-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update
Advisory ID:       RHSA-2021:3598-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3598
Issue date:        2021-09-21
CVE Names:         CVE-2021-3609 CVE-2021-22543 CVE-2021-22555 
                   CVE-2021-27218 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-37576 
                   CVE-2021-38201 CVE-2021-38575 
====================================================================
1. Summary:

Red Hat OpenShift Virtualization release 4.8.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.8.2 images:

RHEL-8-CNV-4.8
=============kubevirt-vmware-container-v4.8.2-1
node-maintenance-operator-container-v4.8.2-1
bridge-marker-container-v4.8.2-1
kubemacpool-container-v4.8.2-1
virtio-win-container-v4.8.2-1
kubevirt-v2v-conversion-container-v4.8.2-1
hostpath-provisioner-container-v4.8.2-1
kubernetes-nmstate-handler-container-v4.8.2-1
cluster-network-addons-operator-container-v4.8.2-1
cnv-containernetworking-plugins-container-v4.8.2-1
hyperconverged-cluster-operator-container-v4.8.2-2
hostpath-provisioner-operator-container-v4.8.2-1
ovs-cni-marker-container-v4.8.2-1
hyperconverged-cluster-webhook-container-v4.8.2-2
ovs-cni-plugin-container-v4.8.2-1
kubevirt-template-validator-container-v4.8.2-2
kubevirt-ssp-operator-container-v4.8.2-2
cnv-must-gather-container-v4.8.2-3
vm-import-virtv2v-container-v4.8.2-4
vm-import-operator-container-v4.8.2-4
vm-import-controller-container-v4.8.2-4
virt-cdi-cloner-container-v4.8.2-2
virt-cdi-controller-container-v4.8.2-2
virt-cdi-operator-container-v4.8.2-2
virt-cdi-uploadproxy-container-v4.8.2-2
virt-cdi-uploadserver-container-v4.8.2-2
virt-cdi-apiserver-container-v4.8.2-2
virt-cdi-importer-container-v4.8.2-2
virt-launcher-container-v4.8.2-5
virt-api-container-v4.8.2-5
virt-handler-container-v4.8.2-5
virt-controller-container-v4.8.2-5
virt-operator-container-v4.8.2-5
hco-bundle-registry-container-v4.8.2-17

Security Fix(es):

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1953485 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - SSP
1957791 - [MTV][Warm] The migrated VM on target side should be powered off/on accordingly to the source VM's last power state during warm migration
1972819 - Failed, Pending and Scheduling VMs can not be stopped
1982143 - [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990065 - [4.8.2][network] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters1991460 - Cannot get 'write' permission without 'resize': Image size is not a multiple of request alignment'
1993122 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
1995050 - RHEL9 template - support level and description should be updated
1996110 - cdi importer fails for a CirrOS VM import to NFS (but not to Cepf-rbd/block)
1996660 - [4.8] Goroutine count and memory remains high after VMIs are removed
1997668 - [v2v] VM import from RHV should not be blocked for a non UTC Timezone.
1998818 - virt-handler Pod is missing xorrisofs command
1998983 - 4.8.2 containers2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed
2001038 - Importer attempts to shrink an image in certain situations
2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import

5. References:

https://access.redhat.com/security/cve/CVE-2021-3609
https://access.redhat.com/security/cve/CVE-2021-22543
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-37576
https://access.redhat.com/security/cve/CVE-2021-38201
https://access.redhat.com/security/cve/CVE-2021-38575
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYUm9jNzjgjWX9erEAQj5ERAAlwei+1rByD0NbOnsl6V/N8336joQgWAw
YTaHbCzYC7188JJ2ucnup1wmPhjk1mWFzUGI+7GLNjnCAaBy3Eg3w5ZI86H1G7T6
0q3TOmTU8ezyr6JMryiw1v4aambVtB8g1K7XjNVQnKhKyJtsx7iuagyg9QMbVknU
i2uRANE/7GgL0Yv6jwPSgNjzArhW9TosXVfg+oYY9MQ8fAZyhdXxZKRnwwe0lHVk
NMwPppumF80lvraU/HwcYlkQrc9It5F62fm0NOvyvY0J3+V55+yeb5UeiBMeyFK4
++HIcxtktf/X7dBAfUkeqPoVYX/MkHxHCaYbEnXyVNK9m/8Z9HWOzzJ6YgFGZ7hE
FNnKyGG1ZXcOmWHZ2UBoVFOMLGcf907o6oaC6p3AfX6LVPTRb8E8Df7TS0TP3miS
BQmq+UnJG6mnO0xHtxmS+WJ1lh51LVaczJuMUHgpGOn8pCVkQIH4jx2tmSVkZN6O
0jOcW2Lg1YGX6Byfz9jcjaG2pRXGeos/JVJKEeWOVtiJcFQFRgEUNxJpeothOqi5
Dr1hJbtn/Ts4E8jDw3IrjfvjPC7f+IBU67fcT4FXHklkaYchZKLteaIAEMoy+w6h
GMxVU+aohcvVSfIXv6hi4S8hM6HAxEdklwX7nUP2AsjGDDS1ZKFZz/EleItz45MF
E1MQ2NdfNNY=vkzK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-3598:01 Moderate: OpenShift Virtualization 4.8.2 Images

Red Hat OpenShift Virtualization release 4.8.2 is now available with updates to packages and images that fix several bugs and add enhancements

Summary

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains the following OpenShift Virtualization 4.8.2 images:
RHEL-8-CNV-4.8 =============kubevirt-vmware-container-v4.8.2-1 node-maintenance-operator-container-v4.8.2-1 bridge-marker-container-v4.8.2-1 kubemacpool-container-v4.8.2-1 virtio-win-container-v4.8.2-1 kubevirt-v2v-conversion-container-v4.8.2-1 hostpath-provisioner-container-v4.8.2-1 kubernetes-nmstate-handler-container-v4.8.2-1 cluster-network-addons-operator-container-v4.8.2-1 cnv-containernetworking-plugins-container-v4.8.2-1 hyperconverged-cluster-operator-container-v4.8.2-2 hostpath-provisioner-operator-container-v4.8.2-1 ovs-cni-marker-container-v4.8.2-1 hyperconverged-cluster-webhook-container-v4.8.2-2 ovs-cni-plugin-container-v4.8.2-1 kubevirt-template-validator-container-v4.8.2-2 kubevirt-ssp-operator-container-v4.8.2-2 cnv-must-gather-container-v4.8.2-3 vm-import-virtv2v-container-v4.8.2-4 vm-import-operator-container-v4.8.2-4 vm-import-controller-container-v4.8.2-4 virt-cdi-cloner-container-v4.8.2-2 virt-cdi-controller-container-v4.8.2-2 virt-cdi-operator-container-v4.8.2-2 virt-cdi-uploadproxy-container-v4.8.2-2 virt-cdi-uploadserver-container-v4.8.2-2 virt-cdi-apiserver-container-v4.8.2-2 virt-cdi-importer-container-v4.8.2-2 virt-launcher-container-v4.8.2-5 virt-api-container-v4.8.2-5 virt-handler-container-v4.8.2-5 virt-controller-container-v4.8.2-5 virt-operator-container-v4.8.2-5 hco-bundle-registry-container-v4.8.2-17
Security Fix(es):
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html

References

https://access.redhat.com/security/cve/CVE-2021-3609 https://access.redhat.com/security/cve/CVE-2021-22543 https://access.redhat.com/security/cve/CVE-2021-22555 https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2021-37576 https://access.redhat.com/security/cve/CVE-2021-38201 https://access.redhat.com/security/cve/CVE-2021-38575 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2021:3598-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3598
Issued Date: : 2021-09-21
CVE Names: CVE-2021-3609 CVE-2021-22543 CVE-2021-22555 CVE-2021-27218 CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 CVE-2021-37576 CVE-2021-38201 CVE-2021-38575

Topic

Red Hat OpenShift Virtualization release 4.8.2 is now available withupdates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1953485 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - SSP

1957791 - [MTV][Warm] The migrated VM on target side should be powered off/on accordingly to the source VM's last power state during warm migration

1972819 - Failed, Pending and Scheduling VMs can not be stopped

1982143 - [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic

1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names

1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

1990065 - [4.8.2][network] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters1991460 - Cannot get 'write' permission without 'resize': Image size is not a multiple of request alignment'

1993122 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/

1995050 - RHEL9 template - support level and description should be updated

1996110 - cdi importer fails for a CirrOS VM import to NFS (but not to Cepf-rbd/block)

1996660 - [4.8] Goroutine count and memory remains high after VMIs are removed

1997668 - [v2v] VM import from RHV should not be blocked for a non UTC Timezone.

1998818 - virt-handler Pod is missing xorrisofs command

1998983 - 4.8.2 containers2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed

2001038 - Importer attempts to shrink an image in certain situations

2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import


Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved