Red Hat 9062 Published by

An OpenShift Virtualization 4.8.2 Images security and bug fix update has been released for Red Hat Enterprise Linux 8.



RHSA-2021:3598-01: Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update
Advisory ID: RHSA-2021:3598-01
Product: cnv
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3598
Issue date: 2021-09-21
CVE Names: CVE-2021-3609 CVE-2021-22543 CVE-2021-22555
CVE-2021-27218 CVE-2021-33195 CVE-2021-33197
CVE-2021-33198 CVE-2021-34558 CVE-2021-37576
CVE-2021-38201 CVE-2021-38575
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.8.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.8.2 images:

RHEL-8-CNV-4.8
==============
kubevirt-vmware-container-v4.8.2-1
node-maintenance-operator-container-v4.8.2-1
bridge-marker-container-v4.8.2-1
kubemacpool-container-v4.8.2-1
virtio-win-container-v4.8.2-1
kubevirt-v2v-conversion-container-v4.8.2-1
hostpath-provisioner-container-v4.8.2-1
kubernetes-nmstate-handler-container-v4.8.2-1
cluster-network-addons-operator-container-v4.8.2-1
cnv-containernetworking-plugins-container-v4.8.2-1
hyperconverged-cluster-operator-container-v4.8.2-2
hostpath-provisioner-operator-container-v4.8.2-1
ovs-cni-marker-container-v4.8.2-1
hyperconverged-cluster-webhook-container-v4.8.2-2
ovs-cni-plugin-container-v4.8.2-1
kubevirt-template-validator-container-v4.8.2-2
kubevirt-ssp-operator-container-v4.8.2-2
cnv-must-gather-container-v4.8.2-3
vm-import-virtv2v-container-v4.8.2-4
vm-import-operator-container-v4.8.2-4
vm-import-controller-container-v4.8.2-4
virt-cdi-cloner-container-v4.8.2-2
virt-cdi-controller-container-v4.8.2-2
virt-cdi-operator-container-v4.8.2-2
virt-cdi-uploadproxy-container-v4.8.2-2
virt-cdi-uploadserver-container-v4.8.2-2
virt-cdi-apiserver-container-v4.8.2-2
virt-cdi-importer-container-v4.8.2-2
virt-launcher-container-v4.8.2-5
virt-api-container-v4.8.2-5
virt-handler-container-v4.8.2-5
virt-controller-container-v4.8.2-5
virt-operator-container-v4.8.2-5
hco-bundle-registry-container-v4.8.2-17

Security Fix(es):

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

1953485 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - SSP
1957791 - [MTV][Warm] The migrated VM on target side should be powered off/on accordingly to the source VM's last power state during warm migration
1972819 - Failed, Pending and Scheduling VMs can not be stopped
1982143 - [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990065 - [4.8.2][network] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
1991460 - Cannot get 'write' permission without 'resize': Image size is not a multiple of request alignment'
1993122 - Rhel9 templates - provider-url should be updated to   https://www.redhat.com/
1995050 - RHEL9 template - support level and description should be updated
1996110 - cdi importer fails for a CirrOS VM import to NFS (but not to Cepf-rbd/block)
1996660 - [4.8] Goroutine count and memory remains high after VMIs are removed
1997668 - [v2v] VM import from RHV should not be blocked for a non UTC Timezone.
1998818 - virt-handler Pod is missing xorrisofs command
1998983 - 4.8.2 containers
2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed
2001038 - Importer attempts to shrink an image in certain situations
2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3609
  https://access.redhat.com/security/cve/CVE-2021-22543
  https://access.redhat.com/security/cve/CVE-2021-22555
  https://access.redhat.com/security/cve/CVE-2021-27218
  https://access.redhat.com/security/cve/CVE-2021-33195
  https://access.redhat.com/security/cve/CVE-2021-33197
  https://access.redhat.com/security/cve/CVE-2021-33198
  https://access.redhat.com/security/cve/CVE-2021-34558
  https://access.redhat.com/security/cve/CVE-2021-37576
  https://access.redhat.com/security/cve/CVE-2021-38201
  https://access.redhat.com/security/cve/CVE-2021-38575
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.