Red Hat OpenShift 2.4.0 Important Security: Man-in-the-Middle Attack

Red Hat, July 28, 2020
Red Hat OpenShift Virtualization 2.4.0 introduces crucial security patches addressing significant vulnerabilities and bugs. Protect your environment today.
Red Hat OpenShift Virtualization release 2.4.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
Security Fix(es):
* kubevirt: VMIs can be used to access host files (CVE-2020-14316)
* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update also fixes several bugs and adds various enhancements.
This advisory contains the following OpenShift Virtualization 2.4.0 images:
RHEL-7-CNV-2.4
==============
kubevirt-ssp-operator-container-v2.4.0-71

RHEL-8-CNV-2.4
==============
virt-cdi-controller-container-v2.4.0-29
virt-cdi-uploadproxy-container-v2.4.0-29
hostpath-provisioner-container-v2.4.0-25
virt-cdi-operator-container-v2.4.0-29
kubevirt-metrics-collector-container-v2.4.0-18
cnv-containernetworking-plugins-container-v2.4.0-36
kubevirt-kvm-info-nfd-plugin-container-v2.4.0-18
hostpath-provisioner-operator-container-v2.4.0-31
virt-cdi-uploadserver-container-v2.4.0-29
virt-cdi-apiserver-container-v2.4.0-29
virt-controller-container-v2.4.0-58
virt-cdi-cloner-container-v2.4.0-29
kubevirt-template-validator-container-v2.4.0-21
vm-import-operator-container-v2.4.0-21
kubernetes-nmstate-handler-container-v2.4.0-37
node-maintenance-operator-container-v2.4.0-27
virt-operator-container-v2.4.0-58
kubevirt-v2v-conversion-container-v2.4.0-23
cnv-must-gather-container-v2.4.0-73
virtio-win-container-v2.4.0-15
kubevirt-cpu-node-labeller-container-v2.4.0-19
ovs-cni-plugin-container-v2.4.0-37
kubevirt-vmware-container-v2.4.0-21
hyperconverged-cluster-operator-container-v2.4.0-70
virt-handler-container-v2.4.0-58
virt-cdi-importer-container-v2.4.0-29
virt-launcher-container-v2.4.0-58
kubevirt-cpu-model-nfd-plugin-container-v2.4.0-17
virt-api-container-v2.4.0-58
ovs-cni-marker-container-v2.4.0-38
kubemacpool-container-v2.4.0-39
cluster-network-addons-operator-container-v2.4.0-38
bridge-marker-container-v2.4.0-39
vm-import-controller-container-v2.4.0-21
hco-bundle-registry-container-v2.3.0-497

References

https://access.redhat.com/security/cve/CVE-2018-7263
https://access.redhat.com/security/cve/CVE-2018-9251
https://access.redhat.com/security/cve/CVE-2018-14404
https://access.redhat.com/security/cve/CVE-2018-18074
https://access.redhat.com/security/cve/CVE-2018-19519
https://access.redhat.com/security/cve/CVE-2018-20060
https://access.redhat.com/security/cve/CVE-2018-20337
https://access.redhat.com/security/cve/CVE-2018-20852
https://access.redhat.com/security/cve/CVE-2019-1547
https://access.redhat.com/security/cve/CVE-2019-1549
https://access.redhat.com/security/cve/CVE-2019-1563
https://access.redhat.com/security/cve/CVE-2019-3016
https://access.redhat.com/security/cve/CVE-2019-3825
https://access.redhat.com/security/cve/CVE-2019-3843
https://access.redhat.com/security/cve/CVE-2019-3844
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5436
https://access.redhat.com/security/cve/CVE-2019-5481
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-8457
https://access.redhat.com/security/cve/CVE-2019-11236
https://access.redhat.com/security/cve/CVE-2019-11324
https://access.redhat.com/security/cve/CVE-2019-12447
https://access.redhat.com/security/cve/CVE-2019-12448

Package List


Severity: Important

Advisory ID: RHSA-2020:3194-01
Product: Container-native Virtualization
Issue date: 2020-07-28
Keywords: cnv,kubevirt,virtualization

Topic

Red Hat OpenShift Virtualization release 2.4.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1684772 - virt-launcher images do not have the edk2-ovmf package installed

1716329 - missing Status, Version and Label for a number of CNV components, and Status term inconsistency

1724978 - [RFE][v2v] Improve the way we display progress percent in UI

1725672 - CDI: getting error with "unknown reason" when trying to create UploadTokenRequest for a none existing pvc

1727117 - [RFE] Reduce installed libvirt components

1780473 - Delete VM is hanging if the corresponding template does not exist anymore

1787213 - KubeMacpool may not work from time to time since it is skipped when we face certificate issue.

1789564 - Failed to allocate a SRIOV VF to VMI

1795889 - internal IP shown on VMI spec instead of public one on VMI with guest-agent

1796342 - VM Failing to start since hard disk not ready

1802554 - [SSP] cpu-feature-lahf_lm and Conroe are enabled on one worker (test issue)

1805044 - No mem/filesystem/Network Utilization in VM overview

1806288 - [CDI] fails to import images that comes from url that reject HEAD requests

1806436 - [SSP] Windows common templates - Windows10 should be removed from windows-server* templates, windows-server* should not have desktop version

1811111 - All the VM templates are visible in the developer catalog but not really/easily instantiable

1811417 - Failed to install cnv-2.4 on top of ocp 4.4 (hco operator in crashLoopBackOff state)
