Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update

Synopsis

Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.0 images.

Security Fix(es):

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)
  • golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
  • golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Container Native Virtualization 4.13 for RHEL 9 x86_64

Fixes

  • BZ - 2023393 - [CNV] [UI] Additional information needed for cloning when default storageclass is not defined in target datavolume
  • BZ - 2029391 - VM status flipping between Paused and Running
  • BZ - 2052556 - Metric "kubevirt_num_virt_handlers_by_node_running_virt_launcher" reporting incorrect value
  • BZ - 2060499 - [RFE] Cannot add additional service (or other objects) to VM template
  • BZ - 2070132 - [RFE][CNV] Ability to export and import virtual machines disks between clusters
  • BZ - 2087540 - [RFE] Improve CPU info
  • BZ - 2101390 - Easy to miss the "tick" when adding GPU device to vm via UI
  • BZ - 2104424 - Enable descheduler or hide it on template's scheduling tab
  • BZ - 2104479 - [4.12] Cloned VM's snapshot restore fails if the source VM disk is deleted
  • BZ - 2104859 - [RFE] Add "Copy SSH command" to VM action list
  • BZ - 2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
  • BZ - 2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi)
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2114922 - Can run with host-Model cpuModel even if it is in ObsoleteCPUModels
  • BZ - 2116562 - NodeNetworkConfigurationPolicy "ERROR: State editing already in progress. Commit, roll back or wait before retrying"
  • BZ - 2117803 - Cannot edit ssh even vm is stopped
  • BZ - 2122119 - Virtual machine fails to start with error "Unable to use native AIO: failed to create linux AIO context: Resource temporarily unavailable"
  • BZ - 2122168 - Error while running virtctl - GLIBC_2.34 is not found in the package of virtctl - which is required by virtctl
  • BZ - 2123209 - CNV runs non-root VMs by default, which removes cap_sys_nice from the launchers and causes real-time VMs to fail to boot
  • BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2132873 - VM is removed before virt-launcher pod exits, new VM with same name points to old VMI/virt-launcher pod still terminating
  • BZ - 2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
  • BZ - 2138199 - Win11 and Win22 templates are not filtered properly by Template provider
  • BZ - 2138653 - Saving Template parameters reloads the page
  • BZ - 2138664 - VM that was created with SSH key fails to start
  • BZ - 2139235 - unlike other CNV components, Kubevirt uses its own cipher for tls 1.2
  • BZ - 2139257 - Cannot add disk via "Using an existing PVC"
  • BZ - 2139260 - Clone button is disabled while VM is running
  • BZ - 2139293 - Non-admin user cannot load VM list page
  • BZ - 2139296 - Non-admin cannot load MigrationPolicies page
  • BZ - 2139299 - No auto-generated VM name while creating VM by non-admin user
  • BZ - 2139306 - Non-admin cannot create VM via customize mode
  • BZ - 2139479 - virtualization overview crashes for non-priv user
  • BZ - 2139574 - VM name gets "emptyname" if click the create button quickly
  • BZ - 2139651 - non-priv user can click create when have no permissions
  • BZ - 2139687 - catalog shows template list for non-priv users
  • BZ - 2139820 - non-priv user can't reach VM details
  • BZ - 2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user
  • BZ - 2140977 - Alerts number is not correct on Virtualization overview
  • BZ - 2140982 - The base template of cloned template is "Not available"
  • BZ - 2140998 - Incorrect information shows in overview page per namespace
  • BZ - 2142511 - Enhance alerts card in overview
  • BZ - 2143039 - Some liveMigrationConfig options cannot be used for cluster-wide setting
  • BZ - 2143498 - Could not load template while creating VM from catalog
  • BZ - 2143716 - [4.13]VMExport: fix DV Error message when trying to import without certConfigMap and secretExtraHeaders
  • BZ - 2144580 - "?" icon is too big in VM Template Disk tab
  • BZ - 2145092 - "No MigrationPolicies are defined yet" flash by on MigrationPolicies page
  • BZ - 2145126 - Cant start VM with "clock" virtualMachinePreference
  • BZ - 2145137 - Machine type is not updated to rhel9.2.0 in Templates
  • BZ - 2145223 - VM with missing source datasource pvc is started without any error messages
  • BZ - 2147582 - Add Y axis to all graphs under metrics tab (same as Pod metrics tab)
  • BZ - 2148322 - Add help text to DataImportCron
  • BZ - 2148849 - The help text of items in DataSource details page includes incorrect url link
  • BZ - 2148850 - Help text is missing in MigrationPolicies details page
  • BZ - 2149118 - virt-handler leaks VNC sockets
  • BZ - 2149201 - Incorrect pending changes warning about memory and CPU while starting a VM in a namespace with limitranges
  • BZ - 2149227 - VMs requiring vTPM fails to create
  • BZ - 2149897 - The context menu of the serial console does not contain a paste command
  • BZ - 2150364 - Deletion of VM deletes referenced secret
  • BZ - 2150653 - VMExport for VMSnapshot - volume names should be the same as the VMs volume names
  • BZ - 2150832 - vCPU number is not correct in Virtualization -> Overview
  • BZ - 2151053 - The scripts tab of Windows VM cannot be saved
  • BZ - 2151056 - Improve descriptive text of cloud-init and ssh-key
  • BZ - 2151427 - Virtualization -> Overview is crashed when creating VM in other browser session
  • BZ - 2151508 - Add login username to virtctl ssh command
  • BZ - 2151521 - No username set in cloud-init in the template example yaml
  • BZ - 2151759 - "No available boot source" shows while creating VM from upload image
  • BZ - 2151766 - "No available boot source" shows while creating VM from existing PVC
  • BZ - 2151831 - Time format in VM utilization card is not correct
  • BZ - 2152122 - VM can't start if disk io is default
  • BZ - 2152534 - Default CPU request in namespace limitrange takes precedence over the VMs configured vCPU
  • BZ - 2152537 - [4.13]Better to have a more friendly error when missing storage size in clone
  • BZ - 2155403 - ssh related information displayed in OpenShift console for Windows VMs created from template
  • BZ - 2155409 - PVC details page crashing
  • BZ - 2155796 - windows10-installer contains upstream example url
  • BZ - 2156392 - In the VM latency checkup, the max_desired_latency_milliseconds field has no meaning when the measured latency is less than 1[ms]
  • BZ - 2156902 - VM latency checkup - Checkup not performing a teardown in case of setup failure
  • BZ - 2158060 - [console] Source project list for selecting existing PVC is not sorted alphabetically
  • BZ - 2158079 - "Storage" and "?" are not aligned in customize wizard (Firefox only)
  • BZ - 2158362 - PVC should be filtered by status in pvc dropdown list while creating vm or adding disk
  • BZ - 2158424 - Cannot select Network Attachment Definitions from the global namespaces
  • BZ - 2158515 - Guestfs image url not constructed correctly
  • BZ - 2159715 - VM Memory does not show in details card of overview or details tab
  • BZ - 2159975 - The prefix "docker://docker://" was added to the container image while editing the rootdisk (registry)
  • BZ - 2160298 - YAML Switcher text should be just "YAML"
  • BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
  • BZ - 2161340 - HCO taking long to reconcile ConsolePlugin kubevirt-plugin
  • BZ - 2162016 - hostpath provisioner operator consuming stray k8s API
  • BZ - 2162333 - PVC created using non default storage class on fresh cluster
  • BZ - 2163460 - Can't set resources.requests.memory when using instance type
  • BZ - 2164590 - VM with InstanceType validation webhook when checking hugepage size
  • BZ - 2164807 - Migration metrics values are not sum up values from all VMIs
  • BZ - 2164814 - [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
  • BZ - 2164838 - KubeVirtComponentExceedsRequestedMemory Alert for virt-api pod
  • BZ - 2165618 - Overhead of management layer in virt-launcher is not calculated accurately
  • BZ - 2165943 - Error While applying Migration Policy
  • BZ - 2166165 - Two elements about vm-name-input shows on VM creation page
  • BZ - 2166394 - cdi.kubevirt.io/storage.bind.immediate.requested is not propagated down to the DataVolume if set on an existing DataImportCronTemplate
  • BZ - 2166507 - The loading time of Virtualization -> Overview -> Settings page is a bit longer
  • BZ - 2166508 - Virtualization -> Overview -> Settings page is crashed when the user have no permission to list network-attachment-definitions
  • BZ - 2166512 - VM can't start because of requests/limits CPU number mismatch after adding the overallocated one
  • BZ - 2167012 - Unable to create a vm with network bridge
  • BZ - 2167226 - Sorting Network Interface by 'Network' or 'Type' does not work.
  • BZ - 2167251 - Virtualization -> Overview page is crashed
  • BZ - 2167661 - Alerts card always shows the "Info" count although it is 0
  • BZ - 2167979 - qemu.log are no longer getting collected for cnv must-gather (vm gather) in 4.13.0
  • BZ - 2168032 - Error happens while selecting ssh types between "SSH over NodePort" and "SSH over LoadBalancer"
  • BZ - 2168111 - VM template loses storage information if a required parameter has no value
  • BZ - 2168165 - [4.13]preallocation is always applied when importing image to block storage
  • BZ - 2168180 - Correct the pod name of kubevirt-console-plugin from `kubevirt-plugin-xxx` to `kubevirt-console-plugin-xxx`
  • BZ - 2168480 - VM -> Metrics tab: "Virtualization dashboard" link is wrong
  • BZ - 2168484 - VM -> Metrics tab: Add dates to the X axis
  • BZ - 2168486 - "Restore template settings" is disabled while editing VM's CPU/Mem
  • BZ - 2168488 - Add text to VM workload profile
  • BZ - 2168561 - Storage IOPS card in VM Metrics has wrong case
  • BZ - 2168770 - "Not migratable" label should only be added to running VM
  • BZ - 2168859 - Cannot attach an existing secret while creating the VM as a regular user
  • BZ - 2168861 - "Attach existing sysprep" should not try to get resource at cluster scope when logged in with regular user
  • BZ - 2169699 - [e2e] Add data-test-id for SSH service type
  • BZ - 2169880 - virt-handler should not delete any pre-configured mediated devices if these are provided by an external provider
  • BZ - 2170703 - "Filter by keyword" not working in catalog
  • BZ - 2170740 - Deleting vm with --cascade=orphan is not working properly
  • BZ - 2171395 - virt-controller crashes because of out-of-bound slice access in evacuation controller
  • BZ - 2172371 - "Restore template settings" change the memory to zero if the VM has no template
  • BZ - 2172375 - Error happens while deleting secret from VM
  • BZ - 2172612 - [4.13] VMSnapshot and WaitForFirstConsumer storage: VMRestore is not Complete
  • BZ - 2172842 - Fix "Templates project" and "Templates catalog"
  • BZ - 2172952 - Cannot change first vNIC to virtio in "Review and create VirtualMachine"
  • BZ - 2173527 - VM details: Machine type- should it be just q35 or everything?
  • BZ - 2173562 - The "play" button is not clickable in the mini console
  • BZ - 2173563 - The "YAML view" position is not consistent in VM tabs
  • BZ - 2173593 - Virtualization -> Overview -> Top-consumers is crashed
  • BZ - 2173595 - Cluster reader cannot view VM list page
  • BZ - 2174288 - No storageClass is selected by default while adding/editing a disk
  • BZ - 2174324 - "Add" should be "Add volume" in Bootable volumes page
  • BZ - 2174334 - VM's disk is not deleted along with the VM if the VM is created from upload image
  • BZ - 2174619 - No boot order items while editing the boot order
  • BZ - 2174636 - Visit Virtualization -> Overview -> Migrations crashes the app
  • BZ - 2174742 - Machine type is not updated to rhel9.2.0 in KV CR
  • BZ - 2175054 - Delete bootable volume crashes the page
  • BZ - 2175171 - Internal workaround for nonRoot->Root FG on Kubevirt
  • BZ - 2175256 - Error when accessing Catalog page
  • BZ - 2175274 - Error after trying to edit VM CPU | Memory field in VM Details
  • BZ - 2175571 - [RFE] Sort templates in grid view
  • BZ - 2175601 - Cannot select Network Attachment Definitions from the global namespaces
  • BZ - 2175636 - VMI with x86_Icelake fail when mpx feature is missing
  • BZ - 2175641 - Add volume from existing PVC not working
  • BZ - 2175643 - The "Add volume" button has a loading time in "Bootable volumes" page
  • BZ - 2175888 - [cnv-4.13] Mark Windows 11 as TechPreview
  • BZ - 2175890 - [cnv-4.13] Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11
  • BZ - 2175974 - The default rows of volume table should at least include all default volumes
  • BZ - 2175976 - "Select InstanceType" should show the volume's default instanceType
  • BZ - 2175977 - The Create VM button should be disabled until everything is selected
  • BZ - 2175979 - "Cores" should be "CPU" in instanceTypes page
  • BZ - 2175983 - Improve the delete button and the text on delete modal for bootable volumes
  • BZ - 2175985 - "Clone existing PVC ?" should be accessible on hover
  • BZ - 2175986 - Improve message when different storageclass is selected
  • BZ - 2175988 - Remove descriptive text of the volume name
  • BZ - 2176353 - Cannot enable headless mode in catalog
  • BZ - 2176355 - Show a reason on VM console tab when headless mode is ON
  • BZ - 2176422 - getting wrong error message when trying to upload dv when pvc already exist
  • BZ - 2176706 - Click the item link in Pending Changes get a blank page below
  • BZ - 2176708 - The disk name "Make Persistent disk" in "Pending Changes" should be the actual disk name
  • BZ - 2176725 - "Start this VirtualMachine after creation" is not carried over to next dialog during VM creation
  • BZ - 2176753 - Remove the dashed line from the Configurations in MigrationPolicy details page
  • BZ - 2176804 - VM created with instanceType from UI cannot be started due to secret missing
  • BZ - 2176843 - "No bootable device" shows in VM console if it's created with instanceType
  • BZ - 2177091 - Edit buttons are added to "Hardware devices" in quick creation page but not editable
  • BZ - 2177578 - Set width for columns in volume list tab
  • BZ - 2177586 - No pod networking added to the VM while creating it from instanceType
  • BZ - 2177589 - Preference in Virt -> Bootable volumes -> Add volume modal is not sorted
  • BZ - 2177668 - [DPDK latency checkup] Traffic generator cannot start due to multiple environment vars with PCIDEVICE_ prefix
  • BZ - 2177763 - clusterInstanceType and clusterPreference show in "get all" command
  • BZ - 2177888 - VM with cpu.cores and memory.guest raises false notification
  • BZ - 2177961 - 'GiB' is displayed incompletely
  • BZ - 2177973 - Add "CloneInProgress" badge to volumes while they are still being cloned
  • BZ - 2178037 - VM termination stuck until instancetype/preference revisionName is cleared
  • BZ - 2178628 - VM mutator panics when inferring instancetype from DataSource without specifying namespace
  • BZ - 2178629 - [DPDK latency checkup] Traffic generator cannot start due to error in scappy server
  • BZ - 2179225 - Improve "Use existing secret" in catalog -> instanceTypes
  • BZ - 2179226 - Improve the name of "Add new" secret in catalog -> instanceTypes
  • BZ - 2179565 - VM Overview card links are broken
  • BZ - 2179626 - Filter can not be cleared in VM Diagnostic tab
  • BZ - 2179811 - Sometimes the preference list is empty in Bootable volumes -> Add volume modal
  • BZ - 2180146 - upgrade cnv from 4.12.1 to v4.13.0.rhel9-1819 is stuck
  • BZ - 2180279 - VM cannot be started while creating from a template which has 2nd disk added
  • BZ - 2180553 - Cannot remove description from volume
  • BZ - 2180853 - The console goes blank after trying to clone a virtual machine
  • BZ - 2182006 - Rename of Network Interface duplicates it, breaks VM start
  • BZ - 2182097 - "Cancel" button on instanceType should exit the flow instead of clearing data
  • BZ - 2182534 - spec.firmware.bootloader is not copied while cloning a UEFI VM
  • BZ - 2182535 - "Copy SSH command" get undefined user
  • BZ - 2182536 - The volume in instanceTypes page should be selected automatically just after it's been added
  • BZ - 2182538 - Cloned VM should not use the same PVC of the source VM
  • BZ - 2182539 - [Nonpriv] VM Memory does not show in details card of overview or details tab
  • BZ - 2182661 - Restore VM's pretty names
  • BZ - 2183026 - Console is almost frozen if scroll down and up in VM metrics tab
  • BZ - 2183205 - [DPDK latency checkup] Traffic generator cannot start due to missing dedicated ServiceAccount
  • BZ - 2183397 - Trend charts are empty when looking at "All projects"
  • BZ - 2183968 - CNV4.13 SVVP Test:job 'Check SMBIOS Table Specific Requirements' failed on win2022
  • BZ - 2186767 - VM metrics graphs are rendered incorrectly
  • BZ - 2187437 - The storageclass option is not respected in add volume modal for "Use existing volume"
  • BZ - 2187547 - non-privileged user cannot add new nic
  • BZ - 2187581 - "No data available" shows on Virtualization overview metrics chart