RedHat: RHSA-2020-3194:01 Important: Container-native Virtualization

    Date 28 Jul 2020
    Posted By LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Container-native Virtualization security, bug fix, and enhancement update
    Advisory ID:       RHSA-2020:3194-01
    Product:           Container-native Virtualization
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3194
    Issue date:        2020-07-28
    Keywords:          cnv,kubevirt,virtualization
    CVE Names:         CVE-2018-7263 CVE-2018-9251 CVE-2018-14404 
                       CVE-2018-18074 CVE-2018-19519 CVE-2018-20060 
                       CVE-2018-20337 CVE-2018-20852 CVE-2019-1547 
                       CVE-2019-1549 CVE-2019-1563 CVE-2019-3016 
                       CVE-2019-3825 CVE-2019-3843 CVE-2019-3844 
                       CVE-2019-5094 CVE-2019-5436 CVE-2019-5481 
                       CVE-2019-5482 CVE-2019-8457 CVE-2019-11236 
                       CVE-2019-11324 CVE-2019-12447 CVE-2019-12448 
                       CVE-2019-12449 CVE-2019-13232 CVE-2019-13752 
                       CVE-2019-13753 CVE-2019-14563 CVE-2019-14822 
                       CVE-2019-15847 CVE-2019-16056 CVE-2019-17451 
                       CVE-2019-18934 CVE-2019-19126 CVE-2019-19232 
                       CVE-2019-19807 CVE-2019-19923 CVE-2019-19924 
                       CVE-2019-19925 CVE-2019-19959 CVE-2019-1010180 
                       CVE-2019-1010204 CVE-2020-8616 CVE-2020-8617 
                       CVE-2020-10749 CVE-2020-10754 CVE-2020-10757 
                       CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 
                       CVE-2020-11008 CVE-2020-11080 CVE-2020-11501 
                       CVE-2020-12049 CVE-2020-12653 CVE-2020-12654 
                       CVE-2020-12662 CVE-2020-12663 CVE-2020-12888 
                       CVE-2020-13777 CVE-2020-14316 
    =====================================================================
    
    1. Summary:
    
    Red Hat OpenShift Virtualization release 2.4.0 is now available with
    updates to packages and images that fix several bugs and add enhancements.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    OpenShift Virtualization is Red Hat's virtualization solution designed for
    Red Hat OpenShift Container Platform.
    
    Security Fix(es):
    
    * kubevirt: VMIs can be used to access host files (CVE-2020-14316)
    
    * containernetworking/plugins: IPv6 router advertisements allow for MitM
    attacks on IPv4 clusters (CVE-2020-10749)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    Additional Changes:
    
    This update also fixes several bugs and adds various enhancements.
    
    This advisory contains the following OpenShift Virtualization 2.4.0 images:
    
    RHEL-7-CNV-2.4
    ==============
    kubevirt-ssp-operator-container-v2.4.0-71
    
    RHEL-8-CNV-2.4
    ==============
    virt-cdi-controller-container-v2.4.0-29
    virt-cdi-uploadproxy-container-v2.4.0-29
    hostpath-provisioner-container-v2.4.0-25
    virt-cdi-operator-container-v2.4.0-29
    kubevirt-metrics-collector-container-v2.4.0-18
    cnv-containernetworking-plugins-container-v2.4.0-36
    kubevirt-kvm-info-nfd-plugin-container-v2.4.0-18
    hostpath-provisioner-operator-container-v2.4.0-31
    virt-cdi-uploadserver-container-v2.4.0-29
    virt-cdi-apiserver-container-v2.4.0-29
    virt-controller-container-v2.4.0-58
    virt-cdi-cloner-container-v2.4.0-29
    kubevirt-template-validator-container-v2.4.0-21
    vm-import-operator-container-v2.4.0-21
    kubernetes-nmstate-handler-container-v2.4.0-37
    node-maintenance-operator-container-v2.4.0-27
    virt-operator-container-v2.4.0-58
    kubevirt-v2v-conversion-container-v2.4.0-23
    cnv-must-gather-container-v2.4.0-73
    virtio-win-container-v2.4.0-15
    kubevirt-cpu-node-labeller-container-v2.4.0-19
    ovs-cni-plugin-container-v2.4.0-37
    kubevirt-vmware-container-v2.4.0-21
    hyperconverged-cluster-operator-container-v2.4.0-70
    virt-handler-container-v2.4.0-58
    virt-cdi-importer-container-v2.4.0-29
    virt-launcher-container-v2.4.0-58
    kubevirt-cpu-model-nfd-plugin-container-v2.4.0-17
    virt-api-container-v2.4.0-58
    ovs-cni-marker-container-v2.4.0-38
    kubemacpool-container-v2.4.0-39
    cluster-network-addons-operator-container-v2.4.0-38
    bridge-marker-container-v2.4.0-39
    vm-import-controller-container-v2.4.0-21
    hco-bundle-registry-container-v2.3.0-497
    
    3. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1684772 - virt-launcher images do not have the edk2-ovmf package installed
    1716329 - missing Status, Version and Label for a number of CNV components, and Status term inconsistency
    1724978 - [RFE][v2v] Improve the way we display progress percent in UI
    1725672 - CDI: getting error with "unknown reason" when trying to create UploadTokenRequest for a none existing pvc
    1727117 - [RFE] Reduce installed libvirt components
    1780473 - Delete VM is hanging if the corresponding template does not exist anymore
    1787213 - KubeMacpool may not work from time to time since it is skipped when we face certificate issue.
    1789564 - Failed to allocate a SRIOV VF to VMI
    1795889 - internal IP shown on VMI spec instead of public one on VMI with guest-agent
    1796342 - VM Failing to start since hard disk not ready
    1802554 - [SSP] cpu-feature-lahf_lm and Conroe are enabled on one worker (test issue)
    1805044 - No mem/filesystem/Network Utilization in VM overview
    1806288 - [CDI] fails to import images that comes from url that reject HEAD requests
    1806436 - [SSP] Windows common templates - Windows10 should be removed from windows-server* templates, windows-server* should not have desktop version
    1811111 - All the VM templates are visible in the developer catalog but not really/easily instantiable
    1811417 - Failed to install cnv-2.4 on top of ocp 4.4 (hco operator in crashLoopBackOff state)
    1816518 - [SSP] Common templates - template name under objects -> metadata -> labels should be identical to the template actual name
    1817080 - node maintenance CRD is marked with NonStructuralSchema condition
    1819252 - kubevirt-ssp-operator cannot create ServiceMonitor object
    1820651 - CDI import fails using block volume (available size -1)
    1821209 - Debug log message looks unprofessional
    1822079 - nmstate-handler fails to start and keeps restarting
    1822315 - status.desiredState: doesn't pick the correct value and is null
    1823342 - Invalid qcow2 image causes HTTP range error and difficult to read stack trace
    1823699 - [CNV-2.4] Failing to deploy NetworkAddons
    1823701 - [CNV-2.4] when a single component is failing, HCO can continue reporting outdated negative conditions also on other components
    1825801 - [CNV-2.4] Failing to deploy due issues in CRD of cluster network operator
    1826044 - [CNV-2.4] Failing to deploy due issues in CRD of cluster host-path-provisioner operator
    1827257 - VMs' connectivity is available even the two VMs are in different vlan
    1828401 - misconfigured prow job e2e-aws-4.5-cnv resulting in step e2e-aws failed: step needs a lease but no lease client provided
    1829376 - VMs with blank block volumes fail to spin up
    1830780 - virt-v2v-wrapper - 0% VM migration progress in UI
    1831536 - kubevirt-{handler,apiserver,controller} service accounts added to the privileged SCC
    1832179 - [virt] VM with runStrategy attribute (instead of 'running' attribute) does not have 'RUNNING' state in cli
    1832283 - [SSP operator] Common templates and template_validator are missing after clean installation
    1832291 - SSP installation is successful even with some components missing
    1832769 - [kubevirt version] is not reported correctly
    1833220 - CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters
    1833376 - Hardcoded VMware-vix-disklib version 6 - import fail with version 7
    1833786 - kubevirt hyperconverged-cluster-operator deploy_marketplace.sh fails in disconnected cluster
    1834253 - VMs are stuck in Starting state
    1835242 - Can't query SSP CRs after upgrade from 2.3 to 2.4
    1835426 - [RFE] Provide a clear error message when VM and VMI name does not match
    1836792 - [CNV deployment] kubevirt components are missing
    1837182 - VMI virt-launcher reaches Error state after running for 10-24 hours
    1837670 - Specifying "Ubuntu 18.04 LTS" force the Conroe CPU model
    1838066 - [CNV deployment] kubevirt failing to create cpu-plugin-configmap obsoleteCPUs
    1838424 - [Installation] CNV 2.4.0 virt-handler and kubevirt-node-labeller pods are not showing up
    1839982 - [CNV][DOC] Lack of explanation for StorageClass default accessMode in openshift-cnv kubevirt-storage-class-defaults
    1840047 - [CNV-2.4] virt-handler failing on /usr/bin/container-disk: no such file or directory
    1840220 - [CNV-2.4] node-maintenance-operator failing to create deployment - invalid format of manifest
    1840652 - Upgrade indication is missing
    1841065 - [v2v] RHV to CNV: VM import fail on network mapping validation
    1841325 - [CNV][V2V] VM migration fails if VMWare host isn't under Cluster but directly under Datacenter
    1841505 - [CNV-2.4] virt-template-validator container fails to start
    1842869 - vmi cannot be scheduled, because node labeller doesn't report correct labels
    1842958 - [SSP] Fail to create Windows VMs from templates - windows-cd-bus validation added but cdrom is missing from the template
    1843219 - node-labeller SCC is privileged, which appears too relaxed
    1843456 - virt-launcher goes from running to error state due to panic: timed out waiting for domain to be defined
    1843467 - [CNV network KMP] kubemacpool causes worker node to be Ready,SchedulingDisabled
    1843519 - HCO CR is not listed when running "kubectl get all" from command line
    1843948 - [Network operator] Upgrade from 2.3 to 2.4 - Network operator fails to upgrade ovs-cni pods, upgrade is not completed
    1844057 - [CNV-2.4] cluster-network-addons-operator failing to start
    1844105 - [SSP operator] Upgrade from 2.3.0 to 2.4.0- SSP operator fails to upgrade node labeller and template validator
    1844907 - kubemacpool deployment status errors regarding replicas
    1845060 - Node-labeller is in pending state when node doesn't have kvm device
    1845061 - Version displayed in Container Native Virtualization OperatorHub side panel
    1845477 - [SSP] Template validator fails to "Extract the CA bundle"; template validator is not called when a VM is created
    1845557 - [CNV-2.4] template validator webhook fails with certification issues
    1845604 - [v2v] RHV to CNV VM import: Prevent a second vm-import from starting.
    1845899 - [CNV-2.5] cluster-network-addons-operator failing to start
    1845901 - Filesystem corruption related to smart clone
    1847070 - vmi cannot be scheduled, qemu-kvm core dump
    1847594 - pods in openshift-cnv namespace no longer have openshift.io/scc under metadata.annotations
    1848004 - [CNV-2.5] Deployment fails on NetworkAddonsConfigNotAvailable
    1848007 - [CNV-2.4] Deployment fails on NetworkAddonsConfigNotAvailable
    1848951 - CVE-2020-14316 kubevirt: VMIs can be used to access host files
    1849527 - [v2v] [api] VM import RHV to CNV importer should stop send requests to RHV if they are rejected because of wrong user/pass
    1849915 - [v2v] VM import RHV to CNV: The timezone data is not available in the vm-import-controller image.
    1850425 - [v2v][VM import RHV to CNV] Add validation for network target type in network mapping
    1850467 - [v2v] [api]  VM import RHV to CNV invalid target network type should not crash the controller
    1850482 - [v2v][VM import from RHV to CNV] 2 nics are mapped to a new network though second was mapped to pod.
    1850937 - kubemacpool fails in a specific order of components startup
    1851856 - Deployment not progressing due to PriorityClass missing
    1851886 - [CNV][V2V] VMWare pod is failing when running wizard to migrate from RHV
    1852446 - [v2v][RHV to CNV VM import] Windows10 VM import fail on: timezone is not UTC-compatible
    1853028 - CNV must-gather failure on CNV-QE BM-RHCOS environment
    1853133 - [CNV-2.4] Deployment fails on KubeVirtMetricsAggregationNotAvailable
    1853373 - virtctl image-upload fails to upload an image if the dv name includes a "."
    1854419 - [Re-brand] Align CSV
    1854744 - To stabilize some tests I need to backport PRs which change production code
    1855256 - [v2v][RHV to CNV VM import] Empty directories created for vm-import-operator/controller logs in cnv-must-gather
    1856438 - [CNAO] Upgrade is not completed (wrong operatorVersion), CR is not updated.
    1856447 - CNV upgrade - HCO fails to identify wrong observedVersion in CR, HCO is reported as READY
    1856979 - Domain notify errors break VMI migrations and graceful shutdown
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2018-7263
    https://access.redhat.com/security/cve/CVE-2018-9251
    https://access.redhat.com/security/cve/CVE-2018-14404
    https://access.redhat.com/security/cve/CVE-2018-18074
    https://access.redhat.com/security/cve/CVE-2018-19519
    https://access.redhat.com/security/cve/CVE-2018-20060
    https://access.redhat.com/security/cve/CVE-2018-20337
    https://access.redhat.com/security/cve/CVE-2018-20852
    https://access.redhat.com/security/cve/CVE-2019-1547
    https://access.redhat.com/security/cve/CVE-2019-1549
    https://access.redhat.com/security/cve/CVE-2019-1563
    https://access.redhat.com/security/cve/CVE-2019-3016
    https://access.redhat.com/security/cve/CVE-2019-3825
    https://access.redhat.com/security/cve/CVE-2019-3843
    https://access.redhat.com/security/cve/CVE-2019-3844
    https://access.redhat.com/security/cve/CVE-2019-5094
    https://access.redhat.com/security/cve/CVE-2019-5436
    https://access.redhat.com/security/cve/CVE-2019-5481
    https://access.redhat.com/security/cve/CVE-2019-5482
    https://access.redhat.com/security/cve/CVE-2019-8457
    https://access.redhat.com/security/cve/CVE-2019-11236
    https://access.redhat.com/security/cve/CVE-2019-11324
    https://access.redhat.com/security/cve/CVE-2019-12447
    https://access.redhat.com/security/cve/CVE-2019-12448
    https://access.redhat.com/security/cve/CVE-2019-12449
    https://access.redhat.com/security/cve/CVE-2019-13232
    https://access.redhat.com/security/cve/CVE-2019-13752
    https://access.redhat.com/security/cve/CVE-2019-13753
    https://access.redhat.com/security/cve/CVE-2019-14563
    https://access.redhat.com/security/cve/CVE-2019-14822
    https://access.redhat.com/security/cve/CVE-2019-15847
    https://access.redhat.com/security/cve/CVE-2019-16056
    https://access.redhat.com/security/cve/CVE-2019-17451
    https://access.redhat.com/security/cve/CVE-2019-18934
    https://access.redhat.com/security/cve/CVE-2019-19126
    https://access.redhat.com/security/cve/CVE-2019-19232
    https://access.redhat.com/security/cve/CVE-2019-19807
    https://access.redhat.com/security/cve/CVE-2019-19923
    https://access.redhat.com/security/cve/CVE-2019-19924
    https://access.redhat.com/security/cve/CVE-2019-19925
    https://access.redhat.com/security/cve/CVE-2019-19959
    https://access.redhat.com/security/cve/CVE-2019-1010180
    https://access.redhat.com/security/cve/CVE-2019-1010204
    https://access.redhat.com/security/cve/CVE-2020-8616
    https://access.redhat.com/security/cve/CVE-2020-8617
    https://access.redhat.com/security/cve/CVE-2020-10749
    https://access.redhat.com/security/cve/CVE-2020-10754
    https://access.redhat.com/security/cve/CVE-2020-10757
    https://access.redhat.com/security/cve/CVE-2020-10766
    https://access.redhat.com/security/cve/CVE-2020-10767
    https://access.redhat.com/security/cve/CVE-2020-10768
    https://access.redhat.com/security/cve/CVE-2020-11008
    https://access.redhat.com/security/cve/CVE-2020-11080
    https://access.redhat.com/security/cve/CVE-2020-11501
    https://access.redhat.com/security/cve/CVE-2020-12049
    https://access.redhat.com/security/cve/CVE-2020-12653
    https://access.redhat.com/security/cve/CVE-2020-12654
    https://access.redhat.com/security/cve/CVE-2020-12662
    https://access.redhat.com/security/cve/CVE-2020-12663
    https://access.redhat.com/security/cve/CVE-2020-12888
    https://access.redhat.com/security/cve/CVE-2020-13777
    https://access.redhat.com/security/cve/CVE-2020-14316
    https://access.redhat.com/security/updates/classification/#important
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    