-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Advisory ID:       RHSA-2023:0074-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0074
Issue date:        2023-01-11
CVE Names:         CVE-2021-30483 CVE-2022-45047 
====================================================================
1. Summary:

Updated RHV packages that fix several bugs and add various enhancements are
now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security fix(es):

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* isomorphic-git: Directory traversal via a crafted repository
(CVE-2021-30483)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* With this release, SELinux rules for the Grafana HTTP port are now
properly set up for new remote DWH installations as part of the Red Hat
Virtualization Manager engine-setup. (BZ#2126778)

* Previously, search conditions were not applied properly when a non-admin
user tried to search for Clusters or Data Centers over the REST API. In
this release, both admin and non-admin users can search for clustersproperly using the REST API. (BZ#2144346)

* Previously, stale bitmaps in the base image during a cold or live
internal merge caused the operation to fail. In this release, the merge
operation succeeds. (BZ#2141371)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
2126778 - Port 3000 blocked between engine and remote DWH with Grafana
2141371 - Incorrect image chain when deleting an intermediate snapshot
2144346 - Search returns all entities the permissions allow if the user is not admin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2152015 - Discrepancy tool fails with KeyError
2152845 - Storage stabilization for 4.5.3

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm

ppc64le:
vdsm-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm

x86_64:
vdsm-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

x86_64:
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
apache-sshd-2.9.2-0.1.el8ev.src.rpm
ovirt-engine-4.5.3.5-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm
ovirt-web-ui-1.9.3-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm

noarch:
apache-sshd-2.9.2-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm
ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm
rhvm-4.5.3.5-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-30483
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY77lENzjgjWX9erEAQgN9A/9G5NYjt87qCs93u5tgnYP1G5A8GCojNtd
G3TglbeCMHIgGlA67TSE5vXvppHdYHCN2QoT+d+9iz0SHbIOOn7Ztc4I/KyIgX3Y
T6e2trOCry7KWz8TX+DTyoJamnGVRbvKnvmoUB6rrZbhoa9wP68ZwhvNdVzuGi27
p8xa2zPv1LDz1gyf2Ko1dtb0i7CtYWhL1dRcAByA4dvACiQJe1NMwCyLZf/vb3Zu
64pO4La8QWn3SJut9HJ8PhoGbtPWBWGCIF1ghKVAysrUjpe6QceIElLd6ADVTa29
GPbsxwcUUyJFIzennM47GVMf+X3uKnHH5MbLuv3ghEjguaBsQ9M9TNNAyFz9wO+k
cTVmxkZfB45t7teRQCoAF5uLLza2xLkzZBvVEgKsiGCKXJrN4nc8mWTXKkbtEXej
kmrVT85brDs0+IgNsian/8Zyn48//5CZJm/TsQne0vRf3GYDOUMabrd3XmOzHH4a
XVw3u57eKZ4dtmQ9KNsgzFKUJOe/w1HWyIbk7XVawNPZX4K0waXXaiBLJZxYTjWP
5Fve+MpRPBCtOrV8LKVLdbz4eZRG4q+Z2N92ZOc6X4omJUhGYHRmmPL5C/iLsXiA
kI3NoANDaeMvgqoR8J1FB4N3Tvk5kKE5yBXCELG/+ZpLgjLecElyxHFCeibogY3s
ZiUYms4Cl8s=Z3Jw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce