-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update Advisory ID: RHSA-2022:5555-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2022:5555 Issue date: 2022-07-14 CVE Names: CVE-2021-3807 CVE-2021-33623 CVE-2021-35515 CVE-2021-35516 CVE-2021-35517 CVE-2021-36090 CVE-2022-22950 CVE-2022-31051 ==================================================================== 1. Summary: Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch 3. Description: The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Security Fix(es): * nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623) * apache-commons-compress: infinite loop when reading a specially crafted 7Z archive (CVE-2021-35515) * apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (CVE-2021-35516) * apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-35517) * apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive (CVE-2021-36090) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950) * semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding (CVE-2022-31051) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1663217 - [RFE] Add RHV VM name to the matching between Satellite's content host to RHV (currently only VM FQDN is used) 1782077 - [RFE] More Flexible RHV CPU Allocation Policy with HyperThreading 1849045 - Differences between apidoc and REST API documentation about exporting VMs and templates to OVA 1852308 - Snapshot fails to create with 'Invalid parameter: 'capacity73741824'' Exception 1958032 - Live Storage Migration fails because replication filled the destination volume before extension. 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1976607 - Deprecate QXL 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 1994144 - [RHV 4.4.6] Mail recipient is not updated while configuring Event Notifications 2001574 - Memory usage on Windows client browser while using move or copy disk operations on Admin web 2001923 - NPE during RemoveSnapshotSingleDisk command 2006625 - Engine generates VDS_HIGH_MEM_USE events for empty hosts that have most memory reserved by huge pages 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2030293 - VM in locked state forever if manager is rebooted while exporting VM as OVA 2068270 - RHV-M Admin Portal gives '500 - Internal Server Error" with command_entities in EXECUTION_FAILED status 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2070045 - UploadStreamVDSCommand fails with java.net.SocketTimeoutException after 20 seconds 2072626 - RHV-M generates SNMPv3 trap with msgAuthoritativeEngineBoots: 0 despite multiple engine restarts 2081241 - VFIO_MAP_DMA failed: Cannot allocate memory -12 (VM with GPU passthrough, Q35 machine and 16 vcpus) 2081559 - [RFE] discrepancy tool should detect preallocated cow images that were reduced 2089856 - [TestOnly] Bug 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied 2092885 - Please say "SP1" on the landing page 2093795 - Upgrade ovirt-log-collector to 4.4.6 2097414 - CVE-2022-31051 semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding 2099650 - Upgrade to latest version failed due to failed database schema refresh 2105296 - cannot live migrate vm from rhv-h 4.4.10 to 4.50 (4.4.11) 6. Package List: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4: Source: apache-commons-compress-1.21-1.2.el8ev.src.rpm ovirt-dependencies-4.5.2-1.el8ev.src.rpm ovirt-engine-4.5.1.2-0.11.el8ev.src.rpm ovirt-engine-dwh-4.5.3-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm ovirt-log-collector-4.4.6-1.el8ev.src.rpm ovirt-web-ui-1.9.0-1.el8ev.src.rpm postgresql-jdbc-42.2.14-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm rhvm-branding-rhv-4.5.0-1.el8ev.src.rpm noarch: apache-commons-compress-1.21-1.2.el8ev.noarch.rpm apache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm ovirt-dependencies-4.5.2-1.el8ev.noarch.rpm ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-tools-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.4-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-log-collector-4.4.6-1.el8ev.noarch.rpm ovirt-web-ui-1.9.0-1.el8ev.noarch.rpm postgresql-jdbc-42.2.14-1.el8ev.noarch.rpm postgresql-jdbc-javadoc-42.2.14-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.1.2-0.11.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.14-1.el8ev.noarch.rpm rhvm-4.5.1.2-0.11.el8ev.noarch.rpm rhvm-branding-rhv-4.5.0-1.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-33623 https://access.redhat.com/security/cve/CVE-2021-35515 https://access.redhat.com/security/cve/CVE-2021-35516 https://access.redhat.com/security/cve/CVE-2021-35517 https://access.redhat.com/security/cve/CVE-2021-36090 https://access.redhat.com/security/cve/CVE-2022-22950 https://access.redhat.com/security/cve/CVE-2022-31051 https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYuFkB9zjgjWX9erEAQhJEQ//eXBYq/X5gI7umxdyGiiBdWtu+p7OuQ65 fGKy0dmJSIB5IzbmSxekBwRn23cSbFtRQxm25RbE+AwxD7a57pPJXJy3Wjvz+MKl wGJADj6Ia+4APGc4D63vkFZb7e9beUX4ehIswzADD+eYdT6hSoxzeFCSoNVS52ih gjqZvAb5HoDHiqO5EZPyhnb29xwMVO4obMQlpVe4BcPBjIS4CkW9Uh7x4YB9/778 hGYqgzquGa1TEqChw8Hhy8TSmA3g5b66ywsxNrllHDgTN/hG8iEcWw3V+e23Ubbi zb8rpu1Lm/36RYMyYwUiLg/F8ePbNnIdb1bllFDAUq9M7lH5hs77KDPj00Ff7+xh nwOgG5ktIMP/7KNsKUxPf/W94Yi6R9pZH3J2PXV2YjpDd8L6LNXGK5q5A3yjGksr tXZmQ2+jckXeel1vDvJ3qlkfHHNS1gvcQvNWci5EBOoeqEKQUTJZJQoucTbrhp2M 8502HAzHGRinjVnLizT/6JnEuGvHVwy8O8yx/D2UEEz7FsCDxPG0bBb+8Iy+6ZZb /EcTamIUpmyxEZ9AdQxW++GoaGWckYaMEVjcIbWvExP1kAlWY2E5uuaizlrLh116 fonyYo2esLh8mFN8OmcZhPDwJGuzlFL+mhOn6OQi8/ZmfkHPItSWVv772vKA1zlT yetpCCo5iV4=Muhw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce