Red Hat 9062 Published by

An OpenShift Virtualization 4.11.1 security and bug fix update has been released.



RHSA-2022:8750-01: Moderate: OpenShift Virtualization 4.11.1 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 4.11.1 security and bug fix update
Advisory ID: RHSA-2022:8750-01
Product: cnv
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:8750
Issue date: 2022-12-01
CVE Names: CVE-2015-20107 CVE-2016-3709 CVE-2020-0256
CVE-2020-35525 CVE-2020-35527 CVE-2021-0308
CVE-2021-38561 CVE-2022-0391 CVE-2022-0934
CVE-2022-1292 CVE-2022-1304 CVE-2022-1586
CVE-2022-1785 CVE-2022-1897 CVE-2022-1927
CVE-2022-2068 CVE-2022-2097 CVE-2022-2509
CVE-2022-3515 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-24675
CVE-2022-24795 CVE-2022-24921 CVE-2022-25308
CVE-2022-25309 CVE-2022-25310 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27404
CVE-2022-27405 CVE-2022-27406 CVE-2022-28327
CVE-2022-29154 CVE-2022-30293 CVE-2022-30629
CVE-2022-30698 CVE-2022-30699 CVE-2022-32206
CVE-2022-32208 CVE-2022-34903 CVE-2022-37434
CVE-2022-38177 CVE-2022-38178 CVE-2022-40674
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.11.1 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: regexp: stack exhaustion via a deeply nested expression
(CVE-2022-24921)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Cloning a Block DV to VM with Filesystem with not big enough size comes
to endless loop - using pvc api (BZ#2033191)

* Restart of VM Pod causes SSH keys to be regenerated within VM
(BZ#2087177)

* Import gzipped raw file causes image to be downloaded and uncompressed to
TMPDIR (BZ#2089391)

* [4.11] VM Snapshot Restore hangs indefinitely when backed by a
snapshotclass (BZ#2098225)

* Fedora version in DataImportCrons is not 'latest' (BZ#2102694)

* [4.11] Cloned VM's snapshot restore fails if the source VM disk is
deleted (BZ#2109407)

* CNV introduces a compliance check fail in "ocp4-moderate" profile -
routes-protected-by-tls (BZ#2110562)

* Nightly build: v4.11.0-578: index format was changed in 4.11 to
file-based instead of sqlite-based (BZ#2112643)

* Unable to start windows VMs on PSI setups (BZ#2115371)

* [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity
restricted:v1.24 (BZ#2128997)

* Mark Windows 11 as TechPreview (BZ#2129013)

* 4.11.1 rpms (BZ#2139453)

This advisory contains the following OpenShift Virtualization 4.11.1
images.

RHEL-8-CNV-4.11

virt-cdi-operator-container-v4.11.1-5
virt-cdi-uploadserver-container-v4.11.1-5
virt-cdi-apiserver-container-v4.11.1-5
virt-cdi-importer-container-v4.11.1-5
virt-cdi-controller-container-v4.11.1-5
virt-cdi-cloner-container-v4.11.1-5
virt-cdi-uploadproxy-container-v4.11.1-5
checkup-framework-container-v4.11.1-3
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7
kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7
kubevirt-template-validator-container-v4.11.1-4
virt-handler-container-v4.11.1-5
hostpath-provisioner-operator-container-v4.11.1-4
virt-api-container-v4.11.1-5
vm-network-latency-checkup-container-v4.11.1-3
cluster-network-addons-operator-container-v4.11.1-5
virtio-win-container-v4.11.1-4
virt-launcher-container-v4.11.1-5
ovs-cni-marker-container-v4.11.1-5
hyperconverged-cluster-webhook-container-v4.11.1-7
virt-controller-container-v4.11.1-5
virt-artifacts-server-container-v4.11.1-5
kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7
kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7
libguestfs-tools-container-v4.11.1-5
hostpath-provisioner-container-v4.11.1-4
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7
kubevirt-tekton-tasks-copy-template-container-v4.11.1-7
cnv-containernetworking-plugins-container-v4.11.1-5
bridge-marker-container-v4.11.1-5
virt-operator-container-v4.11.1-5
hostpath-csi-driver-container-v4.11.1-4
kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7
kubemacpool-container-v4.11.1-5
hyperconverged-cluster-operator-container-v4.11.1-7
kubevirt-ssp-operator-container-v4.11.1-4
ovs-cni-plugin-container-v4.11.1-5
kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7
kubevirt-tekton-tasks-operator-container-v4.11.1-2
cnv-must-gather-container-v4.11.1-8
kubevirt-console-plugin-container-v4.11.1-9
hco-bundle-registry-container-v4.11.1-49

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM
2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR
2091856 - ?Edit BootSource? action should have more explicit information when disabled
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2102694 - Fedora version in DataImportCrons is not 'latest'
2109407 - [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted
2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls
2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based
2115371 - Unable to start windows VMs on PSI setups
2119613 - GiB changes to B in Template's Edit boot source reference modal
2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass
2128872 - [4.11]Can't restore cloned VM
2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
2129013 - Mark Windows 11 as TechPreview
2129235 - [RFE] Add "Copy SSH command" to VM action list
2134668 - Cannot edit ssh even vm is stopped
2139453 - 4.11.1 rpms

5. References:

  https://access.redhat.com/security/cve/CVE-2015-20107
  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2020-0256
  https://access.redhat.com/security/cve/CVE-2020-35525
  https://access.redhat.com/security/cve/CVE-2020-35527
  https://access.redhat.com/security/cve/CVE-2021-0308
  https://access.redhat.com/security/cve/CVE-2021-38561
  https://access.redhat.com/security/cve/CVE-2022-0391
  https://access.redhat.com/security/cve/CVE-2022-0934
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1785
  https://access.redhat.com/security/cve/CVE-2022-1897
  https://access.redhat.com/security/cve/CVE-2022-1927
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2509
  https://access.redhat.com/security/cve/CVE-2022-3515
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-24675
  https://access.redhat.com/security/cve/CVE-2022-24795
  https://access.redhat.com/security/cve/CVE-2022-24921
  https://access.redhat.com/security/cve/CVE-2022-25308
  https://access.redhat.com/security/cve/CVE-2022-25309
  https://access.redhat.com/security/cve/CVE-2022-25310
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-28327
  https://access.redhat.com/security/cve/CVE-2022-29154
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-30629
  https://access.redhat.com/security/cve/CVE-2022-30698
  https://access.redhat.com/security/cve/CVE-2022-30699
  https://access.redhat.com/security/cve/CVE-2022-32206
  https://access.redhat.com/security/cve/CVE-2022-32208
  https://access.redhat.com/security/cve/CVE-2022-34903
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-38177
  https://access.redhat.com/security/cve/CVE-2022-38178
  https://access.redhat.com/security/cve/CVE-2022-40674
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.