Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update

Related Vulnerabilities: CVE-2021-3807   CVE-2021-23425   CVE-2021-33502   CVE-2021-41182   CVE-2021-41183   CVE-2021-41184  

Source

Synopsis

Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
  • nodejs-trim-off-newlines: ReDoS via string processing (CVE-2021-23425)
  • normalize-url: ReDoS for data URLs (CVE-2021-33502)
  • jquery-ui: XSS in the altField option of the datepicker widget (CVE-2021-41182)
  • jquery-ui: XSS in *Text options of the datepicker widget (CVE-2021-41183)
  • jquery-ui: XSS in the 'of' option of the .position() util (CVE-2021-41184)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A list of bugs fixed in this update is available in the Technical Notes book:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 655153 - [RFE] confirmation prompt when suspending a virtual machine - webadmin
  • BZ - 977778 - [RFE] - Mechanism for converting disks for non-running VMS
  • BZ - 1624015 - [RFE] Expose Console Options and Console invocation via API
  • BZ - 1648985 - VM from VM-pool which is already in use by a SuperUser is presented to another User with UserRole permission who can shutdown the VM.
  • BZ - 1667517 - [RFE] add VM Portal setting for set screen mode
  • BZ - 1687845 - Multiple notification for one time host activation
  • BZ - 1781241 - missing ?connect automatically? option in vm portal
  • BZ - 1782056 - [RFE] Integration of built-in ipsec feature in RHV/RHHI-V with OVN
  • BZ - 1849169 - [RFE] add virtualCPUs/physicalCPUs ratio property to evenly_distributed policy
  • BZ - 1878930 - [RFE] Provide warning event if MAC Address Pool free and available addresses are below threshold
  • BZ - 1922977 - [RFE] VM shared disks are not part of the OVF_STORE
  • BZ - 1926625 - [RFE] How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD for Red Hat Virtualization Manager
  • BZ - 1927985 - [RFE] Speed up export-to-OVA on NFS by aligning loopback device offset
  • BZ - 1944290 - URL to change the password is not shown properly
  • BZ - 1944834 - [RFE] Timer for Console Disconnect Action - Shutdown VM after N minutes of being disconnected (Webadmin-only)
  • BZ - 1956295 - Template import from storage domain fails when quota is enabled.
  • BZ - 1959186 - Enable assignment of user quota when provisioning from a non-blank template via rest-api
  • BZ - 1964208 - [RFE] add new feature for VM's screenshot on RestAPI
  • BZ - 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
  • BZ - 1971622 - Incorrect warning displayed: "The VM CPU does not match the Cluster CPU Type"
  • BZ - 1974741 - Disk images remain in locked state if the HE VM is rebooted during a image transfer
  • BZ - 1979441 - High Performance VMs always have "VM CPU does not match the cluster CPU Type" warning
  • BZ - 1979797 - Ask user for confirmation when the deleted storage domain has leases of VMs that has disk in other SDs
  • BZ - 1980192 - Network statistics copy a U64 into DECIMAL(18,4)
  • BZ - 1986726 - VM imported from OVA gets thin provisioned disk despite of allocation policy set as 'preallocated'
  • BZ - 1986834 - [DOCS] add nodejs and maven to list of subscription streams to be enabled in RHVM installation
  • BZ - 1987121 - [RFE] Support enabling nVidia Unified Memory on mdev vGPU
  • BZ - 1988496 - vmconsole-proxy-helper.cer is not renewed when running engine-setup
  • BZ - 1990462 - [RFE] Add user name and password to ELK integration
  • BZ - 1991240 - Assign user quota when provisioning from a non-blank template via web-ui
  • BZ - 1995793 - CVE-2021-23425 nodejs-trim-off-newlines: ReDoS via string processing
  • BZ - 1996123 - ovf stores capacity/truesize on the storage does not match values in engine database
  • BZ - 1998255 - [RFE] [UI] Add search box for vNIC Profiles in RHVM WebUI on the main vNIC profiles tab
  • BZ - 1999698 - ssl.conf modifications of engine-setup do not conform to best practices (according to red hat insights)
  • BZ - 2000031 - SPM host is rebooted multiple times when engine recovers the host
  • BZ - 2002283 - Make NumOfPciExpressPorts configurable via engine-config
  • BZ - 2003883 - Failed to update the VFs configuration of network interface card type 82599ES and X520
  • BZ - 2003996 - ovirt_snapshot module fails to delete snapshot when there is a "Next Run configuration snapshot"
  • BZ - 2006602 - vm_statistics table has wrong type for guest_mem_* columns.
  • BZ - 2006745 - [MBS] Template disk Copy from data storage domain to Managed Block Storage domain is failing
  • BZ - 2007384 - Failed to parse 'writeRate' value xxxx to integer: For input string: xxxx
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2008798 - Older name rhv-openvswitch is not checked in ansible playbook
  • BZ - 2010203 - Log analyzer creates faulty VM unmanaged devices report
  • BZ - 2010903 - I/O operations/sec reporting wrong values
  • BZ - 2013928 - Log analyzer creates faulty non default vdc_option report
  • BZ - 2014888 - oVirt executive dashboard/Virtual Machine dashboard does not actually show disk I/O operations per second, but it shows sum of I/o operations since the boot time of VM
  • BZ - 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied
  • BZ - 2019144 - CVE-2021-41182 jquery-ui: XSS in the altField option of the datepicker widget
  • BZ - 2019148 - CVE-2021-41183 jquery-ui: XSS in *Text options of the datepicker widget
  • BZ - 2019153 - CVE-2021-41184 jquery-ui: XSS in the 'of' option of the .position() util
  • BZ - 2021217 - [RFE] Windows 2022 support
  • BZ - 2023250 - [RFE] Use virt:rhel module instead of virt:av in RHEL 8.6+ to get advanced virtualization packages
  • BZ - 2023786 - RHV VM with SAP monitoring configuration does not fail to start if the Host is missing vdsm-hook-vhostmd
  • BZ - 2024202 - RHV Dashboard does not show memory and storage details properly when using Spanish language.
  • BZ - 2025936 - metrics configuration playbooks failing due to rhel-system-role last refactor
  • BZ - 2030596 - [RFE] RHV Manager should support running on a host with the PCI-DSS security profile applied
  • BZ - 2030663 - Update Network statistics types in DWH
  • BZ - 2031027 - The /usr/share/ovirt-engine/ansible-runner-service-project/inventory/hosts fails rpm verification
  • BZ - 2035051 - removing nfs-utils cause ovirt-engine removal due to cinderlib dep tree
  • BZ - 2037115 - rhv-image-discrepancies (rhv-log-collector-analyzer-1.0.11-1.el8ev) tool continues flags OVF_STORE volumes.
  • BZ - 2037121 - RFE: Add Data Center and Storage Domain name in the rhv-image-discrepancies tool output.
  • BZ - 2040361 - Hotplug VirtIO-SCSI disk fails with error "Domain already contains a disk with that address" when IO threads > 1
  • BZ - 2040402 - unable to use --log-size=0 option
  • BZ - 2040474 - [RFE] Add progress tracking for Cluster Upgrade
  • BZ - 2041544 - Admin GUI: Making selection of host while uploading disk it will immediately replace it with the first active host in the list.
  • BZ - 2043146 - Expired /etc/pki/vdsm/libvirt-vnc/server-cert.pem certificate is skipped during Enroll Certificate
  • BZ - 2044273 - Remove the RHV Guest Tools ISO image upload option from engine-setup
  • BZ - 2048546 - sosreport command should be replaced by sos report
  • BZ - 2050566 - Upgrade ovirt-log-collector to 4.4.5
  • BZ - 2050614 - Upgrade rhvm-setup-plugins to 4.5.0
  • BZ - 2051857 - Upgrade rhv-log-collector-analizer to 1.0.13
  • BZ - 2052557 - RHV fails to release mdev vGPU device after VM shutdown
  • BZ - 2052690 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine
  • BZ - 2054756 - [welcome page] Add link to MTV guide
  • BZ - 2055136 - virt module is not changed to the correct stream during host upgrade
  • BZ - 2056021 - [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key
  • BZ - 2056052 - RHV-H w/ PCI-DSS profile causes OVA export to fail
  • BZ - 2056126 - [RFE] Extend time to warn of upcoming certificate expiration
  • BZ - 2058264 - Export as OVA playbook gets stuck with 'found an incomplete artifacts directory...Possible ansible_runner error?'
  • BZ - 2059521 - [RFE] Upgrade to ansible-core-2.12 in ovirt-engine-metrics
  • BZ - 2059877 - [DOCS][Upgrade] Update RHVM update procedure in Upgrade guide
  • BZ - 2061904 - Unable to attach a RHV Host back into cluster after removing due to networking
  • BZ - 2065052 - [TRACKER] Upgrade to ansible-core-2.12 in RHV 4.4 SP1
  • BZ - 2066084 - vmconsole-proxy-user certificate expired - cannot access serial console
  • BZ - 2066283 - Upgrade from RHV 4.4.10 to RHV 4.5.0 is broken
  • BZ - 2069972 - [Doc][RN]Add cluster-level 4.7 to compatibility table
  • BZ - 2070156 - [TESTONLY] Test upgrade from ovirt-engine-4.4.1
  • BZ - 2071468 - Engine fenced host that was already reconnected and set to Up status.
  • BZ - 2072637 - Build and distribute python38-daemon in RHV channels
  • BZ - 2072639 - Build and distribute ansible-runner in RHV channels
  • BZ - 2072641 - Build and distribute python38-docutils in RHV channels
  • BZ - 2072642 - Build and distribute python38-lockfile in RHV channels
  • BZ - 2072645 - Build and distribute python38-pexpect in RHV channels
  • BZ - 2072646 - Build and distribute python38-ptyprocess in RHV channels
  • BZ - 2075352 - upgrading RHV-H does not renew certificate

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started