RHSA-2022:8502: Red Hat Security Advisory: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
  • CVE-2022-2805: ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
Red Hat Security Data

Issued: 2022-11-16

Updated: 2022-11-16

RHSA-2022:8502 - Security Advisory

Synopsis

Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update

Type/Severity

Security Advisory: Moderate

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

  • follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
  • ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)
  • RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)
  • [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’ (BZ#1968433)
  • Virtual Machine with lease fails to run on DR failover (BZ#1974535)
  • Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)
  • Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)
  • not able to import disk in 4.5.2 (BZ#2134549)

Enhancement(s):

  • [RFE] Show last events for user VMs (BZ#1886211)

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64

Fixes

  • BZ - 1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
  • BZ - 1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
  • BZ - 1886211 - [RFE] Show last events for user VMs
  • BZ - 1968433 - [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’
  • BZ - 1974535 - Virtual Machine with lease fails to run on DR failover
  • BZ - 1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
  • BZ - 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
  • BZ - 2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
  • BZ - 2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
  • BZ - 2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
  • BZ - 2127836 - Create template dialog is not closed when clicking in OK and the template is not created
  • BZ - 2134549 - not able to import disk in 4.5.2
  • BZ - 2137207 - The RemoveDisk job finishes before the disk was removed from the DB

Red Hat Virtualization Manager 4.4

SRPM

ovirt-engine-4.5.3.2-1.el8ev.src.rpm

ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm

ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm

ovirt-web-ui-1.9.2-1.el8ev.src.rpm

x86_64

ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm

ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm

ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm

ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm

ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm

ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm

ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm

python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm

rhvm-4.5.3.2-1.el8ev.noarch.rpm

The Red Hat security contact details are at https://access.redhat.com/security/team/contact/.

Related news

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user into redirecting to a malicious website, leading to information disclosure and the launch of phishing attacks.

Red Hat Security Advisory 2022-8502-01

Red Hat Security Advisory 2022-8502-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

CVE-2022-2805: ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style

A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otopi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.

CVE-2022-0155: Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects

follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor.

CVE-2020-11110: grafana/CHANGELOG.md at main · grafana/grafana

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.