First published: Thu Jul 22 2021
The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

Security Fix(es):

* nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Foreman integration, which allows you to provision bare metal hosts from the Administration Portal using Foreman and then add them to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7. Similar functionality to provision bare metal hosts can be achieved by using Foreman directly and then adding the already provisioned host using the Administration Portal or the REST API. (BZ#1901011)
* Adding a message banner to the web administration welcome page is straightforward using custom branding that only contains a preamble section. An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329. In an engine upgrade, the custom preamble brand remains in place and will work without issue. After an engine backup and subsequent restore, the custom preamble branding needs to be manually restored/reinstalled and verified. (BZ#1804774)
* The column name threads_per_core in the Red Hat Virtualization Manager Dashboard is being deprecated, and will be removed in a future release. In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads. In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a future version. (BZ#1896359)

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ovirt-engine | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-dwh | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
redhat/ovirt-engine-extension-aaa-ldap | <1.4.4-1.el8e | 1.4.4-1.el8e |
redhat/ovirt-engine-ui-extensions | <1.2.7-1.el8e | 1.2.7-1.el8e |
redhat/ovirt-web-ui | <1.7.0-1.el8e | 1.7.0-1.el8e |
redhat/rhv-log-collector-analyzer | <1.0.10-1.el8e | 1.0.10-1.el8e |
redhat/rhvm-branding-rhv | <4.4.9-1.el8e | 4.4.9-1.el8e |
redhat/ovirt-engine-backend | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-dbscripts | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-dwh-grafana-integration-setup | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
redhat/ovirt-engine-dwh-setup | <4.4.7.3-1.el8e | 4.4.7.3-1.el8e |
redhat/ovirt-engine-extension-aaa-ldap-setup | <1.4.4-1.el8e | 1.4.4-1.el8e |
redhat/ovirt-engine-health-check-bundler | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-restapi | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-base | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-cinderlib | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-imageio | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-ovirt-engine | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-ovirt-engine-common | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-setup-plugin-websocket-proxy | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-tools | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-tools-backup | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-vmconsole-proxy-helper | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-webadmin-portal | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/ovirt-engine-websocket-proxy | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/python3-ovirt-engine-lib | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |
redhat/rhvm | <4.4.7.6-0.11.el8e | 4.4.7.6-0.11.el8e |