RedHat: RHSA-2022-6393:01 Important: RHV Manager (ovirt-engine) | L...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and security update
Advisory ID:       RHSA-2022:6393-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6393
Issue date:        2022-09-08
CVE Names:         CVE-2020-11022 CVE-2020-11023 CVE-2021-22096 
                   CVE-2021-23358 CVE-2022-2806 CVE-2022-31129 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* nodejs-underscore: Arbitrary code execution via the template function
(CVE-2021-23358)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)

* jquery: Untrusted code execution via 

RedHat: RHSA-2022-6393:01 Important: RHV Manager (ovirt-engine)

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available

Summary

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
* nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Untrusted code execution via

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/2974891

References

https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/cve/CVE-2021-22096 https://access.redhat.com/security/cve/CVE-2021-23358 https://access.redhat.com/security/cve/CVE-2022-2806 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/updates/classification/#important

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: ovirt-engine-4.5.2.4-0.1.el8ev.src.rpm ovirt-engine-dwh-4.5.4-1.el8ev.src.rpm ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.5-1.el8ev.src.rpm ovirt-log-collector-4.4.7-2.el8ev.src.rpm ovirt-web-ui-1.9.1-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.15-1.el8ev.src.rpm unboundid-ldapsdk-6.0.4-1.el8ev.src.rpm vdsm-jsonrpc-java-1.7.2-1.el8ev.src.rpm
noarch: ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-backend-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-dwh-4.5.4-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.5.4-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.5.4-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-1.4.6-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-setup-1.4.6-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-restapi-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-tools-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.5-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.2.4-0.1.el8ev.noarch.rpm ovirt-log-collector-4.4.7-2.el8ev.noarch.rpm ovirt-web-ui-1.9.1-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.2.4-0.1.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.15-1.el8ev.noarch.rpm rhvm-4.5.2.4-0.1.el8ev.noarch.rpm unboundid-ldapsdk-6.0.4-1.el8ev.noarch.rpm unboundid-ldapsdk-javadoc-6.0.4-1.el8ev.noarch.rpm vdsm-jsonrpc-java-1.7.2-1.el8ev.noarch.rpm vdsm-jsonrpc-java-javadoc-1.7.2-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2022:6393-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6393
Issued Date: : 2022-09-08
CVE Names: CVE-2020-11022 CVE-2020-11023 CVE-2021-22096 CVE-2021-23358 CVE-2022-2806 CVE-2022-31129

Topic

Updated ovirt-engine packages that fix several bugs and add variousenhancements are now available.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

Bugs Fixed

1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method

1850004 - CVE-2020-11023 jquery: Untrusted code execution via

1939284 - clusterPolicyWeightFunctionInfo tooltip needs improvement in relation to Rank Selector policy unit.

1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function

1955388 - Auto Pinning Policy only pins some of the vCPUs on a single NUMA host

1974974 - Not possible to determine migration policy from the API, even though documentation reports that it can be done.

2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries

2080005 - CVE-2022-2806 ovirt-log-collector: RHVM admin password is logged unfiltered

2092478 - Upgrade unboundid-ldapsdk to 6.0.4

2094577 - rhv-image-discrepancies must ignore small disks created by OCP

2097536 - [RFE] Add disk name and uuid to problems output

2097558 - Renew ovirt-provider-ovn.cer certificates during engine-setup

2097560 - Warning when ovsdb-server certificates are about to expire(OVN certificate)

2097725 - Certificate Warn period and automatic renewal via engine-setup do not match

2104115 - RHV 4.5 cannot import VMs with cpu pinning

2104831 - Upgrade ovirt-log-collector to 4.4.7

2104939 - Export OVA when using host with port other than 22

2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

2107250 - Upgrade of the host failed as the RHV 4.3 hypervisor is based on RHEL 7 with openssl 1.0.z, but RHV Manager 4.4 uses the openssl 1.1.z syntax

2107267 - ovirt-log-collector doesn't generate database dump

2108985 - RHV 4.4 SP1 EUS requires RHEL 8.6 EUS (RHEL 8.7+ releases are not supported on RHV 4.4 SP1 EUS)

2109923 - Error when importing templates in Admin portal

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.