Red Hat 9062 Published by

A RHV 4.4 SP1 ovirt-4.5.3-3 security update has been released for Red Hat Enterprise Linux 8.



RHSA-2023:0074-01: Important: RHV 4.4 SP1 ovirt-4.5.3-3: security update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Advisory ID: RHSA-2023:0074-01
Product: Red Hat Virtualization
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:0074
Issue date: 2023-01-11
CVE Names: CVE-2021-30483 CVE-2022-45047
=====================================================================

1. Summary:

Updated RHV packages that fix several bugs and add various enhancements are
now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch, x86_64
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch, ppc64le, x86_64

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security fix(es):

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* isomorphic-git: Directory traversal via a crafted repository
(CVE-2021-30483)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* With this release, SELinux rules for the Grafana HTTP port are now
properly set up for new remote DWH installations as part of the Red Hat
Virtualization Manager engine-setup. (BZ#2126778)

* Previously, search conditions were not applied properly when a non-admin
user tried to search for Clusters or Data Centers over the REST API. In
this release, both admin and non-admin users can search for clusters
properly using the REST API. (BZ#2144346)

* Previously, stale bitmaps in the base image during a cold or live
internal merge caused the operation to fail. In this release, the merge
operation succeeds. (BZ#2141371)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/2974891

5. Bugs fixed (  https://bugzilla.redhat.com/):

1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
2126778 - Port 3000 blocked between engine and remote DWH with Grafana
2141371 - Incorrect image chain when deleting an intermediate snapshot
2144346 - Search returns all entities the permissions allow if the user is not admin
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2152015 - Discrepancy tool fails with KeyError
2152845 - Storage stabilization for 4.5.3

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm

ppc64le:
vdsm-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm
vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm

x86_64:
vdsm-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:
vdsm-4.50.3.6-1.el8ev.src.rpm

noarch:
vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

x86_64:
vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
apache-sshd-2.9.2-0.1.el8ev.src.rpm
ovirt-engine-4.5.3.5-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm
ovirt-web-ui-1.9.3-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm

noarch:
apache-sshd-2.9.2-0.1.el8ev.noarch.rpm
apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm
ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm
rhvm-4.5.3.5-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/

7. References:

  https://access.redhat.com/security/cve/CVE-2021-30483
  https://access.redhat.com/security/cve/CVE-2022-45047
  https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.