runlists_merge_i()
  • BZ - 2001652 - CVE-2021-39254 ntfs-3g: Integer overflow in memmove() leading to heap buffer overflow in ntfs_attr_record_resize()
  • BZ - 2001653 - CVE-2021-39255 ntfs-3g: Out-of-bounds read in ntfs_attr_find_in_attrdef() triggered by an invalid attribute
  • BZ - 2001654 - CVE-2021-39256 ntfs-3g: Heap buffer overflow in ntfs_inode_lookup_by_name()
  • BZ - 2001656 - CVE-2021-39257 ntfs-3g: Endless recursion from ntfs_attr_pwrite() triggered by an unallocated bitmap
  • BZ - 2001658 - CVE-2021-39258 ntfs-3g: Out-of-bounds reads in ntfs_attr_find() and ntfs_external_attr_find()
  • BZ - 2001659 - CVE-2021-39259 ntfs-3g: Out-of-bounds access in ntfs_inode_lookup_by_name() caused by an unsanitized attribute length
  • BZ - 2001661 - CVE-2021-39260 ntfs-3g: Out-of-bounds access in ntfs_inode_sync_standard_information()
  • BZ - 2001662 - CVE-2021-39261 ntfs-3g: Heap buffer overflow in ntfs_compressed_pwrite()
  • BZ - 2001665 - CVE-2021-39262 ntfs-3g: Out-of-bounds access in ntfs_decompress()
  • BZ - 2001667 - CVE-2021-39263 ntfs-3g: Heap buffer overflow in ntfs_get_attribute_value() caused by an unsanitized attribute
  • BZ - 2002607 - CVE-2021-4145 virt:rhel/qemu-kvm: QEMU: NULL pointer dereference in mirror_wait_on_conflicts() in block/mirror.c [rhel-8.6.0]
  • BZ - 2002694 - remove qemu-kiwi rpm from qemu-kvm sources in rhel-8.6
  • BZ - 2002907 - Unexpectedly failed when managedsave the guest which has qxl video device
  • BZ - 2003071 - qemu-kvm scsi: change default passthrough timeout to non-infinite [rhel-8.6.0]
  • BZ - 2003679 - qemu-kvm crashes after I use virt-viewer/virt-manager connect to a vnc vm which listening on unix socket
  • BZ - 2004416 - fails to revert snapshot of a VM [balloon/page-poison]
  • BZ - 2004812 - [WRB][QEMU-6.1.50]Hit error "Driver 'copy-before-write' is not whitelisted" when execute "blockdev-backup"
  • BZ - 2007129 - pcie hotplug emulation has various problems due to insufficient state tracking
  • BZ - 2009236 - Qemu coredump when backup with x-perf
  • BZ - 2012385 - virt-host-validate: Detection results of AMD SEV is not expected
  • BZ - 2012802 - Rebase libvirt in RHEL 8.6.0
  • BZ - 2012806 - Rebase libvirt-python in RHEL 8.6.0
  • BZ - 2012813 - Rebase perl-Sys-Virt in RHEL 8.6.0
  • BZ - 2013916 - virt-sparsify fails with the error: Backing file specified without backing format
  • BZ - 2017928 - [incremental_backup] Expose scratch disk allocation (wr_highest_offset) in the API
  • BZ - 2018173 - There is nbdkit curl error info if convert a guest from VMware without vddk by administrator account
  • BZ - 2018392 - [rebase] update seabios to nov '21 release
  • BZ - 2020630 - qemu crash when rebooting VM with vhost-vdpa port
  • BZ - 2021778 - Qemu core dump when do full backup during system reset
  • BZ - 2022604 - Update machine type compatibility for QEMU 6.2.0 update [x86_64][RHEL-8.6.0]
  • BZ - 2022606 - Update machine type compatibility for QEMU 6.2.0 update [s390x][RHEL-8.6.0]
  • BZ - 2022607 - Update machine type compatibility for QEMU 6.2.0 update [aarch64][RHEL-8.6.0]
  • BZ - 2022608 - Update machine type compatibility for QEMU 6.2.0 update [ppc64le][RHEL-8.6.0]
  • BZ - 2023279 - Correct regexps used to fix schtasks command when the ShortDatePattern uses dots instead of / (eg. yy.M.d)
  • BZ - 2024326 - CVE-2021-3975 libvirt: segmentation fault during VM shutdown can lead to vdsm hang
  • BZ - 2024419 - virsh update-device guest --live --config: Operation not supported: cannot modify field 'address' of the disk
  • BZ - 2025769 - virt-v2v fails with the error: Backing file specified without backing format
  • BZ - 2026834 - [ppc64le]Hardly install a rhel8.6 guest with iso by manual
  • BZ - 2027208 - [virtual network][vDPA] qemu crash after hot unplug vdpa device
  • BZ - 2027716 - Rebase to QEMU 6.2.0 [rhel.8.6]
  • BZ - 2029355 - Rebase libtpms to at least 0.9.1 for 8.6
  • BZ - 2029380 - Incompatibilities between 8.5 virsh and libvirtd from virt:av
  • BZ - 2029582 - [8.6] machine types: 6.2: Fix prefer_sockets
  • BZ - 2029612 - Rebase swtpm to at least 0.7.0 for rhel-8.6
  • BZ - 2029647 - The flag Sys::Virt::NWFilterBinding::CREATE_VALIDATE does not work
  • BZ - 2030119 - [aarch64]: virsh xml operation slow down on libvirt-7.10.0-1
  • BZ - 2030435 - Libvirt does not report SEV metadata needed to calculate guest measurement
  • BZ - 2030437 - Error using NULL monitor when querying launch security info for shutoff guest
  • BZ - 2030438 - virDomainGetLaunchSecurityInfo and virNodeGetSEVInfo are not exposed in virsh
  • BZ - 2031035 - Add rhel-8.6.0 machine types for RHEL 8.6 [x86]
  • BZ - 2031039 - Add rhel-8.6.0 machine types for RHEL 8.6 [aarch64]
  • BZ - 2031041 - Add rhel-8.6.0 machine types for RHEL 8.6 [ppc64le]
  • BZ - 2033279 - [wrb][qemu-kvm 6.2] The hot-unplugged device can not be hot-plugged back
  • BZ - 2034602 - CVE-2021-4145 QEMU: NULL pointer dereference in mirror_wait_on_conflicts() in block/mirror.c
  • BZ - 2035002 - CVE-2021-4158 QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
  • BZ - 2035177 - v2v conversion is failed with PCI: slot 2 function 0 not available for virtio-scsi-pci, in use by virtio-net-pci [code=1 int1=-1]
  • BZ - 2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
  • BZ - 2035237 - devices not removed from the definition after hot-unplug when JSON syntax for -device is used
  • BZ - 2035714 - libvirtd crashed when start->reload->restart libvirtd
  • BZ - 2036178 - Qemu core dumped when do block-stream to a snapshot node on non-enough space storage
  • BZ - 2037135 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
  • BZ - 2041480 - [incremental_backup] Inconsistent block status reply in qemu-nbd
  • BZ - 2041610 - virt-install: "ERROR internal error: cannot parse process status data for pid" on guest reboot
  • BZ - 2043584 - Snapshot-revert failed with 'cause is unknown' error
  • BZ - 2045945 - Can't build nbdkit packages from src nbdkit-1.24.0-3.module+el8.6.0 package
  • BZ - 2046172 - Possible hang or crash of libvirtd/virtqemud when starting a VM and device mapper is not available
  • BZ - 2050324 - CVE-2022-0485 libnbd: nbdcopy: missing error handling may create corrupted destination image
  • BZ - 2050697 - Libvirt does not validate domain XML on migration
  • BZ - 2050702 - Libvirt can't start a guest if virtio-mem/virtio-pmem is on PCI bus != 0
  • BZ - 2054597 - Do operation to disk will hang in the guest of target host after hotplugging and migrating
  • BZ - 2059311 - Guest can not start with SLIC acpi table
  • BZ - 2065314 - Demote netcat to Recommends