RHSA-2021:1169: Red Hat Security Advisory: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement

An update is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

Security Fix(es):

  • nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)
  • m2crypto: bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)
  • datatables.net: prototype pollution if ‘constructor’ were used in a data property name (CVE-2020-28458)
  • nodejs-immer: prototype pollution may lead to DoS or remote code execution (CVE-2020-28477)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:

  • CVE-2019-20921: nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS
  • CVE-2020-25657: m2crypto: bleichenbacher timing attacks in the RSA decryption API
  • CVE-2020-28458: datatables.net: prototype pollution if ‘constructor’ were used in a data property name
  • CVE-2020-28477: nodejs-immer: prototype pollution may lead to DoS or remote code execution
Red Hat Security Data