Headline
RHSA-2022:8502: Red Hat Security Advisory: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
- CVE-2022-2805: ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
Issued:
2022-11-16
Updated:
2022-11-16
RHSA-2022:8502 - Security Advisory
Synopsis
Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Type/Severity
Security Advisory: Moderate
Topic
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
- follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
- ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)
- RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)
- [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’ (BZ#1968433)
- Virtual Machine with lease fails to run on DR failover (BZ#1974535)
- Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)
- Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)
- not able to import disk in 4.5.2 (BZ#2134549)
Enhancement(s):
- [RFE] Show last events for user VMs (BZ#1886211)
Affected Products
- Red Hat Virtualization Manager 4.4 x86_64
Fixes
- BZ - 1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
- BZ - 1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
- BZ - 1886211 - [RFE] Show last events for user VMs
- BZ - 1968433 - [DR] Failover / Failback HA VM Fails to be started due to ‘VM XXX is being imported’
- BZ - 1974535 - Virtual Machine with lease fails to run on DR failover
- BZ - 1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
- BZ - 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
- BZ - 2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
- BZ - 2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
- BZ - 2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
- BZ - 2127836 - Create template dialog is not closed when clicking in OK and the template is not created
- BZ - 2134549 - not able to import disk in 4.5.2
- BZ - 2137207 - The RemoveDisk job finishes before the disk was removed from the DB
Red Hat Virtualization Manager 4.4
SRPM
ovirt-engine-4.5.3.2-1.el8ev.src.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.src.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.src.rpm
ovirt-web-ui-1.9.2-1.el8ev.src.rpm
x86_64
ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-backend-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.5.7-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-restapi-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-base-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-ui-extensions-1.3.6-1.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.5.3.2-1.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.5.3.2-1.el8ev.noarch.rpm
ovirt-web-ui-1.9.2-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.5.3.2-1.el8ev.noarch.rpm
rhvm-4.5.3.2-1.el8ev.noarch.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user to redirect to a malicious website, leading to information disclosure and launch of phishing attacks.
Red Hat Security Advisory 2022-8502-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otopi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.