Red Hat Security Advisory 2022-8502-01
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Advisory ID: RHSA-2022:8502-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8502
Issue date: 2022-11-16
CVE Names: CVE-2022-0155 CVE-2022-2805
====================================================================
- Summary:
Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
- Description:
The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.
Security Fix(es):
- follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
- ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
- Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)
- RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)
- [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’ (BZ#1968433)
- Virtual Machine with lease fails to run on DR failover (BZ#1974535)
- Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)
- Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)
- not able to import disk in 4.5.2 (BZ#2134549)
Enhancement(s):
- [RFE] Show last events for user VMs (BZ#1886211)
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/2974891
- Bugs fixed (https://bugzilla.redhat.com/):
1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
1886211 - [RFE] Show last events for user VMs
1968433 - [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’
1974535 - Virtual Machine with lease fails to run on DR failover
1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
2127836 - Create template dialog is not closed when clicking in OK and the template is not created
2134549 - not able to import disk in 4.5.2
2137207 - The RemoveDisk job finishes before the disk was removed from the DB
- Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source:
ovirt-engine-4.5.3.2-1.el8ev.src.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm
ovirt-web-ui-1.9.2-1.el8ev.src.rpm
noarch:
ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm
rhvm-4.5.3.2-1.el8ev.noarch.rpm
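As an added example (not part of the advisory or of the ovirt-engine project), a small Python check that tells a defender whether the packages on an RHV Manager host are still below the fixed builds listed above. It assumes the input is the output of the real query `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <names>`, and it uses a simplified re-implementation of rpmvercmp (no tilde/caret handling, no epoch), which is enough for the version strings in this advisory.

```python
import re
from itertools import zip_longest

# Fixed VERSION-RELEASE strings, taken from the advisory's Package List.
FIXED = {
    "ovirt-engine": "4.5.3.2-1.el8ev",
    "ovirt-engine-dwh": "4.5.7-1.el8ev",
    "ovirt-engine-ui-extensions": "1.3.6-1.el8ev",
    "ovirt-web-ui": "1.9.2-1.el8ev",
}

def _segments(s):
    # Like rpmvercmp: split into runs of digits and runs of letters.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret): numeric runs compare as
    integers, alpha runs lexically, numeric beats alpha, and the string
    with segments left over wins. Returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return 0

def compare_vr(installed, fixed):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def parse_rpm_q(output):
    # Parse 'NAME VERSION-RELEASE' lines from the rpm query named above.
    return dict(line.split() for line in output.splitlines() if line.strip())

def unpatched(installed):
    """Names of advisory packages installed below the fixed build."""
    return sorted(n for n, vr in installed.items()
                  if n in FIXED and compare_vr(vr, FIXED[n]) < 0)

# Constructed sample output: engine and web UI are old, DWH is already fixed.
SAMPLE = ("ovirt-engine 4.5.2.4-1.el8ev\novirt-engine-dwh 4.5.7-1.el8ev\n"
          "ovirt-web-ui 1.9.1-1.el8ev\n")
```

Running `unpatched(parse_rpm_q(SAMPLE))` on the constructed sample reports `ovirt-engine` and `ovirt-web-ui` as still needing this update.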
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-0155
https://access.redhat.com/security/cve/CVE-2022-2805
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otopi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor