-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update
Advisory ID:       RHSA-2021:4104-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4104
Issue date:        2021-11-02
CVE Names:         CVE-2020-25648 CVE-2021-3121 CVE-2021-3653 
                   CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 
                   CVE-2021-31525 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36222 
                   CVE-2021-37750 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.9.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.9.0 images:

RHEL-8-CNV-4.9
==============
kubevirt-v2v-conversion-container-v4.9.0-9
vm-import-controller-container-v4.9.0-15
cnv-containernetworking-plugins-container-v4.9.0-15
kubemacpool-container-v4.9.0-18
virtio-win-container-v4.9.0-8
vm-import-operator-container-v4.9.0-15
kubevirt-vmware-container-v4.9.0-8
kubevirt-template-validator-container-v4.9.0-14
cluster-network-addons-operator-container-v4.9.0-26
kubernetes-nmstate-handler-container-v4.9.0-25
node-maintenance-operator-container-v4.9.0-13
hostpath-provisioner-container-v4.9.0-6
bridge-marker-container-v4.9.0-13
kubevirt-ssp-operator-container-v4.9.0-28
ovs-cni-marker-container-v4.9.0-16
ovs-cni-plugin-container-v4.9.0-16
vm-import-virtv2v-container-v4.9.0-15
virt-cdi-apiserver-container-v4.9.0-35
virt-cdi-cloner-container-v4.9.0-35
virt-cdi-uploadproxy-container-v4.9.0-35
virt-cdi-controller-container-v4.9.0-35
hostpath-provisioner-operator-container-v4.9.0-15
virt-cdi-importer-container-v4.9.0-35
virt-cdi-uploadserver-container-v4.9.0-35
virt-cdi-operator-container-v4.9.0-35
virt-launcher-container-v4.9.0-58
virt-api-container-v4.9.0-58
virt-handler-container-v4.9.0-58
virt-operator-container-v4.9.0-58
virt-controller-container-v4.9.0-58
virt-artifacts-server-container-v4.9.0-58
libguestfs-tools-container-v4.9.0-58
cnv-must-gather-container-v4.9.0-54
hyperconverged-cluster-operator-container-v4.9.0-57
hyperconverged-cluster-webhook-container-v4.9.0-57
hco-bundle-registry-container-v4.9.0-249

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

* golang: net/https: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1858777 - Alert for VM with 'evictionStrategy: LiveMigrate' for local PVs set
1891921 - virt-launcher is missing /usr/share/zoneinfo directory, making it impossible to set clock offset of timezone type for the guest RTC
1896469 - In cluster with OVN Kubernetes networking - a node doesn't recover when configuring linux-bridge over its default NIC
1903687 - [scale] 1K DV creation failed
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1933043 - Delete VM just after it turns into "running" is very likely to hit grace period end
1935219 - [CNV-2.5] Set memory and CPU request on hco-operator and hco-webhook deployments
1942726 - test automatic bug creation for a new release
1943164 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed
1945589 - Live migration with virtiofs is possible
1953481 - New OCP priority classes are not used - Deploy
1953483 - New OCP priority classes are not used - SSP
1953484 - New OCP priority classes are not used - Storage
1955129 - Failed to bindmount hotplug-disk for hostpath-provisioner
1957852 - Could not start VM as restore snapshot was still not Complete
1958341 - CVE-2021-31525 golang: net/https: panic in ReadRequest and ReadResponse when reading a very large header
1963963 - hco.kubevirt.io:config-reader role and rolebinding are not strictly reconciled
1965050 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount
1973852 - Introduce VM crashloop backoff
1976604 - [CNV-5786] IP connectivity is lost after migration (masquerade)
1976730 - Disk is not usable due to incorrect size for proper alignment
1979631 - virt-chroot: container disk validation crash prevents VMI from starting/migrating
1979659 - 4.9.0 containers
1981345 - 4.9.0 rpms
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1985083 - VMI Pod fails to terminate due to a zombie qemu process
1985649 - virt-handler Pod is missing xorrisofs command
1985670 - virt-launcher fails to create v1 controller cpu for group: Read-only file system
1985719 - Unprivileged client fails to get guest agent data
1989176 - kube-cni-linux-bridge-plugin Pod is missing bridge CNI plugin
1989263 - VM Snapshot may freeze guest indefinitely
1989269 - Online VM Snapshot storing incorrect VM spec
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1991691 - Enable DownwardMetrics FeatureGate via HCO CR
1992608 - kubevirt doesn't respect useEmulation: true
1993121 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
1994389 - Some of the cdi resources missing app labels
1995295 - SCC annotation of ssp-operator was changed to privileged
1996407 - [cdi-functional-tests] cdi-docker-registry-host Pod fails to start
1997014 - Common templates - dataVolumeTemplates API version should be updated
1998054 - RHEL9 template - update template description.
1998656 - no "name" label in ssp-operator pod
1999571 - NFS clone not progressing when clone sizes mismatch (target > source)
1999617 - Unable to create a VM with nonroot VirtLauncher Pods
1999835 - ConsoleCLIDownload | wrong path in virtctl archive URL
2000052 - NNCP creation failures after nmstate-handler pod deletion
2000204 - [4.9.0] [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
2001041 - [4.9.0] Importer attempts to shrink an image in certain situations
2001047 - Automatic size detection may not request a PVC that is large enough for an import
2003473 - Failed to Migrate Windows VM with CDROM  (readonly)
2005695 - With descheduler during multiple VMIs migrations, some VMs are restarted
2006418 - Clone Strategy does not work as described
2008900 - Eviction of not live migratable VMs due to virt-launcher upgrade can happen outside the upgrade window
2010742 - [CNV-4.9] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13
2011179 - Cluster-wide live migration limits and timeouts are not suitable
2017394 - After upgrade, live migration is Pending
2018521 - [Storage] Failed to restore VirtualMachineSnapshot after CNV upgrade

5. References:

https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3653
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYFgvtzjgjWX9erEAQgTew//UB8+PewiM/dIYqf+illw9SSDTPEm3XQs
F0t0Zj3AbQBYoRPwexustd3jcxYQmJnwtl2VAv5pZXGf5iLCVAHg89ZLc6BzadxW
NJO+YLsXAzkYPLfn32XKySFaX3kS1OoE5RJUF5Sbr76IV7qAQFgWz24xuBCpqkaj
sNi8gBU/Z3ZnJIBhqAneoPlbob21ChCdyYNCHKcuewgH62iIVjhCVuxvLsCQANhL
DjCynb29sX/w4CKM5bW8188Z31aFf+5QRswIcg0VLTbbhsix9t/96akYJnrD3mpw
lY5jSX++m6HiihWwYHic3JSwX+VCew33PgDsDGd62wblOYg/Am8WZMAHccAHrXQ3
EaaeFdQ1pJBPuIDdar44dfgpFGLmOHfa5kLfPaiW+Lew28xgv2lsPDGd0zjdOY+l
H36kJhNDsUy0ZdOPMgTgvMfhDXH3EJLsOL0kLRHpFVvbftYl1cQ7ovc3UUdpoylv
XoS+a1nVtVXJDh5Fcc/3SHEFkaIjCkzdLDZrH5ERot3g/SoMwpjG+EiNaivCK228
SOtRVyP1m+CwpGDKkDvJ9aozEBTRmbYy55g3s2hwRdLmsTbnvzgu4oSowhKp6Z7b
SSakzzqMAznVOUScnJM6IBOKo75RHvPe9n1RasJl45MK5fKh9Q2p7E/V4F5aJxJE
OMZGh3VNA54=
=p11j
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce