Red Hat Virtualization 4.4 RHSA-2021:1169-01 Moderate: XSS and DoS

Red Hat, April 14, 2021
An update for Red Hat Virtualization 4.4 has been released; Red Hat rates it as Moderate risk because it addresses several security vulnerabilities. Review the fixes and their implications below.
An update is now available for Red Hat Virtualization Engine 4.4

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.
A list of bugs fixed in this update is available in the Technical Notes book:
ml-single/technical_notes
Security Fix(es):
* nodejs-bootstrap-select: not escaping title values on

References

https://access.redhat.com/security/cve/CVE-2019-20921
https://access.redhat.com/security/cve/CVE-2020-25657
https://access.redhat.com/security/cve/CVE-2020-28458
https://access.redhat.com/security/cve/CVE-2020-28477
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ansible-runner-1.4.6-2.el8ar.src.rpm
ansible-runner-service-1.0.7-1.el8ev.src.rpm
apache-sshd-2.6.0-1.el8ev.src.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.src.rpm
ovirt-web-ui-1.6.7-1.el8ev.src.rpm

noarch:
ansible-runner-1.4.6-2.el8ar.noarch.rpm
ansible-runner-service-1.0.7-1.el8ev.noarch.rpm
apache-sshd-2.6.0-1.el8ev.noarch.rpm
apache-sshd-javadoc-2.6.0-1.el8ev.noarch.rpm
ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.5.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.5.9-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.5.9-0.1.el8ev.noarch.rpm

Advisory ID: RHSA-2021:1169-01
Product: Red Hat Virtualization
Issue date: 2021-04-14

Topic

An update is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

Bugs Fixed

1145658 - Storage domain removal does not check if the storage domain contains any memory dumps.

1155275 - [RFE] - Online update LUN size to the Guest after LUN resize

1649479 - [RFE] OVF_STORE last update not exposed in the UI

1666786 - RHV-M reports "Balancing VM ${VM}" for ever as successful in the tasks list

1688186 - [RFE] CPU and NUMA Pinning shall be handled automatically

1729359 - Failed image upload leaves disk in locked state, requiring manual intervention to cleanup.

1787235 - [RFE] Offline disk move should log which host the data is being copied on in the audit log

1802844 - rest api setupnetworks: assignment_method should be inside ip_address_assignment

1837221 - [RFE] Allow using other than RSA SHA-1/SHA-2 public keys for SSH connections between RHVM and hypervisors

1843882 - network interface not added to public firewalld zone until host reboot

1858420 - Snapshot creation on host that engine then loses connection to results in missing snapshots table entry

1882273 - CVE-2019-20921 nodejs-bootstrap-select: not escaping title values on

1884233 - oVirt-engine reports misleading login-domain for external RH-SSO accounts

1889823 - CVE-2020-25657 m2crypto: bleichenbacher timing attacks in the RSA decryption API

1895217 - Hosted-Engine --restore-from-file fails if backup has VM pinned to restore host and has no Icon set.

1901503 - Misleading error message, displaying Data Center Storage Type instead of its name
