RHSA-2022:8502-01: Moderate: RHV Manager (ovirt-engine) ovirt-4.5.3: bug fix and security update
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.3] bug fix and security update
Advisory ID: RHSA-2022:8502-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8502
Issue date: 2022-11-16
CVE Names: CVE-2022-0155 CVE-2022-2805
Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.
* follow-redirects: Exposure of Private Personal Information to an
Unauthorized Actor (CVE-2022-0155)
* ovirt-engine: RHVM admin password is logged unfiltered when using
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
* Ghost OVFs are written when using floating SD to migrate VMs between 2
RHV environments. (BZ#1705338)
* RHV engine is reporting a delete disk with wipe as completing
successfully when it actually fails from a timeout. (BZ#1836318)
* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is
being imported' (BZ#1968433)
* Virtual Machine with lease fails to run on DR failover (BZ#1974535)
* Disk is missing after importing VM from Storage Domain that was detached
from another DC. (BZ#1983567)
* Unable to switch RHV host into maintenance mode as there are image
transfer in progress (BZ#2123141)
* not able to import disk in 4.5.2 (BZ#2134549)
* [RFE] Show last events for user VMs (BZ#1886211)
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
5. Bugs fixed ( https://bugzilla.redhat.com/):
1705338 - Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments.
1836318 - RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout.
1886211 - [RFE] Show last events for user VMs
1968433 - [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported'
1974535 - Virtual Machine with lease fails to run on DR failover
1983567 - Disk is missing after importing VM from Storage Domain that was detached from another DC.
2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
2079545 - CVE-2022-2805 ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style
2118672 - Use rpm instead of auto in package_facts ansible module to prevent mistakes of determining the correct package manager inside package_facts module
2123141 - Unable to switch RHV host into maintenance mode as there are image transfer in progress
2127836 - Create template dialog is not closed when clicking in OK and the template is not created
2134549 - not able to import disk in 4.5.2
2137207 - The RemoveDisk job finishes before the disk was removed from the DB
6. Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
A RHV Manager (ovirt-engine) ovirt-4.5.3: bug fix and security update has been released.