Alerts This Week
Warning Icon 1 535
Alerts This Week
Warning Icon 1 535

Red Hat RHV-M: RHSA-2021:0381-01 Low: XXE Threat Advisory

Calendar Feb 02, 2021 User Avatar LinuxSecurity Advisories
3 - 6 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory Red Hat bug fix low severity low xml external entity XXE ovirt-engine red hat virtualization RHV-M RHV-Engine
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
Advisory ID:       RHSA-2021:0381-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0381
Issue date:        2021-02-02
CVE Names:         CVE-2020-25649 
====================================================================
1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
1702237 - [RFE] add API for listing disksnapshots under disk resource
1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.
1868114 - RHV-M UI/Webadmin:  The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.
1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
1881115 - RHEL VM icons squashed, please adhere to brand rules
1881357 - German language greeting page says Red Hat®
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
1903385 - RFE:  rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
1903595 - [PPC] Can't add PPC host to Engine

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm
ovirt-web-ui-1.6.6-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm
rhvm-4.4.4.5-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYBlba9zjgjWX9erEAQhjzQ/9E966aSphBTdfmsL3Upuj4b2vmhXuDcea
r+XD21Q8GkvTK0s4yB7q+Vn/TPquTAVkX13AW+tHHM0sp4NfMB+c6Anzogw2AHq9
o/5aeiB+CJdDX2IwHhPDCioPVpZt4cHYCDeNGUfa7tww7b91y72kJQTbQ/GvnHvj
bGlZ4RTkA1tmSEA/JC0ZzUasIKXidNFK88D755dbyWFxlz3HMkXV/FuDOO1NwtGw
JMH/knAtkN/z9rrYFKotO8wHzt/PfG/V09taK5vogMqVJIpYXDtxwOfer6HjyLsC
9H/jAAYjKL/SQO2Dgsh7VMCEZ4Qlut+ahcbsg/L0dGOLq9OFngdusxTqqhUR9UIb
AqFfniY/xwdddfaFVKnI2CVr0QU6hWTj8wFgBdCbMd80zmanVwpk1lLnlex3bjn2
T52CbKABXhV8RDuGdLQyGgfXksYVaKoLeTnqC9nSfMeQ62PEqq0iLNtYDi5EjqLd
ijiB9+NmB/e0vjU5TSsKaD9Rpf6KbFRUwep8ygSwApMQ8H4CQ2HCy5v4GxsQFYFK
OeA2uJmZT9ELvfOybgwdzV9XWF4R9MnbgYuWrh75Cc5v3FCz2CbwddZy5QdPiRhn
k4n6RFelAAvulO8WbkJ0N90EIC7nI2d7S3MgaO+gFWoDIuNnedqDU0Ydp9ZN9DHd
P8Fb7Gf1V+M=XP00
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat RHV-M: RHSA-2021:0381-01 Low: XXE Threat Advisory

red hat
Calendar Grey February 2, 2021
Dist Redhat Esm H88
Minor security alert for RedHat RHV-M (oVirt Engine) version 4.4, including updates and improvements. Read the full information!
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
Security Fix(es):
* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

Topics%20covered

Topics Covered

security advisory Red Hat bug fix low severity low xml external entity XXE ovirt-engine red hat virtualization RHV-M RHV-Engine

References

https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#low

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm ovirt-web-ui-1.6.6-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm
noarch: ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm

Read the Full Advisory


Severity
low
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2021:0381-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0381
Issue date: 2021-02-02

Topic

Updated ovirt-engine packages that fix several bugs and add variousenhancements are now available.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat bug fix low severity low xml external entity XXE ovirt-engine red hat virtualization RHV-M RHV-Engine

Relevant Releases Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

Bugs Fixed

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API

1702237 - [RFE] add API for listing disksnapshots under disk resource

1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.

1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.

1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.

1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.

1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x

1881115 - RHEL VM icons squashed, please adhere to brand rules

1881357 - German language greeting page says Red Hat®

1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom

1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env

1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version

1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.

1903595 - [PPC] Can't add PPC host to Engine

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here