Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Red Hat Virtualization 4 Update: RHSA-2021-2239-01 Moderate DoS Threat

red hat
Calendar Grey June 3, 2021
Dist Redhat Esm H88
A significant security enhancement for Red Hat Virtualization Host tackles various concerns, notably a potential DoS vulnerability.
An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
Security Fix(es):
* python-cryptography: bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)
* krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead to DoS (CVE-2020-28196)
* python-cryptography: certain sequences of update() calls when symmetrically encrypting very large payloads could result in an integer overflow and lead to buffer overflows (CVE-2020-36242)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Previously, old RPM files were not properly removed during package removal (uninistall) or upgrade. As a result, removed packages were reinstalled, or, during and upgrade, the system tried to install two or more different versions at once, causing the upgrade to fail. In this release, the dnf plugin has been fixed, and RPM packages are now properly removed. The new version will also auto-heal the broken system by removing RPM packages which are not supposed to be in the persisted-rpms directory. (BZ#1936972)
* With this release, ovirt-hosted-engine-ha supports multiple, comma-separated values for all iSCSI configuration items. (BZ#1909888)

Topics%20covered

Topics Covered

security advisory security update moderate impact software fix DoS threat Red Hat Virtualization RHSA-2021-2239

References

https://access.redhat.com/security/cve/CVE-2020-25659 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-36242 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:
Source: cockpit-ovirt-0.15.0-2.el8ev.src.rpm ovirt-hosted-engine-ha-2.4.7-1.el8ev.src.rpm
noarch: cockpit-ovirt-dashboard-0.15.0-2.el8ev.noarch.rpm ovirt-hosted-engine-ha-2.4.7-1.el8ev.noarch.rpm
Red Hat Virtualization 4 Hypervisor for RHEL 8:
Source: redhat-virtualization-host-4.4.6-20210527.3.el8_4.src.rpm
x86_64: elfutils-debuginfo-0.182-3.el8.x86_64.rpm elfutils-debuginfod-client-0.182-3.el8.x86_64.rpm elfutils-debuginfod-client-debuginfo-0.182-3.el8.x86_64.rpm elfutils-debuginfod-debuginfo-0.182-3.el8.x86_64.rpm elfutils-debugsource-0.182-3.el8.x86_64.rpm elfutils-libelf-debuginfo-0.182-3.el8.x86_64.rpm elfutils-libs-debuginfo-0.182-3.el8.x86_64.rpm redhat-virtualization-host-image-update-4.4.6-20210527.3.el8_4.x86_64.rpm
RHEL 8-based RHEV-H for RHEV 4 (build requirements):
Source: imgbased-1.2.19-1.el8ev.src.rpm redhat-release-virtualization-host-4.4.6-1.el8ev.src.rpm scap-security-guide-0.1.54-1.el8ev.src.rpm
noarch: imgbased-1.2.19-1.el8ev.noarch.rpm python3-imgbased-1.2.19-1.el8ev.noarch.rpm redhat-virtualization-host-image-update-placeholder-4.4.6-1.el8ev.noarch.rpm scap-security-guide-rhv-0.1.54-1.el8ev.noarch.rpm
x86_64: redhat-release-virtualization-host-4.4.6-1.el8ev.x86_64.rpm


Read the Full Advisory


Advisory ID: RHSA-2021:2239-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2239
Issue date: 2021-06-03

Topic

An update for imgbased, redhat-release-virtualization-host, andredhat-virtualization-host is now available for Red Hat Virtualization 4for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory security update moderate impact software fix DoS threat Red Hat Virtualization RHSA-2021-2239

Relevant Releases Architectures

RHEL 8-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64

Red Hat Virtualization 4 Hypervisor for RHEL 8 - x86_64

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch

Bugs Fixed

1779052 - RHVH 4.4: AVC denied errors (dac_override) in audit.log

1882542 - [downstream] Failed to assign network to Infiniband Bond

1889988 - CVE-2020-25659 python-cryptography: bleichenbacher timing oracle attack against RSA decryption

1897893 - RHVH does not keep the same IPv6 address on each reprovision

1901041 - CVE-2020-28196 krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead to DoS

1901878 - Rebase RHV-H on RHEL 8.4

1909888 - [RFE] Support multiple IQN in hosted-engine.conf for Active-Active DR setup

1926226 - CVE-2020-36242 python-cryptography: certain sequences of update() calls when symmetrically encrypting very large payloads could result in an integer overflow and lead to buffer overflows

1931443 - After reboot a RHV-H host fails to boot displaying error: ../../grub-core/loader/i386/pc/linux.c:170:invalid magic number

1936972 - [RHVH] Failed to reinstall persisted RPMs

1938925 - RHV-H iso needs to include NetworkManager-1.26.0-12.el8_3 or later.

1942580 - End User License Agreement trademarks Shadowman but not new logo

1944632 - Rebase RHV-H 4.4.6 on FDP 2.11 21.C

1946095 - "No valid network interface has been found" when starting HE deployment via cockpit

1948944 - RHVH 4.4.6 ISO (RHVH-4.4-20210412.3-RHVH-x86_64-dvd1.iso) installation failed

1949431 - The directory of EULA presented on the UI is incorrect

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here