
An RHV-M (ovirt-engine) 4.4.z security, bug fix, and enhancement update has been released.



RHSA-2021:0381-01: Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update ovirt-4.4.4:



=====================================================================
Red Hat Security Advisory

Synopsis: Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
Advisory ID: RHSA-2021:0381-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0381
Issue date: 2021-02-02
CVE Names: CVE-2020-25649
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
1702237 - [RFE] add API for listing disksnapshots under disk resource
1796231 - VM disk remains in locked state if image transfer (image download) times out due to inactivity.
1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
1879655 - [RFE] Implement searching VMs with partial name or case sensitive VM names in VM Portal.
1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
1881115 - RHEL VM icons squashed, please adhere to brand rules
1881357 - German language greeting page says Red Hat®
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
1903595 - [PPC] Can't add PPC host to Engine

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm
ovirt-web-ui-1.6.6-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm
rhvm-4.4.4.5-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/
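A practical check against the package list above, added here as an example and not part of Red Hat's advisory: compare a host's installed package NEVRAs with the fixed builds using rpm's own version-ordering rules, so that a host still running an older ovirt-engine build is flagged. The `rpmvercmp` reimplementation, the `find_unpatched` helper and the `INSTALLED_SAMPLE` list are constructed for this example; the `ADVISORY_PACKAGES` entries are copied from section 6. On a real Manager host, pipe the output of `rpm -qa` into the script instead of using the sample.

```python
"""Flag installed packages that are older than the builds shipped in an advisory.

Added example, not Red Hat's code. ADVISORY_PACKAGES is copied from section 6
of RHSA-2021:0381; INSTALLED_SAMPLE is constructed so the script runs offline.
"""
import re
import sys

ADVISORY_PACKAGES = [
    "ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm",
    "ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm",
    "ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm",
    "vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm",
]

# Constructed `rpm -qa` output: two packages below the fixed build, two at it,
# and one package the advisory does not cover.
INSTALLED_SAMPLE = [
    "ovirt-engine-4.4.3.12-0.1.el8ev.noarch",
    "ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch",
    "ovirt-web-ui-1.6.5-1.el8ev.noarch",
    "vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch",
    "bash-4.4.20-1.el8.x86_64",
]


def split_nevra(pkg):
    """'name-[epoch:]version-release.arch[.rpm]' -> (name, epoch, ver, rel, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, ver, rel = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in ver:
        epoch, ver = ver.split(":", 1)
    return name, epoch, ver, rel, arch


def _skip_separators(s):
    """Drop leading characters rpm ignores (anything not alphanumeric or '~')."""
    i = 0
    while i < len(s) and not (s[i].isalnum() or s[i] == "~"):
        i += 1
    return s[i:]


def rpmvercmp(a, b):
    """Order two version/release strings like rpm's rpmvercmp(): -1, 0 or 1.

    Digit runs compare numerically, letter runs lexically, a numeric segment
    beats an alphabetic one, and '~' sorts before everything, including the
    end of the string (so 1.0~rc1 < 1.0). Caret ('^') handling is omitted.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_separators(one), _skip_separators(two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        isnum = one[0].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg1 = re.match(pattern, one).group(0)
        m2 = re.match(pattern, two)
        seg2 = m2.group(0) if m2 else ""
        one, two = one[len(seg1):], two[len(seg2):]
        if not seg2:
            return 1 if isnum else -1  # numeric beats alpha at the same position
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return 1 if one else -1  # whichever string has characters left is newer


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; epoch decides first, then version, then release."""
    for x, y in zip(evr_a, evr_b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def find_unpatched(installed, advisory):
    """Return (name, installed ver-rel, fixed ver-rel) for each covered package still below the fix."""
    fixed = {}
    for line in advisory:
        name, epoch, ver, rel, arch = split_nevra(line.strip())
        fixed[(name, arch)] = (epoch, ver, rel)
    findings = []
    for line in filter(str.strip, installed):
        name, epoch, ver, rel, arch = split_nevra(line.strip())
        target = fixed.get((name, arch))
        if target and evr_cmp((epoch, ver, rel), target) < 0:
            findings.append((name, f"{ver}-{rel}", f"{target[1]}-{target[2]}"))
    return findings


if __name__ == "__main__":
    lines = INSTALLED_SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for name, have, want in find_unpatched(lines, ADVISORY_PACKAGES):
        print(f"{name}: installed {have}, advisory ships {want}")
```

Run as `rpm -qa | python3 check_rhsa.py` on a Manager host; with no piped input it evaluates the constructed sample and reports `ovirt-engine` and `ovirt-web-ui` as below the fixed builds. Matching on (name, arch) keeps unrelated packages out of the report, and the epoch is carried through so a package with an epoch bump is not mis-ordered by its version string alone.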

7. References:

  https://access.redhat.com/security/cve/CVE-2020-25649
  https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.