Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat RHV-M: RHSA-2021:0381-01 Low: XXE Threat Advisory

red hat
Calendar Grey February 2, 2021
Dist Redhat Esm H88
Minor security alert for RedHat RHV-M (oVirt Engine) version 4.4, including updates and improvements. Read the full information!
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
Security Fix(es):
* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

References

https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#low

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm ovirt-web-ui-1.6.6-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm
noarch: ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm

Read the Full Advisory


Severity
low
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2021:0381-01
Product: Red Hat Virtualization
Issue date: 2021-02-02

Topic

Updated ovirt-engine packages that fix several bugs and add variousenhancements are now available.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

Bugs Fixed

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API

1702237 - [RFE] add API for listing disksnapshots under disk resource

1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.

1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.

1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.

1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.

1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x

1881115 - RHEL VM icons squashed, please adhere to brand rules

1881357 - German language greeting page says Red Hat®

1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom

1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env

1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version

1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.

1903595 - [PPC] Can't add PPC host to Engine

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here