-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update
Advisory ID:       RHSA-2022:0947-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0947
Issue date:        2022-03-16
CVE Names:         CVE-2021-29923 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36221 
                   CVE-2021-44716 CVE-2021-44717 CVE-2022-24407 
====================================================================
1. Summary:

Red Hat OpenShift Virtualization release 4.10.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.10.0
images:

RHEL-8-CNV-4.10

=============
kubevirt-velero-plugin-container-v4.10.0-8
virtio-win-container-v4.10.0-10
kubevirt-template-validator-container-v4.10.0-16
hostpath-csi-driver-container-v4.10.0-32
hostpath-provisioner-container-v4.10.0-32
hostpath-provisioner-operator-container-v4.10.0-62
cnv-must-gather-container-v4.10.0-110
virt-cdi-controller-container-v4.10.0-90
virt-cdi-apiserver-container-v4.10.0-90
virt-cdi-uploadserver-container-v4.10.0-90
virt-cdi-uploadproxy-container-v4.10.0-90
virt-cdi-operator-container-v4.10.0-90
virt-cdi-cloner-container-v4.10.0-90
virt-cdi-importer-container-v4.10.0-90
kubevirt-ssp-operator-container-v4.10.0-50
virt-api-container-v4.10.0-217
hyperconverged-cluster-webhook-container-v4.10.0-133
libguestfs-tools-container-v4.10.0-217
virt-handler-container-v4.10.0-217
virt-launcher-container-v4.10.0-217
virt-artifacts-server-container-v4.10.0-217
virt-controller-container-v4.10.0-217
node-maintenance-operator-container-v4.10.0-48
hyperconverged-cluster-operator-container-v4.10.0-133
virt-operator-container-v4.10.0-217
cnv-containernetworking-plugins-container-v4.10.0-49
kubemacpool-container-v4.10.0-49
bridge-marker-container-v4.10.0-49
ovs-cni-marker-container-v4.10.0-49
ovs-cni-plugin-container-v4.10.0-49
kubernetes-nmstate-handler-container-v4.10.0-49
cluster-network-addons-operator-container-v4.10.0-49
hco-bundle-registry-container-v4.10.0-696

Security Fix(es):

* golang: net/http: limit growth of header canonicalization cache
(CVE-2021-44716)

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1760028 - CPU compatibility is not checked when migrating host-model VMs
1855182 - [Storage] Clone could not be continued after virtctl stop the vm if the clone dv have been created for more than 3 minutes
1906151 - High CPU/Memory usage of Kube API server following a CNV installation
1918294 - VM created from template when OCS is default SC fails to start on "source volumeMode (Block) and target volumeMode (Filesystem) do not match"
1935217 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Storage
1945586 - CPU pinning is incorrect after live migration
1958085 - No option to deploy the templates to a non-shared (non default) namespace
1959039 - must-gather doesn't collect iptables info of CNV VM anymore
1975978 - canary-release-openshift-origin-installer-e2e-aws-4.7-cnv is permfailing
1983079 - No "permittedHostDevices" section in HCO CR, allows any hostdevice in the VM spec.
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1986970 - Node outages can lead to (legitimate) mass restarts of VMs which can block our controller
1987009 - [tracker] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990061 - [virt] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992231 - hostpath-provisioner Pods are not created
1993454 - Improve ImageIO import performance
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
1997540 - Missing kcs: OpenShift Virtualization limits
1998300 - CNV VMs do not contain the cluster domain name in the FQDN
1999110 - 4.10.0 containers1999636 - 4.10.0 rpms
2000480 - Using depreacted 1.25 API calls
2001984 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a PVC
2001987 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a DV
2002272 - Unable to LiveMigrate a VM with nonroot VirtLauncher Pod
2003704 - Switch live migration to use unix sockets
2007397 - Unexpected killing of virt-launcher pod, can result in loss of data for hotplugged volumes
2008140 - [4.10.0] CNV fails to deploy due to unavailable SSP virt-template-validator
2008411 - [4.10.0] SSP operator creates kubevirt-os-images instead of openshift-virtualization-os-images namespace
2008938 - missing spec.priorityClassName for pod hyperconverged-cluster-cli-download
2008949 - Multiple storage pods are missing spec.priorityClassName
2008975 - v4.10.0-142 CNV contains outdated ssp-operator and virt-template-validator
2010540 - HCO.status.relatedObjects are not getting updated with correct resourceVersion of reconciled resources
2010908 - [MTV] VM remains in printableStatus: Provisioning in cold migration
2012920 - nncp in progressing state forever when cluster is having Windows node
2013160 - Create an offline VM with storageClass HPP is always in 'Provisioning‘ status
2013455 - Guest agent reports unreliable status when  mac address is changed
2015327 - hostpath-provisioner pods do not have any resources.requests values set up
2017255 - Migration of VM doesn't clean up the target pod in time in case of failed migration
2018457 - Windows high performance templates should use virtio storage
2018925 - Metric kubevirt_vmi_memory_used_total_bytes is not reporting correct value
2018970 - RHEL9 alpha template - support level is "Full"
2019053 - DV with immediate bind remains in WaitForFirstConsumer
2021992 - [cnv-4.10.0] After upgrade, live migration is Pending
2025295 - Windows VMs fail to start on air-gapped environments for non-admin users2025750 - must-gather | nft files are not collected for nodes
2025878 - The import cron pod is not deleted after delete the dataimportcron if the import is failed
2026336 - [SNO] We see multiple replicas of virt-api, virt-controller and virt-operator.
2026363 - kubemacpool is rotating kubernetes-nmstate certificates
2026665 - Unable to ssh to a VM when running with Service Mesh
2026667 - Alerts: SSPDown and SSPTemplateValidatorDown are constantly in Firing state
2027420 - [SNO] SR-IOV operator fails to install after CNV is installed
2027922 - Typo on LowKVMNodesCount summary
2029343 - High performance VM fail to start on libvirt error (kvm-hint-dedicated)
2029767 - Enactment goes to pending even when maxunavailable is set to 100% in nncp
2030660 - ImageSteam rhel8-guest and rhel9-guest are managed by HCO but they are not getting reconciled
2030686 - must-gather | missing SRIOV namespace subdir under collected dir
2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2031033 - VM migration from VMware fail on missing v2v-vmware ConfigMap in OCP-4.10/CNV-4.10
2031688 - hostpath-provisioner-operator deployment is referencing upstream images
2031727 - [CNV-4.10] kubemacpool & nmstate pods stuck in pending state
2031919 - [SNO] we cannot cleanly remove the product on SNO due to kubevirt apiservices leftovers2032045 - When alert VirtControllerRESTErrorsHigh triggered it keeps in Firing state for hours (even when there are no failed api calls anymore)
2032845 - SSP CR | reason field's value in SSP CR status.conditions is not CamelCased
2032873 - [4.9] Windows VMs fail to start on air-gapped environments for non-admin users2032876 - [4.8] Windows VMs fail to start on air-gapped environments for non-admin users2033240 - Templates golden image parameters names should be updated
2033252 - nncp changing it's status between "ConfigurationProgressing" to "SuccessfullyConfigured" every few minutes
2034544 - disk.img file is resized up for HPP and NFS storage classes
2035008 - Auto-update boot sources: CDI tries to import even when a PVC already exists;  dataSources are not updated
2035324 - Trying to uninstall CNV with `uninstallStrategy: RemoveWorkloads` and existing workloads lefts the system in a corrupted state
2035658 - NMPolicy can't replace strings using captures, making teardown not possible
2035677 - Windows10 VM with CDROM migration fails
2036220 - Recommended disk image url is outdated in Fedora 33+ template description
2036483 - HCO Enablement | reconciliation error adding a custom cron template
2036605 - Auto-update boot sources: DataSource Ready status is not updated if there's no DataImportCron associated with it
2037270 - Auto-update boot sources: CentOs and Fedora DVs fail to import due to docker references
2037290 - Dataimportcron keeps re-creating when enable the feature gate
2037312 - CNV occasionally cannot be removed due to leftovers dataImportCrons
2037421 - SSP default log level should be set to "info"
2038679 - Clone with volume mode file system using Storage API fails
2038825 - Ubuntu, centos6 and opensuse templates should be removed from common templates bundle in downstream
2038831 - SAP HANA template should not contain evictionStrategy: LiveMigrate
2038985 - No feedback when HPP path is sharing host filesystem
2039196 - DataImportCron with imagestream source does not support image tags
2039208 - Recording Rule "kubevirt_vm_container_free_memory_bytes" is not working
2039489 - KubePersistentVolumeFillingUp Firing for VM disk Filesystem PVCs
2039683 - HANA Template - remove default values for network names
2039686 - SAP HANA template - container disk registry should be updated
2039691 - SAP HANA template - set node label instead of node for node selection
2040113 - The component value of virt-operator label is different with other virt components
2040115 - Labels  "part-of" and "version" in virt components  are missing
2041519 - Custom DataImportCron with the same name as CNV-provided DataImportCron can be added via HCO overwriting configuration
2041530 - HPP CSI CR can't be deleted if it's a combination of a basic storage pool, and a pvcTemplate
2042139 - HPP-operator reconciling CSI even if nothing is happening
2042799 - All existing templates are marked as deprecated after CNV upgrade
2042842 - SAP HANA template -  SR-IOV NICs should not specify model virtio
2042856 - Getting 'jq' error while running 'must-gather' command.
2042880 - 'yq' command is missing in downstream must-gather image.
2042908 - hotplugs not included in VMSnapshot
2044348 - VM with ocs-storagecluster-cephfs sc keeps in CrashLoopBackOff
2044398 - SSP should not update DataSource managed by DataImportCron
2046271 - virt-cdi-importer fails to import a VM image when clusterwide proxy configured
2048227 - Common templates - DATA_SOURCE_NAMESPACE value should be updated in d/s
2048275 - HPP mounter deployment crashes on parsing lsblk output
2051105 - DataSources, managed by DataImportCron, are not reconciled when edited
2051693 - DataSource (which has a golden image and was opted-in/out using cdi label) will be reconciled and will not actually be opted out
2051968 - virt-freezer binary missing from downstream virt-launcher
2052489 - KubevirtVmHighMemoryUsage is based on limit not request
2053027 - nmpolicy cannot clone IP config of the default NIC carrying static IPv6
2058167 - Post deploy on a baremetal cluster SSP is looping attempting to reconcile

5. References:

https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYjJSI9zjgjWX9erEAQgOHBAAlkzm8Bg5mdp2y/95FjjySTigxCiMcV9U
1+hC+WHS0ufzc0mUO8HqKIFSEjDiTKEqF3R00eorBeyfMiklyHlI7oOLs3TEF8Tr
MRjNjKdV4bIfVG8m92PaIq9RbUyD5Pzk4P0xgbEABFNT4sdJI18RF826EJoUXxG1
ycBid2d0shEpQgGi0/CVvwsXkkOKQdi7Nsh4mi8U5XkvQ8BXD6k6UerD7QqD82By
/uJzWaMJfbOex0ZzBWlXXyiZa4tWNbjJk9ULSKw27lqNaNN9jm5Ec2Jlz6X7JUvY
iYu+dQuSuU7aIQGINAFJstKOU3MKas0xTVs5uqdJ/lyMHQfY9fpzLnm7yb883JO9
SLQoRmIjf7bja9vknlrv/3pLZQjIhRk7SUkTo36kTeB79N0AFFRywihomWPAWKnl
GAzuaX1j9lUNhz/+UKtR8HHqL6F4OVqDU1qofF13Gw0E90ZTdVrVA0ioU6EFBYv5
gfijlSTEQGa3c/keSacR9zx2LAQd6jn5q3HRR4R2fYXOlsdv+M2oaqM6ai4ABGAa
QLHlkth5ieKY9XuU3hJwd2a9/Ar2HeFcD2FfcRsx06/0g0WUaYphaFWuReDQwe3M
xCAdSPhi8QysijleW3zOiIw2vFZvKeXTgMwbwlOvgJkK7eXHvO/VCtyFLigf57m3
ZNdx+ztsYEA=+jwg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce