RHSA-2022:0475: Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]

Skip to navigation Skip to main content

Utilities

• Subscriptions
• Downloads
• Containers
• Support Cases

Infrastructure and Management

• Red Hat Enterprise Linux
• Red Hat Virtualization
• Red Hat Identity Management
• Red Hat Directory Server
• Red Hat Certificate System
• Red Hat Satellite
• Red Hat Subscription Management
• Red Hat Update Infrastructure
• Red Hat Insights
• Red Hat Ansible Automation Platform

Cloud Computing

• Red Hat OpenShift
• Red Hat CloudForms
• Red Hat OpenStack Platform
• Red Hat OpenShift Container Platform
• Red Hat OpenShift Data Science
• Red Hat OpenShift Online
• Red Hat OpenShift Dedicated
• Red Hat Advanced Cluster Security for Kubernetes
• Red Hat Advanced Cluster Management for Kubernetes
• Red Hat Quay
• Red Hat CodeReady Workspaces
• Red Hat OpenShift Service on AWS

Storage

• Red Hat Gluster Storage
• Red Hat Hyperconverged Infrastructure
• Red Hat Ceph Storage
• Red Hat OpenShift Data Foundation

Runtimes

• Red Hat Runtimes
• Red Hat JBoss Enterprise Application Platform
• Red Hat Data Grid
• Red Hat JBoss Web Server
• Red Hat Single Sign On
• Red Hat support for Spring Boot
• Red Hat build of Node.js
• Red Hat build of Thorntail
• Red Hat build of Eclipse Vert.x
• Red Hat build of OpenJDK
• Red Hat build of Quarkus
• Red Hat CodeReady Studio

Integration and Automation

• Red Hat Process Automation
• Red Hat Process Automation Manager
• Red Hat Decision Manager

All Products

Issued:

2022-02-08

Updated:

2022-02-08

RHSA-2022:0475 - Security Advisory

• Overview
• Updated Packages

Synopsis

Low: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine package provides the manager for virtualization environments.
This manager enables admins to define hosts and networks, as well as to add
storage, create VMs and manage user permissions.

Security Fix(es):

• log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
• log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
• log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
• log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Bug Fix(es):

• With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation.

When upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.

After a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)

• Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)
• Because installing the self-hosted engine with Cockpit is deprecated, the ‘Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface’ link

on the Red Hat Virtualization Administration Portal login page has been replaced with the “Installing Red Hat Virtualization as a self-hosted engine using the command line” link. (BZ#1992476)

• In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)

Affected Products

• Red Hat Virtualization Manager 4.4 x86_64

Fixes

• BZ - 1992476 - [UI] Switch default installation method of HE on login page documentation links
• BZ - 2013430 - RHV 4.4. FIPS install leaves UUID blank in grub after setting kernel option
• BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
• BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
• BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
• BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
• BZ - 2044257 - Bump snmp4j library version to remove dependency on log4j
• BZ - 2044277 - Replace ovirt-engine-extension-logger-log4j with internal ovirt-engine implementation

CVEs

• CVE-2021-4104
• CVE-2022-23302
• CVE-2022-23305
• CVE-2022-23307

References

• https://access.redhat.com/security/updates/classification/#low
• https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

Red Hat Virtualization Manager 4.4

SRPM

ovirt-engine-4.4.10.6-0.1.el8ev.src.rpm

SHA-256: e72185955b4a2ff285e88cb911d5f389cf5aeeb9744579735d6560834f748bb6

rhvm-branding-rhv-4.4.10-1.el8ev.src.rpm

SHA-256: 0be59d055fa89c074464599dcb4a614375ba8d842cea7917f527ae43f689aa4d

snmp4j-3.6.4-0.1.el8ev.src.rpm

SHA-256: 5380808f94ae71eee20685e5b70301e38d2a9b1d49879fdb3d4847a54dbed8bb

x86_64

ovirt-engine-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 311a74b7182b20bae9bf5f834d6205f7231cc545c79d79f45abcff362b7d267d

ovirt-engine-backend-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: c664be808b50f0a7df523a3d98183599f225cce2df599a8d0adf6ad92f4f83bc

ovirt-engine-dbscripts-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: f04c176fa2e9d0e30f049e247b1343d8c4f9a543ca76ce56fa6f625d3dbc1ff3

ovirt-engine-health-check-bundler-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: b3a53b26fe9fdb79f907a4d4efb1329e099a6373a7955991c993fe2ddca5191d

ovirt-engine-restapi-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 19a0ec298b7e7f10dd41086f83eca3df942f57e27d4ea69f28321305ed6f5a0d

ovirt-engine-setup-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: f658efd449aaf78298f0421ae3005d7da05e7be9b7426ce4658242c7cf057684

ovirt-engine-setup-base-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: f745c79a59bb4f36794462afe83829fa28b11afc4fa417887785409694a11962

ovirt-engine-setup-plugin-cinderlib-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 51d72bc39134d287231287a66437003290f57fa70937ca7a987a4a46403570e2

ovirt-engine-setup-plugin-imageio-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 21624f80198e5205ae5959df4370de08d9fb795b6037ae63f83c4b37a1b12648

ovirt-engine-setup-plugin-ovirt-engine-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 64c58e7913e0eeac0b58a90e6e453b01f4a42e4455203a4746957fa8a8d915a3

ovirt-engine-setup-plugin-ovirt-engine-common-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: b3274bfb0c92a888fcc1f5baae1ca48cd8a4648e43e5615c22ed60debad53112

ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 51a9acf460f40d741e7aa8580306ed0ab3391733d495aa0c215b0f507db7086d

ovirt-engine-setup-plugin-websocket-proxy-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: ca0ae54eb0ffc4d674203ab6aab410886d834786f382c53363061b977e7d0bc8

ovirt-engine-tools-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 8c29dfffa3bd3d84c81899f6e82008b5d44d0529ce0a4de53b581c61c9201e3b

ovirt-engine-tools-backup-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 0bfc2c23175c499415998ed02a40fd3ee8418c91aa524b3f3a06c5627c423f32

ovirt-engine-vmconsole-proxy-helper-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 54d0f2e3184b80933c85474527589edb66af84fd9b96b2bec1a469fb869346be

ovirt-engine-webadmin-portal-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: c7875d05be5657ae26b22e0a3b05c5f7892e488493fbe0e87386dd89281ad296

ovirt-engine-websocket-proxy-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: b3f9e3b9e88c84d028deeb237b7cff26e878dfb4bbab313117b8dc589ecd683a

python3-ovirt-engine-lib-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 7339f589874e4997c88fc6ad92fc251f9316e8a17e786bad55eb7338b22d9c50

rhvm-4.4.10.6-0.1.el8ev.noarch.rpm

SHA-256: 82bde3643d61a76f94497d56b4ebf852efb92c0e6da20fc8aed1567557d25b74

rhvm-branding-rhv-4.4.10-1.el8ev.noarch.rpm

SHA-256: 00bc281beb8bc04903d6360ff8ae4daf205b486f624e3318bcffa754383f2534

snmp4j-3.6.4-0.1.el8ev.noarch.rpm

SHA-256: 28acd53d4232cde7debf8ca434935bcb0c670ff6cab03939695712c3a61c9bbc

snmp4j-javadoc-3.6.4-0.1.el8ev.noarch.rpm

SHA-256: de6f521063520fdc84e30b554781e0d667ac8598b9d59439b0b76367d1e84f00

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.