RedHat: RHSA-2021-3459:01 Moderate: Red Hat Virtualization Host security
Summary
The VDSM service is required by a Virtualization Manager to manage the
Linux hosts. VDSM manages and monitors the host's storage, memory and
networks as well as virtual machine creation, other host administration
tasks, statistics gathering, and log collection.
Security Fix(es):
* nodejs-lodash: command injection via template (CVE-2021-23337)
* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Bug Fix(es):
* An update in libvirt has changed the way block threshold events are
submitted.
As a result, the VDSM was confused by the libvirt event, and tried to look
up a drive, logging a warning about a missing drive.
In this release, the VDSM has been adapted to handle the new libvirt
behavior, and does not log warnings about missing drives. (BZ#1948177)
* Previously, when a virtual machine was powered off on the source host of
a live migration and the migration finished successfully at the same time,
the two events interfered with each other, and sometimes prevented
migration cleanup resulting in additional migrations from the host being
blocked.
In this release, additional migrations are not blocked. (BZ#1959436)
* Previously, when failing to execute a snapshot and re-executing it later,
the second try would fail due to using the previous execution data. In this
release, this data will be used only when needed, in recovery mode.
(BZ#1984209)
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
References
https://access.redhat.com/security/cve/CVE-2020-28500 https://access.redhat.com/security/cve/CVE-2021-23337 https://access.redhat.com/security/updates/classification/#moderate
Package List
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:
Source:
cockpit-ovirt-0.15.1-2.el8ev.src.rpm
ovirt-host-4.4.8-2.el8ev.src.rpm
ovirt-hosted-engine-ha-2.4.8-1.el8ev.src.rpm
ovirt-hosted-engine-setup-2.5.3-1.el8ev.src.rpm
vdsm-4.40.80.5-1.el8ev.src.rpm
noarch:
cockpit-ovirt-dashboard-0.15.1-2.el8ev.noarch.rpm
ovirt-hosted-engine-ha-2.4.8-1.el8ev.noarch.rpm
ovirt-hosted-engine-setup-2.5.3-1.el8ev.noarch.rpm
vdsm-api-4.40.80.5-1.el8ev.noarch.rpm
vdsm-client-4.40.80.5-1.el8ev.noarch.rpm
vdsm-common-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.40.80.5-1.el8ev.noarch.rpm
vdsm-http-4.40.80.5-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.40.80.5-1.el8ev.noarch.rpm
vdsm-python-4.40.80.5-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.40.80.5-1.el8ev.noarch.rpm
ppc64le:
ovirt-host-4.4.8-2.el8ev.ppc64le.rpm
ovirt-host-dependencies-4.4.8-2.el8ev.ppc64le.rpm
vdsm-4.40.80.5-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.40.80.5-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.40.80.5-1.el8ev.ppc64le.rpm
vdsm-network-4.40.80.5-1.el8ev.ppc64le.rpm
x86_64:
ovirt-host-4.4.8-2.el8ev.x86_64.rpm
ovirt-host-dependencies-4.4.8-2.el8ev.x86_64.rpm
vdsm-4.40.80.5-1.el8ev.x86_64.rpm
vdsm-gluster-4.40.80.5-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.40.80.5-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.40.80.5-1.el8ev.x86_64.rpm
vdsm-network-4.40.80.5-1.el8ev.x86_64.rpm
Red Hat Virtualization 4 Hypervisor for RHEL 8:
Source:
vdsm-4.40.80.5-1.el8ev.src.rpm
noarch:
vdsm-hook-cpuflags-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.40.80.5-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.40.80.5-1.el8ev.noarch.rpm
x86_64:
vdsm-hook-checkips-4.40.80.5-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.40.80.5-1.el8ev.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for cockpit-ovirt, ovirt-host, ovirt-hosted-engine-ha,ovirt-hosted-engine-setup, and vdsm is now available for Red HatVirtualization 4 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64
Bugs Fixed
1928937 - CVE-2021-23337 nodejs-lodash: command injection via template
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
1948177 - Unknown drive for vm - ignored block threshold event
1959436 - VMs stuck in "migrating" status since it's unable to acquire the migration semaphore
1984209 - VDSM reports failed snapshot to engine, but it succeeded. Then engine deletes the volume and causes data corruption.
1998017 - Keep cinbderlib dependencies optional for 4.4.8