Headline

RHSA-2021:3259: Red Hat Security Advisory: OpenShift Virtualization 4.8.1 Images security and bug fix update

Red Hat OpenShift Virtualization release 4.8.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.OpenShift Virtualization is Red Hat’s virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.8.1 images: RHEL-8-CNV-4.8 ============== kubevirt-v2v-conversion-container-v4.8.1-1 bridge-marker-container-v4.8.1-2 node-maintenance-operator-container-v4.8.1-1 cnv-containernetworking-plugins-container-v4.8.1-1 virtio-win-container-v4.8.1-1 ovs-cni-plugin-container-v4.8.1-2 kubevirt-vmware-container-v4.8.1-1 kubernetes-nmstate-handler-container-v4.8.1-2 cluster-network-addons-operator-container-v4.8.1-2 kubemacpool-container-v4.8.1-2 ovs-cni-marker-container-v4.8.1-2 cnv-must-gather-container-v4.8.1-4 virt-operator-container-v4.8.1-2 vm-import-virtv2v-container-v4.8.1-2 vm-import-operator-container-v4.8.1-2 vm-import-controller-container-v4.8.1-2 kubevirt-template-validator-container-v4.8.1-2 virt-cdi-cloner-container-v4.8.1-5 virt-cdi-controller-container-v4.8.1-5 virt-cdi-operator-container-v4.8.1-5 virt-cdi-apiserver-container-v4.8.1-5 hostpath-provisioner-operator-container-v4.8.1-3 virt-cdi-uploadproxy-container-v4.8.1-5 virt-cdi-importer-container-v4.8.1-5 hyperconverged-cluster-operator-container-v4.8.1-3 virt-cdi-uploadserver-container-v4.8.1-5 hyperconverged-cluster-webhook-container-v4.8.1-3 hostpath-provisioner-container-v4.8.1-2 kubevirt-ssp-operator-container-v4.8.1-5 virt-launcher-container-v4.8.1-3 virt-api-container-v4.8.1-3 virt-handler-container-v4.8.1-3 virt-controller-container-v4.8.1-3 hco-bundle-registry-container-v4.8.1-18 Security Fix(es):

gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es):
[CNV 2.4.3] oc vm delete doesn’t complete sometimes (BZ#1900631)
Migration fails with read only cdrom drive attached (BZ#1927378)
[CNV-2.5] Manifests in openshift-cnv missing resource requirements - Network (BZ#1935218)
[RFE][v2v] Expose the vddk library version loaded by nbdkit (BZ#1937405)
New OCP priority classes are not used - Network (BZ#1953482)
Migration fails with read only cdrom drive attached on “timed out waiting for domain to be defined” (BZ#1966903)
cfgMap kubevirt-ca brought in by kubevirt does not get reconciled (BZ#1968410)
Update nmstate version in CNV (BZ#1971262)
virt-api - deprecated API is used (BZ#1972762)
Pending VMIs when creating concurrent bulk of VMs backed by WFFC DVs (BZ#1974289)
Migration of ‘Migratable’ VMs fails although live migration is enabled for the target environment (BZ#1977277)
CDI importer doesn’t report AwaitingVDDK like it used to (BZ#1979957)
[4.8.1] Cloning DataVolumes between namespaces fails while creating cdi-upload pod (BZ#1982269)
VMs Migration from a specific VMware fails the importer, on NfcFssrvrProcessErrorMsg (BZ#1984775)
[RFE] Keep the VddkInitImage value in the v2v-vmware conigMap when upgrading CNV from 2.6 to CNV-4.8 (BZ#1984801)
CDI Importer fails on large qcow2.gz (BZ#1989170)
4.8.1 containers (BZ#1989410)
[hpp] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters (BZ#1990063) Related CVEs:
CVE-2021-3121: gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
CVE-2021-34558: golang: crypto/tls: certificate of wrong type is causing TLS client to panic