RHSA-2022:0947: Red Hat Security Advisory: OpenShift Virtualization 4.10.0 Images security and bug fix update

Red Hat OpenShift Virtualization release 4.10.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



Issued: 2022-03-16
Updated: 2022-03-16

RHSA-2022:0947 - Security Advisory

Synopsis

Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Virtualization release 4.10.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Virtualization is Red Hat’s virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.10.0 images:

RHEL-8-CNV-4.10
==============

kubevirt-velero-plugin-container-v4.10.0-8
virtio-win-container-v4.10.0-10
kubevirt-template-validator-container-v4.10.0-16
hostpath-csi-driver-container-v4.10.0-32
hostpath-provisioner-container-v4.10.0-32
hostpath-provisioner-operator-container-v4.10.0-62
cnv-must-gather-container-v4.10.0-110
virt-cdi-controller-container-v4.10.0-90
virt-cdi-apiserver-container-v4.10.0-90
virt-cdi-uploadserver-container-v4.10.0-90
virt-cdi-uploadproxy-container-v4.10.0-90
virt-cdi-operator-container-v4.10.0-90
virt-cdi-cloner-container-v4.10.0-90
virt-cdi-importer-container-v4.10.0-90
kubevirt-ssp-operator-container-v4.10.0-50
virt-api-container-v4.10.0-217
hyperconverged-cluster-webhook-container-v4.10.0-133
libguestfs-tools-container-v4.10.0-217
virt-handler-container-v4.10.0-217
virt-launcher-container-v4.10.0-217
virt-artifacts-server-container-v4.10.0-217
virt-controller-container-v4.10.0-217
node-maintenance-operator-container-v4.10.0-48
hyperconverged-cluster-operator-container-v4.10.0-133
virt-operator-container-v4.10.0-217
cnv-containernetworking-plugins-container-v4.10.0-49
kubemacpool-container-v4.10.0-49
bridge-marker-container-v4.10.0-49
ovs-cni-marker-container-v4.10.0-49
ovs-cni-plugin-container-v4.10.0-49
kubernetes-nmstate-handler-container-v4.10.0-49
cluster-network-addons-operator-container-v4.10.0-49
hco-bundle-registry-container-v4.10.0-696

Security Fix(es):

  • golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
  • golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)
  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
  • golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
  • golang: syscall: don’t close fd 0 on ForkExec error (CVE-2021-44717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Container Native Virtualization 4.10 for RHEL 8 x86_64
  • Red Hat Container Native Virtualization 4.10 for RHEL 7 x86_64

Fixes

  • BZ - 1760028 - CPU compatibility is not checked when migrating host-model VMs
  • BZ - 1855182 - [Storage] Clone could not be continued after virtctl stop the vm if the clone dv have been created for more than 3 minutes
  • BZ - 1906151 - High CPU/Memory usage of Kube API server following a CNV installation
  • BZ - 1918294 - VM created from template when OCS is default SC fails to start on “source volumeMode (Block) and target volumeMode (Filesystem) do not match”
  • BZ - 1935217 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - Storage
  • BZ - 1945586 - CPU pinning is incorrect after live migration
  • BZ - 1958085 - No option to deploy the templates to a non-shared (non default) namespace
  • BZ - 1959039 - must-gather doesn’t collect iptables info of CNV VM anymore
  • BZ - 1975978 - canary-release-openshift-origin-installer-e2e-aws-4.7-cnv is permfailing
  • BZ - 1983079 - No “permittedHostDevices” section in HCO CR, allows any hostdevice in the VM spec.
  • BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
  • BZ - 1986970 - Node outages can lead to (legitimate) mass restarts of VMs which can block our controller
  • BZ - 1987009 - [tracker] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
  • BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
  • BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
  • BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
  • BZ - 1990061 - [virt] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
  • BZ - 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
  • BZ - 1992231 - hostpath-provisioner Pods are not created
  • BZ - 1993454 - Improve ImageIO import performance
  • BZ - 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
  • BZ - 1997540 - Missing kcs: OpenShift Virtualization limits
  • BZ - 1998300 - CNV VMs do not contain the cluster domain name in the FQDN
  • BZ - 1999110 - 4.10.0 containers
  • BZ - 1999636 - 4.10.0 rpms
  • BZ - 2000480 - Using deprecated 1.25 API calls
  • BZ - 2001984 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a PVC
  • BZ - 2001987 - VM not in running state with nonroot VirtLauncher Pods with volumeMode as Filesystem and using a DV
  • BZ - 2002272 - Unable to LiveMigrate a VM with nonroot VirtLauncher Pod
  • BZ - 2003704 - Switch live migration to use unix sockets
  • BZ - 2007397 - Unexpected killing of virt-launcher pod, can result in loss of data for hotplugged volumes
  • BZ - 2008140 - [4.10.0] CNV fails to deploy due to unavailable SSP virt-template-validator
  • BZ - 2008411 - [4.10.0] SSP operator creates kubevirt-os-images instead of openshift-virtualization-os-images namespace
  • BZ - 2008938 - missing spec.priorityClassName for pod hyperconverged-cluster-cli-download
  • BZ - 2008949 - Multiple storage pods are missing spec.priorityClassName
  • BZ - 2008975 - v4.10.0-142 CNV contains outdated ssp-operator and virt-template-validator
  • BZ - 2010540 - HCO.status.relatedObjects are not getting updated with correct resourceVersion of reconciled resources
  • BZ - 2010908 - [MTV] VM remains in printableStatus: Provisioning in cold migration
  • BZ - 2012920 - nncp in progressing state forever when cluster is having Windows node
  • BZ - 2013160 - Create an offline VM with storageClass HPP is always in 'Provisioning' status
  • BZ - 2013455 - Guest agent reports unreliable status when mac address is changed
  • BZ - 2015327 - hostpath-provisioner pods do not have any resources.requests values set up
  • BZ - 2017255 - Migration of VM doesn’t clean up the target pod in time in case of failed migration
  • BZ - 2018457 - Windows high performance templates should use virtio storage
  • BZ - 2018925 - Metric kubevirt_vmi_memory_used_total_bytes is not reporting correct value
  • BZ - 2018970 - RHEL9 alpha template - support level is “Full”
  • BZ - 2019053 - DV with immediate bind remains in WaitForFirstConsumer
  • BZ - 2021992 - [cnv-4.10.0] After upgrade, live migration is Pending
  • BZ - 2025295 - Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2025750 - must-gather | nft files are not collected for nodes
  • BZ - 2025878 - The import cron pod is not deleted after delete the dataimportcron if the import is failed
  • BZ - 2026336 - [SNO] We see multiple replicas of virt-api, virt-controller and virt-operator.
  • BZ - 2026363 - kubemacpool is rotating kubernetes-nmstate certificates
  • BZ - 2026665 - Unable to ssh to a VM when running with Service Mesh
  • BZ - 2026667 - Alerts: SSPDown and SSPTemplateValidatorDown are constantly in Firing state
  • BZ - 2027420 - [SNO] SR-IOV operator fails to install after CNV is installed
  • BZ - 2027922 - Typo on LowKVMNodesCount summary
  • BZ - 2029343 - High performance VM fail to start on libvirt error (kvm-hint-dedicated)
  • BZ - 2029767 - Enactment goes to pending even when maxunavailable is set to 100% in nncp
  • BZ - 2030660 - ImageStream rhel8-guest and rhel9-guest are managed by HCO but they are not getting reconciled
  • BZ - 2030686 - must-gather | missing SRIOV namespace subdir under collected dir
  • BZ - 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
  • BZ - 2030806 - CVE-2021-44717 golang: syscall: don’t close fd 0 on ForkExec error
  • BZ - 2031033 - VM migration from VMware fail on missing v2v-vmware ConfigMap in OCP-4.10/CNV-4.10
  • BZ - 2031688 - hostpath-provisioner-operator deployment is referencing upstream images
  • BZ - 2031727 - [CNV-4.10] kubemacpool & nmstate pods stuck in pending state
  • BZ - 2031919 - [SNO] we cannot cleanly remove the product on SNO due to kubevirt apiservices leftovers
  • BZ - 2032045 - When alert VirtControllerRESTErrorsHigh triggered it keeps in Firing state for hours (even when there are no failed api calls anymore)
  • BZ - 2032845 - SSP CR | reason field’s value in SSP CR status.conditions is not CamelCased
  • BZ - 2032873 - [4.9] Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2032876 - [4.8] Windows VMs fail to start on air-gapped environments for non-admin users
  • BZ - 2033240 - Templates golden image parameters names should be updated
  • BZ - 2033252 - nncp changing its status between “ConfigurationProgressing” to “SuccessfullyConfigured” every few minutes
  • BZ - 2034544 - disk.img file is resized up for HPP and NFS storage classes
  • BZ - 2035008 - Auto-update boot sources: CDI tries to import even when a PVC already exists; dataSources are not updated
  • BZ - 2035324 - Trying to uninstall CNV with `uninstallStrategy: RemoveWorkloads` and existing workloads leaves the system in a corrupted state
  • BZ - 2035658 - NMPolicy can’t replace strings using captures, making teardown not possible
  • BZ - 2035677 - Windows10 VM with CDROM migration fails
  • BZ - 2036220 - Recommended disk image url is outdated in Fedora 33+ template description
  • BZ - 2036483 - HCO Enablement | reconciliation error adding a custom cron template
  • BZ - 2036605 - Auto-update boot sources: DataSource Ready status is not updated if there’s no DataImportCron associated with it
  • BZ - 2037270 - Auto-update boot sources: CentOs and Fedora DVs fail to import due to docker references
  • BZ - 2037290 - Dataimportcron keeps re-creating when enable the feature gate
  • BZ - 2037312 - CNV occasionally cannot be removed due to leftovers dataImportCrons
  • BZ - 2037421 - SSP default log level should be set to “info”
  • BZ - 2038679 - Clone with volume mode file system using Storage API fails
  • BZ - 2038825 - Ubuntu, centos6 and opensuse templates should be removed from common templates bundle in downstream
  • BZ - 2038831 - SAP HANA template should not contain evictionStrategy: LiveMigrate
  • BZ - 2038985 - No feedback when HPP path is sharing host filesystem
  • BZ - 2039196 - DataImportCron with imagestream source does not support image tags
  • BZ - 2039208 - Recording Rule “kubevirt_vm_container_free_memory_bytes” is not working
  • BZ - 2039489 - KubePersistentVolumeFillingUp Firing for VM disk Filesystem PVCs
  • BZ - 2039683 - HANA Template - remove default values for network names
  • BZ - 2039686 - SAP HANA template - container disk registry should be updated
  • BZ - 2039691 - SAP HANA template - set node label instead of node for node selection
  • BZ - 2040113 - The component value of virt-operator label is different with other virt components
  • BZ - 2040115 - Labels “part-of” and “version” in virt components are missing
  • BZ - 2041519 - Custom DataImportCron with the same name as CNV-provided DataImportCron can be added via HCO overwriting configuration
  • BZ - 2041530 - HPP CSI CR can’t be deleted if it’s a combination of a basic storage pool, and a pvcTemplate
  • BZ - 2042139 - HPP-operator reconciling CSI even if nothing is happening
  • BZ - 2042799 - All existing templates are marked as deprecated after CNV upgrade
  • BZ - 2042842 - SAP HANA template - SR-IOV NICs should not specify model virtio
  • BZ - 2042856 - Getting ‘jq’ error while running ‘must-gather’ command.
  • BZ - 2042880 - ‘yq’ command is missing in downstream must-gather image.
  • BZ - 2042908 - hotplugs not included in VMSnapshot
  • BZ - 2044348 - VM with ocs-storagecluster-cephfs sc keeps in CrashLoopBackOff
  • BZ - 2044398 - SSP should not update DataSource managed by DataImportCron
  • BZ - 2046271 - virt-cdi-importer fails to import a VM image when clusterwide proxy configured
  • BZ - 2048227 - Common templates - DATA_SOURCE_NAMESPACE value should be updated in d/s
  • BZ - 2048275 - HPP mounter deployment crashes on parsing lsblk output
  • BZ - 2051105 - DataSources, managed by DataImportCron, are not reconciled when edited
  • BZ - 2051693 - DataSource (which has a golden image and was opted-in/out using cdi label) will be reconciled and will not actually be opted out
  • BZ - 2051968 - virt-freezer binary missing from downstream virt-launcher
  • BZ - 2052489 - KubevirtVmHighMemoryUsage is based on limit not request
  • BZ - 2053027 - nmpolicy cannot clone IP config of the default NIC carrying static IPv6
  • BZ - 2058167 - Post deploy on a baremetal cluster SSP is looping attempting to reconcile

CVEs

  • CVE-2021-29923
  • CVE-2021-33195
  • CVE-2021-33197
  • CVE-2021-33198
  • CVE-2021-34558
  • CVE-2021-36221
  • CVE-2021-44716
  • CVE-2021-44717
  • CVE-2022-24407

Updated Packages

  • Red Hat Container Native Virtualization 4.10 for RHEL 8 (SRPM, x86_64)
  • Red Hat Container Native Virtualization 4.10 for RHEL 7 (SRPM, x86_64)

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
