RHSA-2021:2736: Red Hat Security Advisory: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.7]

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host’s resources and performing administrative tasks. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host’s resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host’s resources and performing administrative tasks. Security Fix(es):

• kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909)
• systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash (CVE-2021-33910)
• kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034)
• ansible: multiple modules expose secured values (CVE-2021-3447) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es):
• The redhat-release-virtualization-host package no longer requires vdsm-hooks. In this release, the installation of vdsm-hooks is not mandatory for the Red Hat Virtualization Host. (BZ#1976095)
• Previously, rhsmcertd was not enabled by default on the Red Hat Virtualization Host. As a result, the systems did not regularly report to RHSM while the subscription-manager reported no obvious issues and repositories were properly enabled. In this release, rhsmcertd is enabled by default in RHVH, and as a result, RHSM now receives reports regularly. (BZ#1958145)
• In this release, the Red Hat Virtualization Host has been rebased on top of the RHEL 8.4.0 Batch #1 update. For more information, see the RHEL release notes. (BZ#1957242)
• Red Hat Virtualization Host now includes an updated scap-security-guide-rhv which allows you to apply a PCI DSS security profile to the system during installation, (BZ#1883793) Related CVEs:
• CVE-2021-3447: ansible: multiple modules expose secured values
• CVE-2021-32399: kernel: race condition for removal of the HCI controller
• CVE-2021-33034: kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan
• CVE-2021-33909: kernel: size_t-to-int conversion vulnerability in the filesystem layer
• CVE-2021-33910: systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash