[RHSA-2023:0074-01] Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Security announcements for all Red Hat products and services.
rhsa-announce at redhat.com
Wed Jan 11 16:34:25 UTC 2023
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Advisory ID: RHSA-2023:0074-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0074
Issue date: 2023-01-11
CVE Names: CVE-2021-30483 CVE-2022-45047
=====================================================================
1. Summary:
Updated RHV packages that fix several bugs and add various enhancements are
now available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64
3. Description:
The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.
Security fix(es):
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* isomorphic-git: Directory traversal via a crafted repository
(CVE-2021-30483)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Bug Fix(es):
* With this release, SELinux rules for the Grafana HTTP port are now
properly set up for new remote DWH installations as part of the Red Hat
Virtualization Manager engine-setup. (BZ#2126778)
* Previously, search conditions were not applied properly when a non-admin
user tried to search for Clusters or Data Centers over the REST API. In
this release, both admin and non-admin users can search for clusters
properly using the REST API. (BZ#2144346)
* Previously, stale bitmaps in the base image during a cold or live
internal merge caused the operation to fail. In this release, the merge
operation succeeds. (BZ#2141371)
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/2974891
5. Bugs fixed (https://bugzilla.redhat.com/):
1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
2126778 - Port 3000 blocked between engine and remote DWH with Grafana
2141371 - Incorrect image chain when deleting an intermediate snapshot
2144346 - Search returns all entities the permissions allow if the user is not admin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2152015 - Discrepancy tool fails with KeyError
2152845 - Storage stabilization for 4.5.3
6. Package List:
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:
Source:
vdsm-4.50.3.6-1.el8ev.src.rpm
noarch:
vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm
ppc64le:
vdsm-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm
x86_64:
vdsm-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm
Red Hat Virtualization 4 Hypervisor for RHEL 8:
Source:
vdsm-4.50.3.6-1.el8ev.src.rpm
noarch:
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
x86_64:
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
apache-sshd-2.9.2-0.1.el8ev.src.rpm
ovirt-engine-4.5.3.5-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm
ovirt-web-ui-1.9.3-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm
noarch:
apache-sshd-2.9.2-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm
ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm
rhvm-4.5.3.5-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-30483
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY77lENzjgjWX9erEAQgN9A/9G5NYjt87qCs93u5tgnYP1G5A8GCojNtd
G3TglbeCMHIgGlA67TSE5vXvppHdYHCN2QoT+d+9iz0SHbIOOn7Ztc4I/KyIgX3Y
T6e2trOCry7KWz8TX+DTyoJamnGVRbvKnvmoUB6rrZbhoa9wP68ZwhvNdVzuGi27
p8xa2zPv1LDz1gyf2Ko1dtb0i7CtYWhL1dRcAByA4dvACiQJe1NMwCyLZf/vb3Zu
64pO4La8QWn3SJut9HJ8PhoGbtPWBWGCIF1ghKVAysrUjpe6QceIElLd6ADVTa29
GPbsxwcUUyJFIzennM47GVMf+X3uKnHH5MbLuv3ghEjguaBsQ9M9TNNAyFz9wO+k
cTVmxkZfB45t7teRQCoAF5uLLza2xLkzZBvVEgKsiGCKXJrN4nc8mWTXKkbtEXej
kmrVT85brDs0+IgNsian/8Zyn48//5CZJm/TsQne0vRf3GYDOUMabrd3XmOzHH4a
XVw3u57eKZ4dtmQ9KNsgzFKUJOe/w1HWyIbk7XVawNPZX4K0waXXaiBLJZxYTjWP
5Fve+MpRPBCtOrV8LKVLdbz4eZRG4q+Z2N92ZOc6X4omJUhGYHRmmPL5C/iLsXiA
kI3NoANDaeMvgqoR8J1FB4N3Tvk5kKE5yBXCELG/+ZpLgjLecElyxHFCeibogY3s
ZiUYms4Cl8s=
=Z3Jw
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list