
Red Hat 8 Update: RHSA-2022-5555-01 Moderate: ovirt-engine Security Fix

July 27, 2022
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Summary

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
* nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)
* apache-commons-compress: infinite loop when reading a specially crafted 7Z archive (CVE-2021-35515)
* apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (CVE-2021-35516)
* apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-35517)
* apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive (CVE-2021-36090)
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
* spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950)
* semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding (CVE-2022-31051)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

References

https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-33623
https://access.redhat.com/security/cve/CVE-2021-35515
https://access.redhat.com/security/cve/CVE-2021-35516
https://access.redhat.com/security/cve/CVE-2021-35517
https://access.redhat.com/security/cve/CVE-2021-36090
https://access.redhat.com/security/cve/CVE-2022-22950
https://access.redhat.com/security/cve/CVE-2022-31051
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
https://access.redhat.com/security/updates/classification/#moderate

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
apache-commons-compress-1.21-1.2.el8ev.src.rpm
ovirt-dependencies-4.5.2-1.el8ev.src.rpm
ovirt-engine-4.5.1.2-0.11.el8ev.src.rpm
ovirt-engine-dwh-4.5.3-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm
ovirt-log-collector-4.4.6-1.el8ev.src.rpm
ovirt-web-ui-1.9.0-1.el8ev.src.rpm
postgresql-jdbc-42.2.14-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm
rhvm-branding-rhv-4.5.0-1.el8ev.src.rpm

noarch:
apache-commons-compress-1.21-1.2.el8ev.noarch.rpm
apache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm
ovirt-dependencies-4.5.2-1.el8ev.noarch.rpm
ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm


Advisory ID: RHSA-2022:5555-01
Product: Red Hat Virtualization
Issue date: 2022-07-14

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

Bugs Fixed

1663217 - [RFE] Add RHV VM name to the matching between Satellite's content host to RHV (currently only VM FQDN is used)

1782077 - [RFE] More Flexible RHV CPU Allocation Policy with HyperThreading

1849045 - Differences between apidoc and REST API documentation about exporting VMs and templates to OVA

1852308 - Snapshot fails to create with 'Invalid parameter: 'capacity=1073741824' Exception

1958032 - Live Storage Migration fails because replication filled the destination volume before extension

1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method

1976607 - Deprecate QXL

1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive

1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive

1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive

1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive

1994144 - [RHV 4.4.6] Mail recipient is not updated while configuring Event Notifications

2001574 - Memory usage on Windows client browser while using move or copy disk operations on Admin web

2001923 - NPE during RemoveSnapshotSingleDisk command

2006625 - Engine generates VDS_HIGH_MEM_USE events for empty hosts that have most memory reserved by huge pages
