RHSA-2022:4764: Red Hat Security Advisory: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update

Updated host packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-0207: vdsm: disclosure of sensitive values in log files
Red Hat Security Data

Issued:

2022-05-26

Updated:

2022-05-26

RHSA-2022:4764 - Security Advisory

Synopsis

Low: RHV RHEL Host (ovirt-host) [ovirt-4.5.0] security update

Type/Severity

Security Advisory: Low

Topic

Updated host packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-host package consolidates host package requirements into a single meta package.

Security Fix(es) from Bugzilla:

  • vdsm: disclosure of sensitive values in log files (CVE-2022-0207)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) from Bugzilla:

  • With this release, RHV 4.4 SP1 has been upgraded to use ansible-core in cockpit-ovirt. (BZ#2066042)
  • Rebase package(s) to version: 0.16.0. Highlights and notable enhancements: https://github.com/oVirt/cockpit-ovirt/releases/tag/cockpit-ovirt-0.16.0 (BZ#2067078)

  • Rebase package(s) to version: 0.6.2 (BZ#2060889)
  • Rebase package(s) to version: 4.5.0. Highlights, important fixes, or notable enhancements: (BZ#2054733)

  • Feature: Include the package nvme-cli on virtualization hosts. Reason: The package is requested in RHEL 8 Managing Storage devices, Chapter 15. NVMe over fabrics using FC for accessing that hardware. Result: The needed package is available on the host. (BZ#2058177)

  • Previously, the ovirt-ha-broker service failed to start on a host with a DISA STIG profile. In this release, the ovirt-ha-broker binaries were moved to /usr/libexec. As a result, the ovirt-ha-broker service starts successfully on a host with a DISA STIG profile. (BZ#2050108)

  • Previously, during self-hosted engine deployment, the tpgt value was not used in the iSCSI login, creating duplicate iSCSI sessions. In this release, the tpgt value is used in the iSCSI login, and no duplicate iSCSI sessions are created. (BZ#1768969)

  • With this release, the self-hosted engine installation supports selecting either DISA STIG or PCI-DSS security profiles for the self-hosted engine VM. (BZ#2029830)
  • Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components. (BZ#2052686)
  • Rebase package(s) to version: 2.6.1. Highlights, important fixes, or notable enhancements: (BZ#2050512)

  • RHV Hypervisor 4.4 SP1, with the exception of RHV-H, is able to run on a host with the RHEL 8.6 DISA STIG OpenSCAP profile applied. (BZ#2015802)
  • Previously, SCSI reservation was not set for disks that are hot-plugged. In this release, the SCSI reservation works for disks that are being hot-plugged. (BZ#2028481)

  • The Red Hat Virtualization Host is now capable of running on a machine with the PCI-DSS security profile. (BZ#2030226)
  • Previously, if storage problems occurred and disappeared during a VM migration attempt, it sometimes led to the VM being paused and not resuming even if the VM had an auto-resume policy set. In this release, the VM is handled according to its resume behavior policy when the storage state changes during a VM migration attempt. (BZ#2010478)

  • Previously, the VDSM used UDEV links to create the LVM filter. As a result, the LVM sometimes grabbed SCSI devices during the boot process by mistake. In this release, the LVM does not try to grab SCSI devices during the boot process, only using the multipath device specified in the LVM filter. (BZ#2016173)

Affected Products

  • Red Hat Virtualization 4 for RHEL 8 x86_64
  • Red Hat Virtualization Host 4 for RHEL 8 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le

Fixes

  • BZ - 1768969 - Duplicate iSCSI sessions in the hosted-engine deployment host when the tpgt is not 1
  • BZ - 1787192 - Host fails to activate in RHV and goes to non-operational status when some of the iSCSI targets are down
  • BZ - 1878724 - vdsm-tool configure is failing with error “dependency job for libvirtd.service failed”
  • BZ - 1986732 - ovirt-ha services cannot set the LocalMaintenance mode in the storage metadata and are in a restart loop
  • BZ - 2010478 - After storage error HA VMs failed to auto resume.
  • BZ - 2015802 - [RFE] RHV hypervisors should support running on host with DISA STIG security profile applied
  • BZ - 2028481 - SCSI reservation is not working for hot plugged VM disks
  • BZ - 2029830 - [RFE] Hosted engine should accept OpenSCAP profile name instead of bool
  • BZ - 2030226 - [RFE] RHV hypervisors should support running on hosts with the PCI-DSS security profile applied
  • BZ - 2039248 - CVE-2022-0207 vdsm: disclosure of sensitive values in log files
  • BZ - 2050108 - hosted-engine-setup fails to start ovirt-ha-broker service on RHEL-H with DISA STIG
  • BZ - 2050512 - Upgrade ovirt-hosted-engine-setup to 2.6.1
  • BZ - 2052686 - [RFE] Upgrade to ansible-core-2.12 in hosted-engine-setup
  • BZ - 2054733 - Upgrade ovirt-host to 4.5.0
  • BZ - 2058177 - [RFE] Include the package nvme-cli on virtualization hosts
  • BZ - 2060889 - Upgrade mom to 0.6.2
  • BZ - 2066042 - Require ansible-core instead of ansible in cockpit-ovirt
  • BZ - 2067078 - Upgrade cockpit-ovirt to 0.16.0

Red Hat Virtualization 4 for RHEL 8

SRPM

cockpit-ovirt-0.16.0-1.el8ev.src.rpm

mom-0.6.2-1.el8ev.src.rpm

ovirt-host-4.5.0-3.el8ev.src.rpm

ovirt-hosted-engine-ha-2.5.0-1.el8ev.src.rpm

ovirt-hosted-engine-setup-2.6.3-1.el8ev.src.rpm

vdsm-4.50.0.13-1.el8ev.src.rpm

x86_64

cockpit-ovirt-dashboard-0.16.0-1.el8ev.noarch.rpm

mom-0.6.2-1.el8ev.noarch.rpm

ovirt-host-4.5.0-3.el8ev.x86_64.rpm

ovirt-host-dependencies-4.5.0-3.el8ev.x86_64.rpm

ovirt-hosted-engine-ha-2.5.0-1.el8ev.noarch.rpm

ovirt-hosted-engine-setup-2.6.3-1.el8ev.noarch.rpm

vdsm-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-api-4.50.0.13-1.el8ev.noarch.rpm

vdsm-client-4.50.0.13-1.el8ev.noarch.rpm

vdsm-common-4.50.0.13-1.el8ev.noarch.rpm

vdsm-gluster-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-hook-checkips-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-hook-cpuflags-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-ethtool-options-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-extra-ipv4-addrs-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-hook-fcoe-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-localdisk-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-nestedvt-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-openstacknet-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-vhostmd-4.50.0.13-1.el8ev.noarch.rpm

vdsm-http-4.50.0.13-1.el8ev.noarch.rpm

vdsm-jsonrpc-4.50.0.13-1.el8ev.noarch.rpm

vdsm-network-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-python-4.50.0.13-1.el8ev.noarch.rpm

vdsm-yajsonrpc-4.50.0.13-1.el8ev.noarch.rpm

Red Hat Virtualization Host 4 for RHEL 8

SRPM

vdsm-4.50.0.13-1.el8ev.src.rpm

x86_64

vdsm-hook-checkips-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-hook-cpuflags-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-ethtool-options-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-extra-ipv4-addrs-4.50.0.13-1.el8ev.x86_64.rpm

vdsm-hook-fcoe-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-localdisk-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-nestedvt-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-openstacknet-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-vhostmd-4.50.0.13-1.el8ev.noarch.rpm

Red Hat Virtualization for IBM Power LE 4 for RHEL 8

SRPM

mom-0.6.2-1.el8ev.src.rpm

ovirt-host-4.5.0-3.el8ev.src.rpm

ovirt-hosted-engine-ha-2.5.0-1.el8ev.src.rpm

vdsm-4.50.0.13-1.el8ev.src.rpm

ppc64le

mom-0.6.2-1.el8ev.noarch.rpm

ovirt-host-4.5.0-3.el8ev.ppc64le.rpm

ovirt-host-dependencies-4.5.0-3.el8ev.ppc64le.rpm

vdsm-4.50.0.13-1.el8ev.ppc64le.rpm

vdsm-api-4.50.0.13-1.el8ev.noarch.rpm

vdsm-client-4.50.0.13-1.el8ev.noarch.rpm

vdsm-common-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-checkips-4.50.0.13-1.el8ev.ppc64le.rpm

vdsm-hook-cpuflags-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-ethtool-options-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-extra-ipv4-addrs-4.50.0.13-1.el8ev.ppc64le.rpm

vdsm-hook-fcoe-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-localdisk-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-nestedvt-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-openstacknet-4.50.0.13-1.el8ev.noarch.rpm

vdsm-hook-vhostmd-4.50.0.13-1.el8ev.noarch.rpm

vdsm-http-4.50.0.13-1.el8ev.noarch.rpm

vdsm-jsonrpc-4.50.0.13-1.el8ev.noarch.rpm

vdsm-network-4.50.0.13-1.el8ev.ppc64le.rpm

vdsm-python-4.50.0.13-1.el8ev.noarch.rpm

vdsm-yajsonrpc-4.50.0.13-1.el8ev.noarch.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

CVE-2022-0207

A race condition was found in the vdsm functionality that obfuscates sensitive values in log files, which may lead to values being stored in clear text.

Red Hat Security Advisory 2022-4764-01

Red Hat Security Advisory 2022-4764-01 - The ovirt-host package consolidates host package requirements into a single meta package. Issues addressed include a Bugzilla fix for vdsm where there was a disclosure of sensitive values in log files.