-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Virtualization 4.13.3 Images security and bug fix update
Advisory ID:       RHSA-2023:4664-01
Product:           OpenShift Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4664
Issue date:        2023-08-16
CVE Names:         CVE-2022-41723 CVE-2022-45869 CVE-2022-46663 
                   CVE-2023-0458 CVE-2023-1998 CVE-2023-2002 
                   CVE-2023-2124 CVE-2023-2194 CVE-2023-2235 
                   CVE-2023-2700 CVE-2023-3089 CVE-2023-3090 
                   CVE-2023-22652 CVE-2023-24534 CVE-2023-24536 
                   CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 
                   CVE-2023-24540 CVE-2023-28321 CVE-2023-28322 
                   CVE-2023-28466 CVE-2023-28484 CVE-2023-29400 
                   CVE-2023-29469 CVE-2023-32233 CVE-2023-32681 
                   CVE-2023-35788 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.13.3 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.3 images.

Security Fix(es):

* openshift: OCP & FIPS mode (CVE-2023-3089)

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes
(BZ#2054863)

* "failed to sync guest time" log spam in destination virt-launcher pod
during VM live migration (BZ#2064160)

* Missing documentation for snapshot recording rules (BZ#2143165)

* KubevirtHyperconvergedClusterOperatorCRModification alert in firing state
during cnv upgrade (4.11.2->4.12.0) (BZ#2154319)

* VMExport: can't download a PVC that was created from DV on NFS (when
there's no VM that owns this PVC) - the storage doesn't support fsGroup
(BZ#2156525)

* Unable to do post-copy migration (BZ#2164836)

* empty libvirt metrics output, when executing metrics Prometheus query on
a vm that is paused status (BZ#2172544)

* The filter items on instanceType page is not horizontal aligned
(BZ#2174744)

* "No NetworkAttachmentDefinitions available" should not show when editing
pod networking (BZ#2175651)

* CNV 4.13 nightly | manually increasing the number of virt-api pods does
not work (BZ#2175710)

* The volume in instanceTypes page should be selected automatically just
after it's been added (BZ#2177977)

* PVC size is not readable while selecting "PVC (creates PVC)" in disk
modal (BZ#2180666)

* "Copy SSH command" get undefined user (BZ#2180719)

* [Nonpriv] VM Memory does not show in details card of overview or details
tab (BZ#2181432)

* spec.firmware.bootloader is not copied while cloning a UEFI VM
(BZ#2181515)

* kubevirt-plugin (now kubevirt-console-plugin) ignores node placement
configuration (BZ#2181999)

* VM metrics graphs are render incorrectly (BZ#2182000)

* Restore VM's pretty names (BZ#2182317)

* Cannot clone VM to other namespace if the VM is created from instanceType
(BZ#2182938)

* "No data available" shows on Virtualization overview metrics chart
(BZ#2183915)

* Some CNV installation components are missing required labels (BZ#2187509)

* Custom SELinux policy for virt_launcher still present on CNV with
DisableCustomSELinuxPolicy feature gate enabled (BZ#2188144)

* VM created from CD source registry cannot be started due to
InvalidImageName (BZ#2189744)

* lun cannot be used with DVs (BZ#2190171)

* [4.13.z] Missing virtctl vmexport download manifests command (BZ#2203727)

* [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI
provisioners (BZ#2220844)

* [cnv-4.13] isolateEmulatorThread should not block live migration
(BZ#2229148)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2054863 - Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes
2064160 - "failed to sync guest time" log spam in destination virt-launcher pod during VM live migration
2130604 - Unable to start/stop VM while rebooting the node where kubemacpool-mac-controller-manager pod is running
2143165 - Missing documentation for snapshot recording rules
2154319 - KubevirtHyperconvergedClusterOperatorCRModification alert in firing state during cnv upgrade (4.11.2->4.12.0)
2156525 - VMExport: can't download a PVC that was created from DV on NFS (when there's no VM that owns this PVC) - the storage doesn't support fsGroup
2164836 - Unable to do post-copy migration
2172544 - empty libvirt metrics output, when executing metrics Prometheus query on a vm  that is paused status
2174744 - The filter items on instanceType page is not horizontal aligned
2175651 - "No NetworkAttachmentDefinitions available" should not show when editing pod networking
2175710 - CNV 4.13 nightly | manually increasing the number of virt-api pods does not work
2177977 - The volume in instanceTypes page should be selected automatically just after it's been added
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2180666 - PVC size is not readable while selecting "PVC (creates PVC)" in disk modal
2180719 - "Copy SSH command" get undefined user
2181432 - [Nonpriv] VM Memory does not show in details card of overview or details tab
2181515 - spec.firmware.bootloader is not copied while cloning a UEFI VM
2181999 - kubevirt-plugin (now kubevirt-console-plugin) ignores node placement configuration
2182000 - VM metrics graphs are render incorrectly
2182317 - Restore VM's pretty names
2182938 - Cannot clone VM to other namespace if the VM is created from instanceType
2183915 - "No data available" shows on Virtualization overview metrics chart
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2187509 - Some CNV installation components are missing required labels
2188144 - Custom SELinux policy for virt_launcher still present on CNV with DisableCustomSELinuxPolicy feature gate enabled
2189744 - VM created from CD source registry cannot be started due to InvalidImageName
2190171 - lun can not be used with DVs
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203727 - [4.13.z] Missing?virtctl vmexport download manifests command
2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2220844 - [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI provisioners
2221913 - [4.13]DataImportCron Garbage Collection can mistakenly delete latest PVC
2229148 - [cnv-4.13] isolateEmulatorThread should not block live migration

5. References:

https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-45869
https://access.redhat.com/security/cve/CVE-2022-46663
https://access.redhat.com/security/cve/CVE-2023-0458
https://access.redhat.com/security/cve/CVE-2023-1998
https://access.redhat.com/security/cve/CVE-2023-2002
https://access.redhat.com/security/cve/CVE-2023-2124
https://access.redhat.com/security/cve/CVE-2023-2194
https://access.redhat.com/security/cve/CVE-2023-2235
https://access.redhat.com/security/cve/CVE-2023-2700
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-3090
https://access.redhat.com/security/cve/CVE-2023-22652
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28322
https://access.redhat.com/security/cve/CVE-2023-28466
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32233
https://access.redhat.com/security/cve/CVE-2023-32681
https://access.redhat.com/security/cve/CVE-2023-35788
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk3NtDAAoJENzjgjWX9erERs0P+gOsRKRfmfgd22Zel/kf4I6E
hiUHlKpz6+PqSEaplEFkCNBnknQR8f3H1dnoFYdPd1u1bHEJL9LTVj9oV8xam3LA
JWsa4Kpt1dRVGsm0CdZGJPRpC8AOOW1RSmyS4tA8nsWnZBJPIFXMIGlfHZLUKsgG
HWNNi0Xj4pf9/1Hz1t3sXHzxv2R54EZt0XT53SaSc66SXraFVzjSP7MI2jVgFFul
DQYuZpbBf87hIk6ntVgOkvS4+QSoASkDlNgmyY0fOL65tOmfQGYpYkvPLduWQq4C
WqCoK5UGbpbpOsAp2PDJK+qKRcRe5SwUu3aXYZSB9lsmtwYDXGEbuPzD3G1ChyYm
KJZB/WvyEZRXG9/+dcN1ZVlMtaCtaiDaslAYve0q2XfWUG2boEFmVYr7Iu/2E4iR
nM93xR1sz27LKP69Cx3nmIPEsbQYuRE4tBplqujUhJeWJKae0fnJk6KQCHpURB3X
z1HqheFm2rw9lmDh47yiSkIhnteTijXQk94l6snx+0YbLfj3arFAEXFLCYR46aVA
LTMO2blhj3nmwKOE7BlzzGppQvSjXlooqu2NlAweilKqLTuYCWtx2El1XYw8GHaE
JZDuak8PZCdFSVRjvWAOhpHNvMDUNL2FxS3BpsfUgqzcZ1p4N/JNwLYpzWSzp5nS
kT4IM+MLgbEP3sHc/qho
=cuFI
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-4664:01 Important: OpenShift Virtualization 4.13.3 Images

Red Hat OpenShift Virtualization release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements

Summary

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.13.3 images.
Security Fix(es):
* openshift: OCP & FIPS mode (CVE-2023-3089)
* golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
* golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
* golang: html/template: improper sanitization of CSS values (CVE-2023-24539)
* golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes (BZ#2054863)
* "failed to sync guest time" log spam in destination virt-launcher pod during VM live migration (BZ#2064160)
* Missing documentation for snapshot recording rules (BZ#2143165)
* KubevirtHyperconvergedClusterOperatorCRModification alert in firing state during cnv upgrade (4.11.2->4.12.0) (BZ#2154319)
* VMExport: can't download a PVC that was created from DV on NFS (when there's no VM that owns this PVC) - the storage doesn't support fsGroup (BZ#2156525)
* Unable to do post-copy migration (BZ#2164836)
* empty libvirt metrics output, when executing metrics Prometheus query on a vm that is paused status (BZ#2172544)
* The filter items on instanceType page is not horizontal aligned (BZ#2174744)
* "No NetworkAttachmentDefinitions available" should not show when editing pod networking (BZ#2175651)
* CNV 4.13 nightly | manually increasing the number of virt-api pods does not work (BZ#2175710)
* The volume in instanceTypes page should be selected automatically just after it's been added (BZ#2177977)
* PVC size is not readable while selecting "PVC (creates PVC)" in disk modal (BZ#2180666)
* "Copy SSH command" get undefined user (BZ#2180719)
* [Nonpriv] VM Memory does not show in details card of overview or details tab (BZ#2181432)
* spec.firmware.bootloader is not copied while cloning a UEFI VM (BZ#2181515)
* kubevirt-plugin (now kubevirt-console-plugin) ignores node placement configuration (BZ#2181999)
* VM metrics graphs are render incorrectly (BZ#2182000)
* Restore VM's pretty names (BZ#2182317)
* Cannot clone VM to other namespace if the VM is created from instanceType (BZ#2182938)
* "No data available" shows on Virtualization overview metrics chart (BZ#2183915)
* Some CNV installation components are missing required labels (BZ#2187509)
* Custom SELinux policy for virt_launcher still present on CNV with DisableCustomSELinuxPolicy feature gate enabled (BZ#2188144)
* VM created from CD source registry cannot be started due to InvalidImageName (BZ#2189744)
* lun cannot be used with DVs (BZ#2190171)
* [4.13.z] Missing virtctl vmexport download manifests command (BZ#2203727)
* [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI provisioners (BZ#2220844)
* [cnv-4.13] isolateEmulatorThread should not block live migration (BZ#2229148)



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-45869 https://access.redhat.com/security/cve/CVE-2022-46663 https://access.redhat.com/security/cve/CVE-2023-0458 https://access.redhat.com/security/cve/CVE-2023-1998 https://access.redhat.com/security/cve/CVE-2023-2002 https://access.redhat.com/security/cve/CVE-2023-2124 https://access.redhat.com/security/cve/CVE-2023-2194 https://access.redhat.com/security/cve/CVE-2023-2235 https://access.redhat.com/security/cve/CVE-2023-2700 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-3090 https://access.redhat.com/security/cve/CVE-2023-22652 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28322 https://access.redhat.com/security/cve/CVE-2023-28466 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-32233 https://access.redhat.com/security/cve/CVE-2023-32681 https://access.redhat.com/security/cve/CVE-2023-35788 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/RHSB-2023-001

Package List


Severity
Advisory ID: RHSA-2023:4664-01
Product: OpenShift Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4664
Issued Date: : 2023-08-16
CVE Names: CVE-2022-41723 CVE-2022-45869 CVE-2022-46663 CVE-2023-0458 CVE-2023-1998 CVE-2023-2002 CVE-2023-2124 CVE-2023-2194 CVE-2023-2235 CVE-2023-2700 CVE-2023-3089 CVE-2023-3090 CVE-2023-22652 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-28321 CVE-2023-28322 CVE-2023-28466 CVE-2023-28484 CVE-2023-29400 CVE-2023-29469 CVE-2023-32233 CVE-2023-32681 CVE-2023-35788

Topic

Red Hat OpenShift Virtualization release 4.13.3 is now available withupdates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2054863 - Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes

2064160 - "failed to sync guest time" log spam in destination virt-launcher pod during VM live migration

2130604 - Unable to start/stop VM while rebooting the node where kubemacpool-mac-controller-manager pod is running

2143165 - Missing documentation for snapshot recording rules

2154319 - KubevirtHyperconvergedClusterOperatorCRModification alert in firing state during cnv upgrade (4.11.2->4.12.0)

2156525 - VMExport: can't download a PVC that was created from DV on NFS (when there's no VM that owns this PVC) - the storage doesn't support fsGroup

2164836 - Unable to do post-copy migration

2172544 - empty libvirt metrics output, when executing metrics Prometheus query on a vm that is paused status

2174744 - The filter items on instanceType page is not horizontal aligned

2175651 - "No NetworkAttachmentDefinitions available" should not show when editing pod networking

2175710 - CNV 4.13 nightly | manually increasing the number of virt-api pods does not work

2177977 - The volume in instanceTypes page should be selected automatically just after it's been added

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2180666 - PVC size is not readable while selecting "PVC (creates PVC)" in disk modal

2180719 - "Copy SSH command" get undefined user

2181432 - [Nonpriv] VM Memory does not show in details card of overview or details tab

2181515 - spec.firmware.bootloader is not copied while cloning a UEFI VM

2181999 - kubevirt-plugin (now kubevirt-console-plugin) ignores node placement configuration

2182000 - VM metrics graphs are render incorrectly

2182317 - Restore VM's pretty names

2182938 - Cannot clone VM to other namespace if the VM is created from instanceType

2183915 - "No data available" shows on Virtualization overview metrics chart

2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters

2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation

2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing

2187509 - Some CNV installation components are missing required labels

2188144 - Custom SELinux policy for virt_launcher still present on CNV with DisableCustomSELinuxPolicy feature gate enabled

2189744 - VM created from CD source registry cannot be started due to InvalidImageName

2190171 - lun can not be used with DVs

2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

2203727 - [4.13.z] Missing?virtctl vmexport download manifests command

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

2220844 - [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI provisioners

2221913 - [4.13]DataImportCron Garbage Collection can mistakenly delete latest PVC

2229148 - [cnv-4.13] isolateEmulatorThread should not block live migration


Related News

22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved