RHSA-2021:0799-01: Moderate: OpenShift Virtualization 2.6.0 security and bug fix update

Red Hat 8877 Published by

An OpenShift Virtualization 2.6.0 security and bug fix update has been released for Red Hat Enterprise Linux 8.



RHSA-2021:0799-01: Moderate: OpenShift Virtualization 2.6.0 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 2.6.0 security and bug fix update
Advisory ID: RHSA-2021:0799-01
Product: Container-native Virtualization
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:0799
Issue date: 2021-03-10
CVE Names: CVE-2018-10103 CVE-2018-10105 CVE-2018-14461
CVE-2018-14462 CVE-2018-14463 CVE-2018-14464
CVE-2018-14465 CVE-2018-14466 CVE-2018-14467
CVE-2018-14468 CVE-2018-14469 CVE-2018-14470
CVE-2018-14879 CVE-2018-14880 CVE-2018-14881
CVE-2018-14882 CVE-2018-16227 CVE-2018-16228
CVE-2018-16229 CVE-2018-16230 CVE-2018-16300
CVE-2018-16451 CVE-2018-16452 CVE-2018-20843
CVE-2019-5018 CVE-2019-8625 CVE-2019-8710
CVE-2019-8720 CVE-2019-8743 CVE-2019-8764
CVE-2019-8766 CVE-2019-8769 CVE-2019-8771
CVE-2019-8782 CVE-2019-8783 CVE-2019-8808
CVE-2019-8811 CVE-2019-8812 CVE-2019-8813
CVE-2019-8814 CVE-2019-8815 CVE-2019-8816
CVE-2019-8819 CVE-2019-8820 CVE-2019-8823
CVE-2019-8835 CVE-2019-8844 CVE-2019-8846
CVE-2019-11068 CVE-2019-13050 CVE-2019-13627
CVE-2019-14559 CVE-2019-14889 CVE-2019-15165
CVE-2019-15166 CVE-2019-15903 CVE-2019-16168
CVE-2019-16935 CVE-2019-17450 CVE-2019-18197
CVE-2019-19221 CVE-2019-19906 CVE-2019-19956
CVE-2019-20218 CVE-2019-20387 CVE-2019-20388
CVE-2019-20454 CVE-2019-20807 CVE-2019-20907
CVE-2019-20916 CVE-2020-1730 CVE-2020-1751
CVE-2020-1752 CVE-2020-1971 CVE-2020-3862
CVE-2020-3864 CVE-2020-3865 CVE-2020-3867
CVE-2020-3868 CVE-2020-3885 CVE-2020-3894
CVE-2020-3895 CVE-2020-3897 CVE-2020-3899
CVE-2020-3900 CVE-2020-3901 CVE-2020-3902
CVE-2020-6405 CVE-2020-6829 CVE-2020-7595
CVE-2020-8492 CVE-2020-8619 CVE-2020-8622
CVE-2020-8623 CVE-2020-8624 CVE-2020-9283
CVE-2020-9327 CVE-2020-9802 CVE-2020-9803
CVE-2020-9805 CVE-2020-9806 CVE-2020-9807
CVE-2020-9843 CVE-2020-9850 CVE-2020-9862
CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
CVE-2020-9915 CVE-2020-9925 CVE-2020-10018
CVE-2020-10029 CVE-2020-11793 CVE-2020-12321
CVE-2020-12400 CVE-2020-12403 CVE-2020-13630
CVE-2020-13631 CVE-2020-13632 CVE-2020-14040
CVE-2020-14351 CVE-2020-14382 CVE-2020-14391
CVE-2020-14422 CVE-2020-15503 CVE-2020-15586
CVE-2020-15999 CVE-2020-16845 CVE-2020-24659
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683
CVE-2020-25684 CVE-2020-25685 CVE-2020-25686
CVE-2020-25687 CVE-2020-25705 CVE-2020-26160
CVE-2020-27813 CVE-2020-28362 CVE-2020-29652
CVE-2020-29661 CVE-2021-3121 CVE-2021-3156
CVE-2021-20206
=====================================================================

1. Summary:

An update is now available for RHEL-8-CNV-2.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 2.6.0 images:

RHEL-8-CNV-2.6
==============
kubevirt-cpu-node-labeller-container-v2.6.0-5
kubevirt-cpu-model-nfd-plugin-container-v2.6.0-5
node-maintenance-operator-container-v2.6.0-13
kubevirt-vmware-container-v2.6.0-5
virtio-win-container-v2.6.0-5
kubevirt-kvm-info-nfd-plugin-container-v2.6.0-5
bridge-marker-container-v2.6.0-9
kubevirt-template-validator-container-v2.6.0-9
kubevirt-v2v-conversion-container-v2.6.0-6
kubemacpool-container-v2.6.0-13
kubevirt-ssp-operator-container-v2.6.0-40
hyperconverged-cluster-webhook-container-v2.6.0-73
hyperconverged-cluster-operator-container-v2.6.0-73
ovs-cni-plugin-container-v2.6.0-10
cnv-containernetworking-plugins-container-v2.6.0-10
ovs-cni-marker-container-v2.6.0-10
cluster-network-addons-operator-container-v2.6.0-16
hostpath-provisioner-container-v2.6.0-11
hostpath-provisioner-operator-container-v2.6.0-14
vm-import-virtv2v-container-v2.6.0-21
kubernetes-nmstate-handler-container-v2.6.0-19
vm-import-controller-container-v2.6.0-21
vm-import-operator-container-v2.6.0-21
virt-api-container-v2.6.0-111
virt-controller-container-v2.6.0-111
virt-handler-container-v2.6.0-111
virt-operator-container-v2.6.0-111
virt-launcher-container-v2.6.0-111
cnv-must-gather-container-v2.6.0-54
virt-cdi-importer-container-v2.6.0-24
virt-cdi-cloner-container-v2.6.0-24
virt-cdi-controller-container-v2.6.0-24
virt-cdi-uploadserver-container-v2.6.0-24
virt-cdi-apiserver-container-v2.6.0-24
virt-cdi-uploadproxy-container-v2.6.0-24
virt-cdi-operator-container-v2.6.0-24
hco-bundle-registry-container-v2.6.0-582

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

* golang: crypto/ssh: crafted authentication request can lead to nil
pointer dereference (CVE-2020-29652)

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)

* golang-github-gorilla-websocket: integer overflow leads to denial of
service (CVE-2020-27813)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* containernetworking-cni: Arbitrary path injection via type field in CNI
configuration (CVE-2021-20206)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1732329 - Virtual Machine is missing documentation of its properties in yaml editor
1783192 - Guest kernel panic when start RHEL6.10 guest with q35 machine type and virtio disk in cnv
1791753 - [RFE] [SSP] Template validator should check validations in template's parent template
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1848954 - KMP missing CA extensions in cabundle of mutatingwebhookconfiguration
1848956 - KMP requires downtime for CA stabilization during certificate rotation
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1853911 - VM with dot in network name fails to start with unclear message
1854098 - NodeNetworkState on workers doesn't have "status" key due to nmstate-handler pod failure to run "nmstatectl show"
1856347 - SR-IOV : Missing network name for sriov during vm setup
1856953 - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
1859235 - Common Templates - after upgrade there are 2 common templates per each os-workload-flavor combination
1860714 - No API information from `oc explain`
1860992 - CNV upgrade - users are not removed from privileged SecurityContextConstraints
1864577 - [v2v][RHV to CNV non migratable source VM fails to import to Ceph-rbd / File system due to overhead required for Filesystem
1866593 - CDI is not handling vm disk clone
1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
1868817 - Container-native Virtualization 2.6.0 Images
1873771 - Improve the VMCreationFailed error message caused by VM low memory
1874812 - SR-IOV: Guest Agent expose link-local ipv6 address for sometime and then remove it
1878499 - DV import doesn't recover from scratch space PVC deletion
1879108 - Inconsistent naming of "oc virt" command in help text
1881874 - openshift-cnv namespace is getting stuck if the user tries to delete it while CNV is running
1883232 - Webscale: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT
1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
1885153 - [v2v][RHV to CNv VM import] Wrong Network mapping do not show a relevant error message
1885418 - [openshift-cnv] issues with memory overhead calculation when limits are used
1887398 - [openshift-cnv][CNV] nodes need to exist and be labeled first, *before* the NodeNetworkConfigurationPolicy is applied
1889295 - [v2v][VMware to CNV VM import API] diskMappings: volumeMode Block is not passed on to PVC request.
1891285 - Common templates and kubevirt-config cm - update machine-type
1891440 - [v2v][VMware to CNV VM import API]Source VM with no network interface fail with unclear error
1892227 - [SSP] cluster scoped resources are not being reconciled
1893278 - openshift-virtualization-os-images namespace not seen by user
1893646 - [HCO] Pod placement configuration - dry run is not performed for all the configuration stanza
1894428 - Message for VMI not migratable is not clear enough
1894824 - [v2v][VM import] Pick the smallest template for the imported VM, and not always Medium
1894897 - [v2v][VMIO] VMimport CR is not reported as failed when target VM is deleted during the import
1895414 - Virt-operator is accepting updates to the placement of its workload components even with running VMs
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1898072 - Add Fedora33 to Fedora common templates
1898840 - [v2v] VM import VMWare to CNV Import 63 chars vm name should not fail
1899558 - CNV 2.6 - nmstate fails to set state
1901480 - VM disk io can't worked if namespace have label kubemacpool
1902046 - Not possible to edit CDIConfig (through CDI CR / CDIConfig)
1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
1903014 - hco-webhook pod in CreateContainerError
1903585 - [v2v] Windows 2012 VM imported from RHV goes into Windows repair mode
1904797 - [VMIO][vmware] A migrated RHEL/Windows VM starts in emergency mode/safe mode when target storage is NFS and target namespace is NOT "default"
1906199 - [CNV-2.5] CNV Tries to Install on Windows Workers
1907151 - kubevirt version is not reported correctly via virtctl
1907352 - VM/VMI link changes to `kubevirt.io~v1~VirtualMachineInstance` on CNV 2.6
1907691 - [CNV] Configuring NodeNetworkConfigurationPolicy caused "Internal error occurred" for creating datavolume
1907988 - VM loses dynamic IP address of its default interface after migration
1908363 - Applying NodeNetworkConfigurationPolicy for different NIC than default disables br-ex bridge and nodes lose connectivity
1908421 - [v2v] [VM import RHV to CNV] Windows imported VM boot failed: INACCESSIBLE BOOT DEVICE error
1908883 - CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference
1909458 - [V2V][VMware to CNV VM import via api using VMIO] VM import to Ceph RBD/BLOCK fails on "qemu-img: /data/disk.img" error
1910857 - Provide a mechanism to enable the HotplugVolumes feature gate via HCO
1911118 - Windows VMI LiveMigration / shutdown fails on 'XML error: non unique alias detected: ua-')
1911396 - Set networkInterfaceMultiqueue false in rhel 6 template for e1000e interface
1911662 - el6 guests don't work properly if virtio bus is specified on various devices
1912908 - Allow using "scsi" bus for disks in template validation
1913248 - Creating vlan interface on top of a bond device via NodeNetworkConfigurationPolicy fails
1913320 - Informative message needed with virtctl image-upload, that additional step is needed from the user
1913717 - Users should have read permitions for golden images data volumes
1913756 - Migrating to Ceph-RBD + Block fails when skipping zeroes
1914177 - CNV does not preallocate blank file data volumes
1914608 - Obsolete CPU models (kubevirt-cpu-plugin-configmap) are set on worker nodes
1914947 - HPP golden images - DV shoudld not be created with WaitForFirstConsumer
1917908 - [VMIO] vmimport pod fail to create when using ceph-rbd/block
1917963 - [CNV 2.6] Unable to install CNV disconnected - requires kvm-info-nfd-plugin which is not mirrored
1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
1920576 - HCO can report ready=true when it failed to create a CR for a component operator
1920610 - e2e-aws-4.7-cnv consistently failing on Hyperconverged Cluster Operator
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923979 - kubernetes-nmstate: nmstate-handler pod crashes when configuring bridge device using ip tool
1927373 - NoExecute taint violates pdb; VMIs are not live migrated
1931376 - VMs disconnected from nmstate-defined bridge after CNV-2.5.4->CNV-2.6.0 upgrade

5. References:

  https://access.redhat.com/security/cve/CVE-2018-10103
  https://access.redhat.com/security/cve/CVE-2018-10105
  https://access.redhat.com/security/cve/CVE-2018-14461
  https://access.redhat.com/security/cve/CVE-2018-14462
  https://access.redhat.com/security/cve/CVE-2018-14463
  https://access.redhat.com/security/cve/CVE-2018-14464
  https://access.redhat.com/security/cve/CVE-2018-14465
  https://access.redhat.com/security/cve/CVE-2018-14466
  https://access.redhat.com/security/cve/CVE-2018-14467
  https://access.redhat.com/security/cve/CVE-2018-14468
  https://access.redhat.com/security/cve/CVE-2018-14469
  https://access.redhat.com/security/cve/CVE-2018-14470
  https://access.redhat.com/security/cve/CVE-2018-14879
  https://access.redhat.com/security/cve/CVE-2018-14880
  https://access.redhat.com/security/cve/CVE-2018-14881
  https://access.redhat.com/security/cve/CVE-2018-14882
  https://access.redhat.com/security/cve/CVE-2018-16227
  https://access.redhat.com/security/cve/CVE-2018-16228
  https://access.redhat.com/security/cve/CVE-2018-16229
  https://access.redhat.com/security/cve/CVE-2018-16230
  https://access.redhat.com/security/cve/CVE-2018-16300
  https://access.redhat.com/security/cve/CVE-2018-16451
  https://access.redhat.com/security/cve/CVE-2018-16452
  https://access.redhat.com/security/cve/CVE-2018-20843
  https://access.redhat.com/security/cve/CVE-2019-5018
  https://access.redhat.com/security/cve/CVE-2019-8625
  https://access.redhat.com/security/cve/CVE-2019-8710
  https://access.redhat.com/security/cve/CVE-2019-8720
  https://access.redhat.com/security/cve/CVE-2019-8743
  https://access.redhat.com/security/cve/CVE-2019-8764
  https://access.redhat.com/security/cve/CVE-2019-8766
  https://access.redhat.com/security/cve/CVE-2019-8769
  https://access.redhat.com/security/cve/CVE-2019-8771
  https://access.redhat.com/security/cve/CVE-2019-8782
  https://access.redhat.com/security/cve/CVE-2019-8783
  https://access.redhat.com/security/cve/CVE-2019-8808
  https://access.redhat.com/security/cve/CVE-2019-8811
  https://access.redhat.com/security/cve/CVE-2019-8812
  https://access.redhat.com/security/cve/CVE-2019-8813
  https://access.redhat.com/security/cve/CVE-2019-8814
  https://access.redhat.com/security/cve/CVE-2019-8815
  https://access.redhat.com/security/cve/CVE-2019-8816
  https://access.redhat.com/security/cve/CVE-2019-8819
  https://access.redhat.com/security/cve/CVE-2019-8820
  https://access.redhat.com/security/cve/CVE-2019-8823
  https://access.redhat.com/security/cve/CVE-2019-8835
  https://access.redhat.com/security/cve/CVE-2019-8844
  https://access.redhat.com/security/cve/CVE-2019-8846
  https://access.redhat.com/security/cve/CVE-2019-11068
  https://access.redhat.com/security/cve/CVE-2019-13050
  https://access.redhat.com/security/cve/CVE-2019-13627
  https://access.redhat.com/security/cve/CVE-2019-14559
  https://access.redhat.com/security/cve/CVE-2019-14889
  https://access.redhat.com/security/cve/CVE-2019-15165
  https://access.redhat.com/security/cve/CVE-2019-15166
  https://access.redhat.com/security/cve/CVE-2019-15903
  https://access.redhat.com/security/cve/CVE-2019-16168
  https://access.redhat.com/security/cve/CVE-2019-16935
  https://access.redhat.com/security/cve/CVE-2019-17450
  https://access.redhat.com/security/cve/CVE-2019-18197
  https://access.redhat.com/security/cve/CVE-2019-19221
  https://access.redhat.com/security/cve/CVE-2019-19906
  https://access.redhat.com/security/cve/CVE-2019-19956
  https://access.redhat.com/security/cve/CVE-2019-20218
  https://access.redhat.com/security/cve/CVE-2019-20387
  https://access.redhat.com/security/cve/CVE-2019-20388
  https://access.redhat.com/security/cve/CVE-2019-20454
  https://access.redhat.com/security/cve/CVE-2019-20807
  https://access.redhat.com/security/cve/CVE-2019-20907
  https://access.redhat.com/security/cve/CVE-2019-20916
  https://access.redhat.com/security/cve/CVE-2020-1730
  https://access.redhat.com/security/cve/CVE-2020-1751
  https://access.redhat.com/security/cve/CVE-2020-1752
  https://access.redhat.com/security/cve/CVE-2020-1971
  https://access.redhat.com/security/cve/CVE-2020-3862
  https://access.redhat.com/security/cve/CVE-2020-3864
  https://access.redhat.com/security/cve/CVE-2020-3865
  https://access.redhat.com/security/cve/CVE-2020-3867
  https://access.redhat.com/security/cve/CVE-2020-3868
  https://access.redhat.com/security/cve/CVE-2020-3885
  https://access.redhat.com/security/cve/CVE-2020-3894
  https://access.redhat.com/security/cve/CVE-2020-3895
  https://access.redhat.com/security/cve/CVE-2020-3897
  https://access.redhat.com/security/cve/CVE-2020-3899
  https://access.redhat.com/security/cve/CVE-2020-3900
  https://access.redhat.com/security/cve/CVE-2020-3901
  https://access.redhat.com/security/cve/CVE-2020-3902
  https://access.redhat.com/security/cve/CVE-2020-6405
  https://access.redhat.com/security/cve/CVE-2020-6829
  https://access.redhat.com/security/cve/CVE-2020-7595
  https://access.redhat.com/security/cve/CVE-2020-8492
  https://access.redhat.com/security/cve/CVE-2020-8619
  https://access.redhat.com/security/cve/CVE-2020-8622
  https://access.redhat.com/security/cve/CVE-2020-8623
  https://access.redhat.com/security/cve/CVE-2020-8624
  https://access.redhat.com/security/cve/CVE-2020-9283
  https://access.redhat.com/security/cve/CVE-2020-9327
  https://access.redhat.com/security/cve/CVE-2020-9802
  https://access.redhat.com/security/cve/CVE-2020-9803
  https://access.redhat.com/security/cve/CVE-2020-9805
  https://access.redhat.com/security/cve/CVE-2020-9806
  https://access.redhat.com/security/cve/CVE-2020-9807
  https://access.redhat.com/security/cve/CVE-2020-9843
  https://access.redhat.com/security/cve/CVE-2020-9850
  https://access.redhat.com/security/cve/CVE-2020-9862
  https://access.redhat.com/security/cve/CVE-2020-9893
  https://access.redhat.com/security/cve/CVE-2020-9894
  https://access.redhat.com/security/cve/CVE-2020-9895
  https://access.redhat.com/security/cve/CVE-2020-9915
  https://access.redhat.com/security/cve/CVE-2020-9925
  https://access.redhat.com/security/cve/CVE-2020-10018
  https://access.redhat.com/security/cve/CVE-2020-10029
  https://access.redhat.com/security/cve/CVE-2020-11793
  https://access.redhat.com/security/cve/CVE-2020-12321
  https://access.redhat.com/security/cve/CVE-2020-12400
  https://access.redhat.com/security/cve/CVE-2020-12403
  https://access.redhat.com/security/cve/CVE-2020-13630
  https://access.redhat.com/security/cve/CVE-2020-13631
  https://access.redhat.com/security/cve/CVE-2020-13632
  https://access.redhat.com/security/cve/CVE-2020-14040
  https://access.redhat.com/security/cve/CVE-2020-14351
  https://access.redhat.com/security/cve/CVE-2020-14382
  https://access.redhat.com/security/cve/CVE-2020-14391
  https://access.redhat.com/security/cve/CVE-2020-14422
  https://access.redhat.com/security/cve/CVE-2020-15503
  https://access.redhat.com/security/cve/CVE-2020-15586
  https://access.redhat.com/security/cve/CVE-2020-15999
  https://access.redhat.com/security/cve/CVE-2020-16845
  https://access.redhat.com/security/cve/CVE-2020-24659
  https://access.redhat.com/security/cve/CVE-2020-25681
  https://access.redhat.com/security/cve/CVE-2020-25682
  https://access.redhat.com/security/cve/CVE-2020-25683
  https://access.redhat.com/security/cve/CVE-2020-25684
  https://access.redhat.com/security/cve/CVE-2020-25685
  https://access.redhat.com/security/cve/CVE-2020-25686
  https://access.redhat.com/security/cve/CVE-2020-25687
  https://access.redhat.com/security/cve/CVE-2020-25705
  https://access.redhat.com/security/cve/CVE-2020-26160
  https://access.redhat.com/security/cve/CVE-2020-27813
  https://access.redhat.com/security/cve/CVE-2020-28362
  https://access.redhat.com/security/cve/CVE-2020-29652
  https://access.redhat.com/security/cve/CVE-2020-29661
  https://access.redhat.com/security/cve/CVE-2021-3121
  https://access.redhat.com/security/cve/CVE-2021-3156
  https://access.redhat.com/security/cve/CVE-2021-20206
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

KDE neon 20210310 released

New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2021-9084)

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...