RedHat: RHSA-2022-8502:01 Moderate: RHV Manager (ovirt-engine) | Li...

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Advisory ID:       RHSA-2022:8502-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8502
Issue date:        2022-11-16
CVE Names:         CVE-2022-0155 CVE-2022-2805 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

* ovirt-engine: RHVM admin password is logged unfiltered when using
otopi-style (CVE-2022-2805)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Ghost OVFs are written when using floating SD to migrate VMs between 2
RHV environments. (BZ#1705338)

* RHV engine is reporting a delete disk with wipe as completing
successfully when it actually fails from a timeout. (BZ#1836318)

* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is
being imported' (BZ#1968433)

* Virtual Machine with lease fails to run on DR failover (BZ#1974535)

* Disk is missing after importing VM from Storage Domain that was detached
from another DC. (BZ#1983567)

* Unable to switch RHV host into maintenance mode as there are image
transfer in progress (BZ#2123141)

* not able to import disk in 4.5.2 (BZ#2134549)

Enhancement(s):

* [RFE] Show last events for user VMs (BZ#1886211)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
1886211 - [RFE] Show last events for user VMs
1968433 - [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported'
1974535 - Virtual Machine with lease fails to run on DR failover
1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
2127836 - Create template dialog is not closed when clicking in OK and the template is not created
2134549 - not able to import disk in 4.5.2
2137207 - The RemoveDisk job finishes before the disk was removed from the DB

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.5.3.2-1.el8ev.src.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm
ovirt-web-ui-1.9.2-1.el8ev.src.rpm

noarch:
ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm
rhvm-4.5.3.2-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-2805
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
