
An OpenShift Virtualization 2.6.6 Images security and bug fix update has been released.



RHSA-2021:3119-01: Moderate: OpenShift Virtualization 2.6.6 Images security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 2.6.6 Images security and bug fix update
Advisory ID: RHSA-2021:3119-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3119
Issue date: 2021-08-10
CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708
CVE-2019-9169 CVE-2019-13012 CVE-2019-14866
CVE-2019-25013 CVE-2019-25032 CVE-2019-25034
CVE-2019-25035 CVE-2019-25036 CVE-2019-25037
CVE-2019-25038 CVE-2019-25039 CVE-2019-25040
CVE-2019-25041 CVE-2019-25042 CVE-2020-8231
CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
CVE-2020-8927 CVE-2020-9948 CVE-2020-9951
CVE-2020-9983 CVE-2020-12362 CVE-2020-12363
CVE-2020-12364 CVE-2020-13434 CVE-2020-13543
CVE-2020-13584 CVE-2020-14344 CVE-2020-14345
CVE-2020-14346 CVE-2020-14347 CVE-2020-14360
CVE-2020-14361 CVE-2020-14362 CVE-2020-14363
CVE-2020-15358 CVE-2020-25659 CVE-2020-25712
CVE-2020-26116 CVE-2020-26137 CVE-2020-27618
CVE-2020-27619 CVE-2020-28196 CVE-2020-28935
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-36242 CVE-2021-3114 CVE-2021-3177
CVE-2021-3326 CVE-2021-3516 CVE-2021-3517
CVE-2021-3518 CVE-2021-3520 CVE-2021-3537
CVE-2021-3541 CVE-2021-3560 CVE-2021-20201
CVE-2021-20271 CVE-2021-23239 CVE-2021-23240
CVE-2021-23336 CVE-2021-25215 CVE-2021-25217
CVE-2021-27219 CVE-2021-28211 CVE-2021-32399
CVE-2021-33909 CVE-2021-33910
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 2.6.6 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization
images:

RHEL-8-CNV-2.6

hostpath-provisioner-container-v2.6.6-3
vm-import-controller-container-v2.6.6-5
vm-import-virtv2v-container-v2.6.6-5
vm-import-operator-container-v2.6.6-5
virt-cdi-apiserver-container-v2.6.6-4
virt-cdi-controller-container-v2.6.6-4
virt-cdi-cloner-container-v2.6.6-4
virt-cdi-importer-container-v2.6.6-4
virt-cdi-uploadserver-container-v2.6.6-4
virt-cdi-uploadproxy-container-v2.6.6-4
virt-cdi-operator-container-v2.6.6-4
ovs-cni-marker-container-v2.6.6-5
kubevirt-ssp-operator-container-v2.6.6-5
kubemacpool-container-v2.6.6-7
kubevirt-vmware-container-v2.6.6-4
kubevirt-kvm-info-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-model-nfd-plugin-container-v2.6.6-4
kubevirt-cpu-node-labeller-container-v2.6.6-4
virtio-win-container-v2.6.6-4
kubevirt-template-validator-container-v2.6.6-4
cnv-containernetworking-plugins-container-v2.6.6-4
node-maintenance-operator-container-v2.6.6-4
kubevirt-v2v-conversion-container-v2.6.6-4
cluster-network-addons-operator-container-v2.6.6-4
ovs-cni-plugin-container-v2.6.6-4
bridge-marker-container-v2.6.6-4
kubernetes-nmstate-handler-container-v2.6.6-7
hyperconverged-cluster-webhook-container-v2.6.6-4
cnv-must-gather-container-v2.6.6-16
hyperconverged-cluster-operator-container-v2.6.6-4
virt-launcher-container-v2.6.6-7
hostpath-provisioner-operator-container-v2.6.6-5
virt-api-container-v2.6.6-7
virt-handler-container-v2.6.6-7
virt-controller-container-v2.6.6-7
virt-operator-container-v2.6.6-7
hco-bundle-registry-container-v2.6.6-70

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1945703 - "Guest OS Info" availability in VMI describe is flaky
1958816 - [2.6.z] KubeMacPool fails to start due to OOM likely caused by a high number of Pods running in the cluster
1963275 - migration controller null pointer dereference
1965099 - Live Migration double handoff to virt-handler causes connection failures
1965181 - CDI importer doesn't report AwaitingVDDK like it used to
1967086 - Cloning DataVolumes between namespaces fails while creating cdi-upload pod
1967887 - [2.6.6] nmstate is not progressing on a node and not configuring vlan filtering that causes an outage for VMs
1969756 - Windows VMs fail to start on air-gapped environments
1970372 - Virt-handler fails to verify container-disk
1973227 - segfault in virt-controller during pdb deletion
1974084 - 2.6.6 containers
1975212 - No Virtual Machine Templates Found [EDIT - all templates are marked as depracted]
1975727 - [Regression][VMIO][Warm] The third precopy does not end in warm migration
1977756 - [2.6.z] PVC keeps in pending when using hostpath-provisioner
1982760 - [v2v] no kind VirtualMachine is registered for version \"kubevirt.io/v1\" i...
1986989 - OpenShift Virtualization 2.6.z cannot be upgraded to 4.8.0 initially deployed starting with