-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Advisory ID:       RHSA-2022:8502-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8502
Issue date:        2022-11-16
CVE Names:         CVE-2022-0155 CVE-2022-2805 
====================================================================
1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

Security Fix(es):

* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)

* ovirt-engine: RHVM admin password is logged unfiltered when using
otopi-style (CVE-2022-2805)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Ghost OVFs are written when using floating SD to migrate VMs between 2
RHV environments. (BZ#1705338)

* RHV engine is reporting a delete disk with wipe as completing
successfully when it actually fails from a timeout. (BZ#1836318)

* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is
being imported' (BZ#1968433)

* Virtual Machine with lease fails to run on DR failover (BZ#1974535)

* Disk is missing after importing VM from Storage Domain that was detached
from another DC. (BZ#1983567)

* Unable to switch RHV host into maintenance mode as there are image
transfer in progress (BZ#2123141)

* not able to import disk in 4.5.2 (BZ#2134549)

Enhancement(s):

* [RFE] Show last events for user VMs (BZ#1886211)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
1886211 - [RFE] Show last events for user VMs
1968433 - [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported'
1974535 - Virtual Machine with lease fails to run on DR failover
1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
2127836 - Create template dialog is not closed when clicking in OK and the template is not created
2134549 - not able to import disk in 4.5.2
2137207 - The RemoveDisk job finishes before the disk was removed from the DB

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.5.3.2-1.el8ev.src.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm
ovirt-web-ui-1.9.2-1.el8ev.src.rpm

noarch:
ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm
rhvm-4.5.3.2-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-2805
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3UyLtzjgjWX9erEAQjacQ//emo9BwMrctxmlrqBwa5vAlrr2Kt3ZVCY
hAHTbaUk+sXw9JxGeCZ/aD8/c6ij5oCprdMs4sOGmOfTHEkmj+GbPWfdEluoJvr0
PM001KBuucWC6YDaW/R3V20oZrqdRAlPX7yvTzxuNNlpnpmGx/UkAwB2GSechs91
kXp+E74e1RgOgbFRtzZcgfwCb0Df2Swi2vXdnPDfri5fRVztgwcrIcljLoTBkMy7
8M719eYwsuu1987MqSnIvBOHEj2oWN2IQJTaeNPoz3MqgvYKwqEdiozchJpWvXqi
WddEaLT8S+1WhDf4VCIkdtIZrww/Ya2BxoFoEroCr7jTSDy9c9aFcnjn4wqnhO9s
yqKfxpTWz9mpgTdHHT4FC06L9AUsxa/UaLKydO3tZhc+IjPH0O63SDBi/pZ5WVAH
oCmYtRJA2OYlQABpHXR2x7Pj2Jv7JRNWHjGnabxWVoY6E09vdIrPliz0taPI59s7
YvNtXhkWPIa3w5kyibIxTVLqjR4gr2zrpPa2Oc6QGvEP9zyu59bAxoXKSQj0SYM8
BFykrVd3ahlPGFqOl6UBdvPJpXpJtNXK3lJBCGu2glFSwPXX26ij2fLUW3b7DnUC
+xMPlL9m45KHx/Y7s4WnDvlvSNRjhy/Ttddgm/JwYOLxlzTWd1Qez/vfyDuIK7rk
QvQket8bo7Q=xS+k
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-8502:01 Moderate: RHV Manager (ovirt-engine)

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available

Summary

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
* follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
* ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)
* RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)
* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported' (BZ#1968433)
* Virtual Machine with lease fails to run on DR failover (BZ#1974535)
* Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)
* Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)
* not able to import disk in 4.5.2 (BZ#2134549)
Enhancement(s):
* [RFE] Show last events for user VMs (BZ#1886211)



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891

References

https://access.redhat.com/security/cve/CVE-2022-0155 https://access.redhat.com/security/cve/CVE-2022-2805 https://access.redhat.com/security/updates/classification/#moderate

Package List

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: ovirt-engine-4.5.3.2-1.el8ev.src.rpm ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm ovirt-web-ui-1.9.2-1.el8ev.src.rpm
noarch: ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm rhvm-4.5.3.2-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2022:8502-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8502
Issued Date: : 2022-11-16
CVE Names: CVE-2022-0155 CVE-2022-2805

Topic

Updated ovirt-engine packages that fix several bugs and add variousenhancements are now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch


Bugs Fixed

1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.

1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.

1886211 - [RFE] Show last events for user VMs

1968433 - [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported'

1974535 - Virtual Machine with lease fails to run on DR failover

1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.

2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor

2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style

2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module

2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress

2127836 - Create template dialog is not closed when clicking in OK and the template is not created

2134549 - not able to import disk in 4.5.2

2137207 - The RemoveDisk job finishes before the disk was removed from the DB


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved