-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update
Advisory ID:       RHSA-2023:3205-01
Product:           OpenShift Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3205
Issue date:        2023-05-18
CVE Names:         CVE-2022-2879 CVE-2022-2880 CVE-2022-27664 
                   CVE-2022-32149 CVE-2022-32189 CVE-2022-32190 
                   CVE-2022-41715 CVE-2022-41717 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.13.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.0 images.

Security Fix(es):

* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: net/https: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time
to parse complex tags (CVE-2022-32149)

* golang: net/url: JoinPath does not strip relative path components in all
circumstances (CVE-2022-32190)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/https: excessive memory growth in a Go server accepting HTTP/2
requests (CVE-2022-41717)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2023393 - [CNV] [UI]Additional information needed for cloning when default storageclass in not defined in target datavolume
2029391 - VM status flipping between Paused and Running
2052556 - Metric "kubevirt_num_virt_handlers_by_node_running_virt_launcher" reporting incorrect value
2060499 - [RFE] Cannot add additional service (or other objects) to VM template
2070132 - [RFE][CNV] Ability to export and import virtual machines disks between clusters
2087540 - [RFE] Improve CPU info
2101390 - Easy to miss the "tick" when adding GPU device to vm via UI
2104424 - Enable descheduler or hide it on template's scheduling tab
2104479 - [4.12] Cloned VM's snapshot restore fails if the source VM disk is deleted
2104859 - [RFE] Add "Copy SSH command" to VM action list
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi)
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2114922 - Can run with host-Model cpuModel even if it is in ObsoleteCPUModels
2116562 - NodeNetworkConfigurationPolicy "ERROR: State editing already in progress. Commit, roll back or wait before retrying"
2117803 - Cannot edit ssh even vm is stopped
2122119 - Virtual machine fails to start with error "Unable to use native AIO: failed to create linux AIO context: Resource temporarily unavailable"
2122168 - Error while running virtctl - GLIBC_2.34 is not found in the package of virtctl - which is required by virtctl
2123209 - CNV runs non-root VMs by default which removes cap_sys_nice from the launchers and caused the real time VM failed to boot up
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2124669 - CVE-2022-27664 golang: net/https: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2132873 - VM is removed before virt-launcher pod exits, new VM with same name points to old VMI/virt-launcher pod still terminating
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
2138199 - Win11 and Win22 templates are not filtered properly by Template provider
2138653 - Saving Template prameters reloads the page
2138664 - VM that was created with SSH key fails to start
2139235 - unlike other CNV components, Kubevirt uses its own cipher for tls 1.2
2139257 - Cannot add disk via "Using an existing PVC"
2139260 - Clone button is disabled while VM is running
2139293 - Non-admin user cannot load VM list page
2139296 - Non-admin cannot load MigrationPolicies page
2139299 - No auto-generated VM name while creating VM by non-admin user
2139306 - Non-admin cannot create VM via customize mode
2139479 - virtualization overview crashes for non-priv user
2139574 - VM name gets "emptyname" if click the create button quickly
2139651 - non-priv user can click create when have no permissions
2139687 - catalog shows template list for non-priv users
2139820 - non-priv user cant reach vm details
2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user
2140977 - Alerts number is not correct on Virtualization overview
2140982 - The base template of cloned template is "Not available"
2140998 - Incorrect information shows in overview page per namespace
2142511 - Enhance alerts card in overview
2143039 - Some liveMigrationConfig options cannot be used for cluster-wide setting
2143498 - Could not load template while creating VM from catalog
2143716 - [4.13]VMExport: fix DV Error message when trying to import without certConfigMap and secretExtraHeaders
2144580 - "?" icon is too big in VM Template Disk tab
2145092 - "No MigrationPolicies are defined yet" flash by on MigrationPolicies page
2145126 - Cant start VM with "clock" virtualMachinePreference
2145137 - Machine type is not updated to rhel9.2.0 in Templates
2145223 - VM with missing source datasource pvc is started without any error messages
2147582 - Add Y axis to all graphs under metrics tab (same as Pod metrics tab)
2148322 - Add help text to DataImportCron
2148849 - The help text of items in DataSource details page includes incorrect url link
2148850 - Help text is missing in MigrationPolicies details page
2149118 - virt-handler leaks VNC sockets
2149201 - Incorrect pending changes warning about memory and CPU while starting a VM in a namespace with limitranges
2149227 - VMs requiring vTPM fails to create
2149897 - The context menu of the serial console does not contain a paste command
2150364 - Deletion of VM deletes referenced secret
2150653 - VMExport for VMSnapshot - volume names should be the same as the VMs volume names
2150832 - vCPU number is not correct in Virtualization -> Overview
2151053 - The scripts tab of Windows VM cannot be saved
2151056 - Improve descriptive text of cloud-init and ssh-key
2151427 - Virtualization -> Overview is crashed when creating VM in other browser session
2151508 - Add login username to virtctl ssh command
2151521 - No username set in cloud-init in the template example yaml
2151759 - "No available boot source" shows while creating VM from upload image
2151766 - "No available boot source" shows while creating VM from existing PVC
2151831 - Time format in VM utilization card is not correct
2152122 - VM can't start if disk io is default
2152534 - Default CPU request in namespace limitrange takes precedence over the VMs configured vCPU
2152537 - [4.13]Better to have a more friendly error when missing storage size in clone
2155403 - ssh related information displayed in OpenShift console for  Windows VMs created from template
2155409 - PVC details page crashing
2155796 - windows10-installer contains upstream example url
2156392 - In the VM latency checkup, the max_desired_latency_milliseconds field has no meaning when the measured latency is less than 1[ms]
2156902 - VM latency checkup - Checkup not performing a teardown in case of setup failure
2158060 - [console] Source project list for selecting existing PVC is not sorted alphabetically
2158079 - "Storage" and "?" are not aligned in customize wizard (Firefox only)
2158362 - PVC should be filtered by status in pvc dropdown list while creating vm or adding disk
2158424 - Cannot select Network Attachment Definitions from the global namespaces
2158515 - Guestfs image url not constructed correctly
2159715 - VM Memory does not show in details card of overview or details tab
2159975 - The prefix "docker://docker://" was added to the container image while editing the rootdisk (registry)
2160298 - YAML Switcher text should be just ?YAML?
2161274 - CVE-2022-41717 golang: net/https: excessive memory growth in a Go server accepting HTTP/2 requests
2161340 - HCO taking long to reconcile ConsolePlugin kubevirt-plugin
2162016 - hostpath provisioner operator consuming stray k8s API
2162333 - PVC created using non default storage class on fresh cluster
2163460 - Can't set resources.requests.memory when using instance type
2164590 - VM with InstanceType validation webhook when checking hugepage size
2164807 - Migration metrics values are not sum up values from all VMIs
2164814 - [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
2164838 - KubeVirtComponentExceedsRequestedMemory Alert for virt-api pod
2165618 - Overhead of management layer in virt-launcher is not calculated accurately
2165943 - Error While applying Migration Policy
2166165 - Two elements about vm-name-input shows on VM creation page
2166394 - cdi.kubevirt.io/storage.bind.immediate.requested is not propagated down to the DataVolume if set on an existing DataImportCronTemplate
2166507 - The loading time of Virtualization -> Overview -> Settings page is a bit longer
2166508 - Virtualization -> Overview -> Settings page is crashed when the user have no permission to list network-attachment-definitions
2166512 - VM can't start because of requests/limits CPU number mismatch after adding the overallocated one
2167012 - Unable to create a vm with network bridge
2167226 - Sorting Network Interface by 'Network' or 'Type' does not work.
2167251 - Virtualization -> Overview page is crashed
2167661 - Alerts card always show the ?Info? although it?s 0
2167979 - qemu.log are no longer getting collected for cnv must-gather (vm gather) in 4.13.0
2168032 - Error happens while selecting ssh types between "SSH over NodePort" and "SSH over LoadBalancer"
2168111 - VM template loses storage information if a required parameter has no value
2168165 - [4.13]preallocation is always applied when importing image to block storage
2168180 - Correct the pod name of kubevirt-console-plugin from `kubevirt-plugin-xxx` to `kubevirt-console-plugin-xxx`
2168480 - VM -> Metrics tab: ?Virtualization dashboard? link is wrong
2168484 - VM -> Metrics tab: Add dates to the X axis
2168486 - "Restore template settings" is disabled while editing VM's CPU/Mem
2168488 - Add text to VM workload profile
2168561 - Strorage IOPS card in VM Metrics has wrong case
2168770 - "Not migratable" label should  only be added to running VM
2168859 - Cannot attach an existing secret while creating the VM as a regular user
2168861 - "Attach existing sysprep" should not try to get resource at cluster scope when logged in with regular user
2169699 - [e2e] Add data-test-id for SSH service type
2169880 - virt-handler should not delete any pre-configured mediated devices i these are provided by an external provider
2170703 - "Filter by keyword" not working in catalog
2170740 - Deleting vm with --cascade=orphan is not working properly
2171395 - virt-controller crashes because of out-of-bound slice access in evacuation controller
2172371 - "Restore template settings" change the memory to zero if the VM has no template
2172375 - Error happens while deleting secret from VM
2172612 - [4.13] VMSnaphot and WaitForFirstConsumer storage: VMRestore is not Complete
2172842 - Fix "Templates project" and "Templates catalog"
2172952 - Cannot change first vNIC to virtio in "Review and create VirtualMachine"
2173527 - VM details: Machine type- should it be just q35 or everything?
2173562 - The ?play? button is not clickable in the mini console
2173563 - The "YAML view" position is not consistent in VM tabs
2173593 - Virtualization -> Overview -> Top-consumers is crashed
2173595 - Cluster reader cannot view VM list page
2174288 - No storageClass is selected by default while adding/editing a disk
2174324 - "Add" should be "Add volume" in Bootable volumes page
2174334 - VM's disk is not deleted along with the VM if the VM is created from upload image
2174619 - No boot order items while editing the boot order
2174636 - Visit Virtualization -> Overview -> Migrations crashes the app
2174742 - Machine type is not updated to rhel9.2.0 in KV CR
2175054 - Delete bootable volume crashes the page
2175171 - Internal workaround for nonRoot->Root FG on Kubevirt
2175256 - Error when accessing Catalog page
2175274 - Error after trying to edit VM CPU | Memory field in VM Details
2175571 - [RFE] Sort templates in grid view
2175601 - Cannot select Network Attachment Definitions from the global namespaces
2175636 - VMI with x86_Icelake fail when mpx feature is missing
2175641 - Add volume from existing PVC not working
2175643 - The "Add volume" button has a loading time in "Bootable volumes" page
2175888 - [cnv-4.13] Mark Windows 11 as TechPreview
2175890 - [cnv-4.13] Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11
2175974 - The default rows of volume table should at least includes all default volumes
2175976 - "Select InstanceType" should show the volume's default instanceType
2175977 - The Create VM button should be disabled until everything is selected
2175979 - "Cores" should be "CPU" in instanceTypes page
2175983 - Improve the delete button and the text on delete modal for bootable volumes
2175985 - "Clone existing PVC ?" should be accessible on hover
2175986 - Improve message when different storageclass is selected
2175988 - Remove descriptive text of the volume name
2176353 - Cannot enable headless mode in catalog
2176355 - Show a reason on VM console tab when headless mode is ON
2176422 - getting wrong error message when trying to upload dv when pvc already exist
2176706 - Click the item link in Pending Changes get a blank page below
2176708 - The disk name "Make Persistent disk" in "Pending Changes" should be the actual disk name
2176725 - "Start this VirtualMachine after creation" is not carried over to next dialog during VM creation
2176753 - Remove the dashed line from the Configurations in MigrationPolicy details page
2176804 - VM created with instanceType from UI cannot be started due to secret missing
2176843 - "No bootable device" shows in VM console if it's created with instanceType
2177091 - Edit buttons are added to "Hardware devices" in quick creation page but not editable
2177578 - Set width for columns in volume list tab
2177586 - No pod networking added to the VM while creating it from instanceType
2177589 - Preference in Virt -> Bootable volumes -> Add volume modal is not sorted
2177668 - [DPDK latency checkup] Traffic generator cannot start due to multiple environment vars with PCIDEVICE_ prefix
2177763 - clusterInstanceType and clusterPreference show in "get all" command
2177888 - VM with cpu.cores and memory.guest raises false notification
2177961 - 'GiB' is displayed incompletely
2177973 - Add "CloneInProgress" badge to volumes while it's still been cloning
2178037 - VM termination stuck until instancetype/preference revisionName is cleared
2178628 - VM mutator panics when inferring instancetype from DataSource without specifying namespace
2178629 - [DPDK latency checkup] Traffic generator cannot start due to error in scappy server
2179225 - Improve "Use existing secret" in catalog -> instanceTypes
2179226 - Improve the name of "Add new" secret in catalog -> instanceTypes
2179565 - VM Overview card links are broken
2179626 - Filter can not be cleared in VM Diagnostic tab
2179811 - Sometimes the preference list is empty in Bootable volumes -> Add volume modal
2180146 - upgrade cnv from 4.12.1 to v4.13.0.rhel9-1819 is stuck
2180279 - VM cannot be started while creating from a template which has 2nd disk added
2180553 - Cannot remove description from volume
2180853 - The console goes blank after trying to clone a virtual machine
2182006 - Rename of Network Interface duplicates it, breaks VM start
2182097 - "Cancel" button on instanceType should exit the flow instead of clearing data
2182534 - spec.firmware.bootloader is not copied while cloning a UEFI VM
2182535 - "Copy SSH command" get undefined user
2182536 - The volume in instanceTypes page should be selected automatically just after it's been added
2182538 - Cloned VM should not use the same PVC of the source VM
2182539 - [Nonpriv] VM Memory does not show in details card of overview or details tab
2182661 - Restore VM's pretty names
2183026 - Console is almost frozen if scroll down and up in VM metrics tab
2183205 - [DPDK latency checkup] Traffic generator cannot start due to missing dedicated ServiceAccount
2183397 - Trend charts are empty when looking at ?All projects?
2183968 - CNV4.13 SVVP Test:job 'Check SMBIOS Table Specific Requirements' failed on win2022
2186767 - VM metrics graphs are render incorrectly
2187437 - The storageclass option is not respected in add volume modal for "Use existing volume"
2187547 - non-privileged user cannot add new nic
2187581 - "No data available" shows on Virtualization overview metrics chart

5. References:

https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-32149
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZGW9gtzjgjWX9erEAQj46g//c5OCySy5sJv4Os+hxOe+9sMjLoWYae8f
NWt4DyyJYnEdWuNW83SXw0BOVfbAghoBC+joQkbUYJ4wDZnrul71GhXaAE7R74Kg
Upe+Bfe0cM/EeR2OK+3tTiG1YT0W6IQ6KhP9V3wJpy/hIqTw0oBh+u1CXyhtWLUd
hy4eGaYcJ8QAaEvCpaAUpF2Khl+PieamQfLUr2s6MAkaYPkeZEAPmn+cGj2nzE+o
ZjRTnw0aj+j+vcmBcntuC32pJuN/mGJuQb8gqP4IM6OCSY8ngOcJVot5z++83O/g
wV4l8Po/x0CCrL3lwH8gds+l5rRaXofNe9SNlJBy1KpDJWzEXhBUrWOBXEGXeTjZ
H2lqF4p9xouv5I969l9OeBilSuN8ywUIqZXp8h9FRpuCqb53ccbNO+sVS4b4mTuS
t7ErSYnSa1oojTHnE0Cv3rOKqaHsLQSP7l1KoR2xr+8mrkTuC5XTBTy9zDErbJ4N
6g1g3qloGVSgwdMp0OPC3bWoH3w/KsQQwP+8/6n035QstoPE+8mfuZBHMV9WXBxd
EBsHVRLFrZOvzmEygx+km41qVPrBWMV0VxOqccPwtGa4gK1gxtIbP0fj7s66milD
SEPyRxYamwQQOO+6dvllqcmh3is6aKizedj+5bXEumUQl02eo7KsiwRbrdr86kzH
G8aOGgmZiNM=
=xSd9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce