Tuesday, February 2, 2021

Red Hat Security Advisory 2021-0381-01

advisory vulnerabilities In: , 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, enhancement update [ovirt-4.4.4]
Advisory ID:       RHSA-2021:0381-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0381
Issue date:        2021-02-02
CVE Names:         CVE-2020-25649 
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
1702237 - [RFE] add API for listing disksnapshots under disk resource
1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity.
1868114 - RHV-M UI/Webadmin:  The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal.
1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
1881115 - RHEL VM icons squashed, please adhere to brand rules
1881357 - German language greeting page says Red Hat®
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
1903385 - RFE:  rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
1903595 - [PPC] Can't add PPC host to Engine

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm
ovirt-web-ui-1.6.6-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm
rhvm-4.4.4.5-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <[email protected]>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYBlba9zjgjWX9erEAQhjzQ/9E966aSphBTdfmsL3Upuj4b2vmhXuDcea
r+XD21Q8GkvTK0s4yB7q+Vn/TPquTAVkX13AW+tHHM0sp4NfMB+c6Anzogw2AHq9
o/5aeiB+CJdDX2IwHhPDCioPVpZt4cHYCDeNGUfa7tww7b91y72kJQTbQ/GvnHvj
bGlZ4RTkA1tmSEA/JC0ZzUasIKXidNFK88D755dbyWFxlz3HMkXV/FuDOO1NwtGw
JMH/knAtkN/z9rrYFKotO8wHzt/PfG/V09taK5vogMqVJIpYXDtxwOfer6HjyLsC
9H/jAAYjKL/SQO2Dgsh7VMCEZ4Qlut+ahcbsg/L0dGOLq9OFngdusxTqqhUR9UIb
AqFfniY/xwdddfaFVKnI2CVr0QU6hWTj8wFgBdCbMd80zmanVwpk1lLnlex3bjn2
T52CbKABXhV8RDuGdLQyGgfXksYVaKoLeTnqC9nSfMeQ62PEqq0iLNtYDi5EjqLd
ijiB9+NmB/e0vjU5TSsKaD9Rpf6KbFRUwep8ygSwApMQ8H4CQ2HCy5v4GxsQFYFK
OeA2uJmZT9ELvfOybgwdzV9XWF4R9MnbgYuWrh75Cc5v3FCz2CbwddZy5QdPiRhn
k4n6RFelAAvulO8WbkJ0N90EIC7nI2d7S3MgaO+gFWoDIuNnedqDU0Ydp9ZN9DHd
P8Fb7Gf1V+M=
=XP00
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhsa-announce
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore