Moderate: OpenShift Virtualization 4.11.1 security and bug fix update

Synopsis

Moderate: OpenShift Virtualization 4.11.1 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

Security Fix(es):

  • golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)
  • golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
  • golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
  • golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api (BZ#2033191)
  • Restart of VM Pod causes SSH keys to be regenerated within VM (BZ#2087177)
  • Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR (BZ#2089391)
  • [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass (BZ#2098225)
  • Fedora version in DataImportCrons is not 'latest' (BZ#2102694)
  • [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted (BZ#2109407)
  • CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls (BZ#2110562)
  • Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based (BZ#2112643)
  • Unable to start windows VMs on PSI setups (BZ#2115371)
  • [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 (BZ#2128997)
  • Mark Windows 11 as TechPreview (BZ#2129013)
  • 4.11.1 rpms (BZ#2139453)

This advisory contains the following OpenShift Virtualization 4.11.1 images.

RHEL-8-CNV-4.11

virt-cdi-operator-container-v4.11.1-5
virt-cdi-uploadserver-container-v4.11.1-5
virt-cdi-apiserver-container-v4.11.1-5
virt-cdi-importer-container-v4.11.1-5
virt-cdi-controller-container-v4.11.1-5
virt-cdi-cloner-container-v4.11.1-5
virt-cdi-uploadproxy-container-v4.11.1-5
checkup-framework-container-v4.11.1-3
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7
kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7
kubevirt-template-validator-container-v4.11.1-4
virt-handler-container-v4.11.1-5
hostpath-provisioner-operator-container-v4.11.1-4
virt-api-container-v4.11.1-5
vm-network-latency-checkup-container-v4.11.1-3
cluster-network-addons-operator-container-v4.11.1-5
virtio-win-container-v4.11.1-4
virt-launcher-container-v4.11.1-5
ovs-cni-marker-container-v4.11.1-5
hyperconverged-cluster-webhook-container-v4.11.1-7
virt-controller-container-v4.11.1-5
virt-artifacts-server-container-v4.11.1-5
kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7
kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7
libguestfs-tools-container-v4.11.1-5
hostpath-provisioner-container-v4.11.1-4
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7
kubevirt-tekton-tasks-copy-template-container-v4.11.1-7
cnv-containernetworking-plugins-container-v4.11.1-5
bridge-marker-container-v4.11.1-5
virt-operator-container-v4.11.1-5
hostpath-csi-driver-container-v4.11.1-4
kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7
kubemacpool-container-v4.11.1-5
hyperconverged-cluster-operator-container-v4.11.1-7
kubevirt-ssp-operator-container-v4.11.1-4
ovs-cni-plugin-container-v4.11.1-5
kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7
kubevirt-tekton-tasks-operator-container-v4.11.1-2
cnv-must-gather-container-v4.11.1-8
kubevirt-console-plugin-container-v4.11.1-9
hco-bundle-registry-container-v4.11.1-49

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 4.11 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 4.11 for RHEL 7 x86_64

Fixes

  • BZ - 2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api
  • BZ - 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
  • BZ - 2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML
  • BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
  • BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
  • BZ - 2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM
  • BZ - 2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR
  • BZ - 2091856 - "Edit BootSource" action should have more explicit information when disabled
  • BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
  • BZ - 2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass
  • BZ - 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
  • BZ - 2102694 - Fedora version in DataImportCrons is not 'latest'
  • BZ - 2109407 - [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted
  • BZ - 2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
  • BZ - 2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based
  • BZ - 2115371 - Unable to start windows VMs on PSI setups
  • BZ - 2119613 - GiB changes to B in Template's Edit boot source reference modal
  • BZ - 2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass
  • BZ - 2128872 - [4.11]Can't restore cloned VM
  • BZ - 2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
  • BZ - 2129013 - Mark Windows 11 as TechPreview
  • BZ - 2129235 - [RFE] Add "Copy SSH command" to VM action list
  • BZ - 2134668 - Cannot edit ssh even vm is stopped
  • BZ - 2139453 - 4.11.1 rpms