- Vulnerability/
- RHSA-2021:2865
RHSA-2021:2865: Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]
First published: Thu Jul 22 2021(Updated: )
The ovirt-engine package provides the manager for virtualization environments.<br>This manager enables admins to define hosts and networks, as well as to add<br>storage, create VMs and manage user permissions.<br>Security Fix(es):<br><li> nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)</li> <li> nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)</li> <li> nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)</li> <li> nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)</li> For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.<br>Bug Fix(es):<br><li> Foreman integration, which allows you to provision bare metal hosts from the Administration Portal using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7.</li> Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an already provisioned host using the Administration Portal or the REST API. (BZ#1901011)<br><li> Adding a message banner to the web administration welcome page is straight forward using custom branding that only contains a preamble section. </li> An example of preamble branding is given here: <a href="https://bugzilla.redhat.com/attachment.cgi?id=1783329." target="_blank">https://bugzilla.redhat.com/attachment.cgi?id=1783329.</a> In an engine upgrade, the custom preamble brand remains in place and will work without issue.<br>During engine backup and subsequent restore, on engine restore the custom preamble branding needs to be manually restored/reinstalled and verified. (BZ#1804774)<br><li> The column name threads_per_core in the Red hat Virtualization manager Dashboard is being deprecated, and will be removed in a future release.</li> In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads.<br>In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a future version. (BZ#1896359)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ovirt-engine | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-dwh | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
| redhat/ovirt-engine-extension-aaa-ldap | <1.4.4-1.el8e | 1.4.4-1.el8e |
| redhat/ovirt-engine-ui-extensions | <1.2.7-1.el8e | 1.2.7-1.el8e |
| redhat/ovirt-web-ui | <1.7.0-1.el8e | 1.7.0-1.el8e |
| redhat/rhv-log-collector-analyzer | <1.0.10-1.el8e | 1.0.10-1.el8e |
| redhat/rhvm-branding-rhv | <4.4.9-1.el8e | 4.4.9-1.el8e |
| redhat/ovirt-engine-backend | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-dbscripts | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-dwh-grafana-integration-setup | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
| redhat/ovirt-engine-dwh-setup | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
| redhat/ovirt-engine-extension-aaa-ldap-setup | <1.4.4-1.el8e | 1.4.4-1.el8e |
| redhat/ovirt-engine-health-check-bundler | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-restapi | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-base | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-cinderlib | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-imageio | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-ovirt-engine | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-ovirt-engine-common | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-setup-plugin-websocket-proxy | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-tools | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-tools-backup | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-vmconsole-proxy-helper | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-webadmin-portal | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/ovirt-engine-websocket-proxy | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/python3-ovirt-engine-lib | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
| redhat/rhvm | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2021:2865?
The severity of RHSA-2021:2865 is critical.
How do I fix RHSA-2021:2865?
To fix RHSA-2021:2865, update the ovirt-engine package to version 4.4.7.6-0.11.el8e or higher.
Which packages are affected by RHSA-2021:2865?
The affected packages include ovirt-engine, ovirt-engine-dwh, and various ovirt-engine extensions among others.
What type of vulnerability is addressed in RHSA-2021:2865?
RHSA-2021:2865 addresses an arbitrary code execution vulnerability in the nodejs-underscore package.
Is there a specific Red Hat version required for the fix in RHSA-2021:2865?
Yes, the fix for RHSA-2021:2865 requires Red Hat Enterprise Linux 8.
- agent/references
- agent/severity
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/title
- agent/description
- agent/tags
- agent/event
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2021:2865
- agent/software-canonical-lookup
- package-manager/redhat