RedHat: RHSA-2022-6393:01 Important: RHV Manager (ovirt-engine)
Summary
The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.
Security Fix(es):
* nodejs-underscore: Arbitrary code execution via the template function
(CVE-2021-23358)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* jquery: Cross-site scripting in the jQuery.htmlPrefilter method
(CVE-2020-11022)
* jquery: Untrusted code execution via
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
References
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2021-22096
https://access.redhat.com/security/cve/CVE-2021-23358
https://access.redhat.com/security/cve/CVE-2022-2806
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/updates/classification/#important
Package List
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ovirt-engine-4.5.2.4-0.1.el8ev.src.rpm
ovirt-engine-dwh-4.5.4-1.el8ev.src.rpm
ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.5-1.el8ev.src.rpm
ovirt-log-collector-4.4.7-2.el8ev.src.rpm
ovirt-web-ui-1.9.1-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.15-1.el8ev.src.rpm
unboundid-ldapsdk-6.0.4-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.7.2-1.el8ev.src.rpm
noarch:
ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.4-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.4-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.4-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.noarch.rpm
ovirt-engine-extension-aaa-ldap-setup-1.4.6-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.5-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm
ovirt-log-collector-4.4.7-2.el8ev.noarch.rpm
ovirt-web-ui-1.9.1-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.2.4-0.1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.15-1.el8ev.noarch.rpm
rhvm-4.5.2.4-0.1.el8ev.noarch.rpm
unboundid-ldapsdk-6.0.4-1.el8ev.noarch.rpm
unboundid-ldapsdk-javadoc-6.0.4-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.7.2-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-javadoc-1.7.2-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
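The Package List above gives the fixed builds, and the practical question on an RHV Manager host is whether every installed package named there is at or above that build. The following is an added example, not part of the advisory and not Red Hat tooling: it parses NAME-[EPOCH:]VERSION-RELEASE.ARCH strings as `rpm -qa` prints them, orders versions with a reimplementation of rpm's rpmvercmp segment rules, and reports which installed packages still need this update. The fixed list is a subset of the noarch entries above, and the `rpm -qa` output is constructed for the example.

```python
import re

# Fixed noarch builds taken from this advisory's Package List (RHSA-2022:6393).
# Only a subset is listed here; extend it with the remaining entries as needed.
ADVISORY_FIXED = [
    "ovirt-engine-4.5.2.4-0.1.el8ev.noarch",
    "ovirt-engine-backend-4.5.2.4-0.1.el8ev.noarch",
    "ovirt-engine-restapi-4.5.2.4-0.1.el8ev.noarch",
    "ovirt-log-collector-4.4.7-2.el8ev.noarch",
    "rhv-log-collector-analyzer-1.0.15-1.el8ev.noarch",
    "unboundid-ldapsdk-6.0.4-1.el8ev.noarch",
    "rhvm-4.5.2.4-0.1.el8ev.noarch",
]

# Constructed sample of `rpm -qa` output from a hypothetical Manager host:
# three packages lag behind the advisory, one already matches, one is unrelated.
SAMPLE_RPM_QA = """\
ovirt-engine-4.5.2.3-0.1.el8ev.noarch
ovirt-engine-backend-4.5.2.3-0.1.el8ev.noarch
unboundid-ldapsdk-6.0.4-1.el8ev.noarch
ovirt-log-collector-4.4.6-1.el8ev.noarch
openssl-1.1.1k-7.el8_6.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings following rpm's rpmvercmp rules.

    Returns -1, 0 or 1. Strings are split into numeric and alphabetic segments
    (separators such as '.', '-' and '_' are ignored); numeric segments compare
    as integers, alphabetic ones lexically, and a numeric segment is always
    newer than an alphabetic one in the same position. '~' sorts before
    everything, even end of string (so 1.0~rc1 < 1.0); '^' sorts after end of
    string but before any other segment.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_nevra(nevra: str):
    """Split NAME-[EPOCH:]VERSION-RELEASE.ARCH into (name, (epoch, version, release), arch)."""
    name, version, release_arch = nevra.rsplit("-", 2)
    release, arch = release_arch.rsplit(".", 1)
    epoch = 0  # rpm treats a missing epoch as 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, (epoch, version, release), arch


def compare_evr(a, b) -> int:
    """Order two (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def needs_update(installed: str, fixed=ADVISORY_FIXED) -> bool:
    """True if `installed` is a package this advisory fixes and is older than the fixed build."""
    name, evr, arch = parse_nevra(installed)
    for candidate in fixed:
        fname, fevr, farch = parse_nevra(candidate)
        if fname == name and farch == arch:
            return compare_evr(evr, fevr) < 0
    return False  # package is not covered by this advisory


def audit(rpm_qa_output: str, fixed=ADVISORY_FIXED):
    """Return the installed packages (one NEVRA per line) that still need this update."""
    return [line.strip() for line in rpm_qa_output.splitlines()
            if line.strip() and needs_update(line.strip(), fixed)]


if __name__ == "__main__":
    for pkg in audit(SAMPLE_RPM_QA):
        print("needs RHSA-2022:6393:", pkg)
```

In real use, `audit()` is fed the actual `rpm -qa` output of the Manager host. Note that the default `rpm -qa` format omits the epoch, which the parser treats as 0, consistent with rpm's own handling. This example only does the version comparison; signature checking of the downloaded RPMs against the Red Hat key is done with rpm's own `--checksig`, as described at the key URL above.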
Topic
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Relevant Releases Architectures
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
Bugs Fixed
1828406 - CVE-2020-11022 jquery: Cross-site scripting in the jQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Untrusted code execution via
1939284 - clusterPolicyWeightFunctionInfo tooltip needs improvement in relation to Rank Selector policy unit.
1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
1955388 - Auto Pinning Policy only pins some of the vCPUs on a single NUMA host
1974974 - Not possible to determine migration policy from the API, even though documentation reports that it can be done.
2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
2080005 - CVE-2022-2806 ovirt-log-collector: RHVM admin password is logged unfiltered
2092478 - Upgrade unboundid-ldapsdk to 6.0.4
2094577 - rhv-image-discrepancies must ignore small disks created by OCP
2097536 - [RFE] Add disk name and uuid to problems output
2097558 - Renew ovirt-provider-ovn.cer certificates during engine-setup
2097560 - Warning when ovsdb-server certificates are about to expire (OVN certificate)
2097725 - Certificate Warn period and automatic renewal via engine-setup do not match
2104115 - RHV 4.5 cannot import VMs with cpu pinning
2104831 - Upgrade ovirt-log-collector to 4.4.7
2104939 - Export OVA when using host with port other than 22
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2107250 - Upgrade of the host failed as the RHV 4.3 hypervisor is based on RHEL 7 with openssl 1.0.z, but RHV Manager 4.4 uses the openssl 1.1.z syntax
2107267 - ovirt-log-collector doesn't generate database dump
2108985 - RHV 4.4 SP1 EUS requires RHEL 8.6 EUS (RHEL 8.7+ releases are not supported on RHV 4.4 SP1 EUS)
2109923 - Error when importing templates in Admin portal