[RHSA-2023:4664-01] Important: OpenShift Virtualization 4.13.3 Images security and bug fix update
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Virtualization 4.13.3 Images security and bug fix update
Advisory ID: RHSA-2023:4664-01
Product: OpenShift Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4664
Issue date: 2023-08-16
CVE Names: CVE-2022-41723 CVE-2022-45869 CVE-2022-46663
CVE-2023-0458 CVE-2023-1998 CVE-2023-2002
CVE-2023-2124 CVE-2023-2194 CVE-2023-2235
CVE-2023-2700 CVE-2023-3089 CVE-2023-3090
CVE-2023-22652 CVE-2023-24534 CVE-2023-24536
CVE-2023-24537 CVE-2023-24538 CVE-2023-24539
CVE-2023-24540 CVE-2023-28321 CVE-2023-28322
CVE-2023-28466 CVE-2023-28484 CVE-2023-29400
CVE-2023-29469 CVE-2023-32233 CVE-2023-32681
CVE-2023-35788
=====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 4.13.3 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.13.3 images.
Security Fix(es):
* openshift: OCP & FIPS mode (CVE-2023-3089)
* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)
* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)
* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)
* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)
* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)
* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes
(BZ#2054863)
* "failed to sync guest time" log spam in destination virt-launcher pod
during VM live migration (BZ#2064160)
* Missing documentation for snapshot recording rules (BZ#2143165)
* KubevirtHyperconvergedClusterOperatorCRModification alert in firing state
during cnv upgrade (4.11.2->4.12.0) (BZ#2154319)
* VMExport: can't download a PVC that was created from DV on NFS (when
there's no VM that owns this PVC) - the storage doesn't support fsGroup
(BZ#2156525)
* Unable to do post-copy migration (BZ#2164836)
* empty libvirt metrics output, when executing metrics Prometheus query on
a vm that is paused status (BZ#2172544)
* The filter items on instanceType page is not horizontal aligned
(BZ#2174744)
* "No NetworkAttachmentDefinitions available" should not show when editing
pod networking (BZ#2175651)
* CNV 4.13 nightly | manually increasing the number of virt-api pods does
not work (BZ#2175710)
* The volume in instanceTypes page should be selected automatically just
after it's been added (BZ#2177977)
* PVC size is not readable while selecting "PVC (creates PVC)" in disk
modal (BZ#2180666)
* "Copy SSH command" get undefined user (BZ#2180719)
* [Nonpriv] VM Memory does not show in details card of overview or details
tab (BZ#2181432)
* spec.firmware.bootloader is not copied while cloning a UEFI VM
(BZ#2181515)
* kubevirt-plugin (now kubevirt-console-plugin) ignores node placement
configuration (BZ#2181999)
* VM metrics graphs are render incorrectly (BZ#2182000)
* Restore VM's pretty names (BZ#2182317)
* Cannot clone VM to other namespace if the VM is created from instanceType
(BZ#2182938)
* "No data available" shows on Virtualization overview metrics chart
(BZ#2183915)
* Some CNV installation components are missing required labels (BZ#2187509)
* Custom SELinux policy for virt_launcher still present on CNV with
DisableCustomSELinuxPolicy feature gate enabled (BZ#2188144)
* VM created from CD source registry cannot be started due to
InvalidImageName (BZ#2189744)
* lun cannot be used with DVs (BZ#2190171)
* [4.13.z] Missing virtctl vmexport download manifests command (BZ#2203727)
* [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI
provisioners (BZ#2220844)
* [cnv-4.13] isolateEmulatorThread should not block live migration
(BZ#2229148)
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed ( https://bugzilla.redhat.com/):
2054863 - Consistency in naming mediatedDevicesTypes and nodemediatedDeviceTypes
2064160 - "failed to sync guest time" log spam in destination virt-launcher pod during VM live migration
2130604 - Unable to start/stop VM while rebooting the node where kubemacpool-mac-controller-manager pod is running
2143165 - Missing documentation for snapshot recording rules
2154319 - KubevirtHyperconvergedClusterOperatorCRModification alert in firing state during cnv upgrade (4.11.2->4.12.0)
2156525 - VMExport: can't download a PVC that was created from DV on NFS (when there's no VM that owns this PVC) - the storage doesn't support fsGroup
2164836 - Unable to do post-copy migration
2172544 - empty libvirt metrics output, when executing metrics Prometheus query on a vm that is paused status
2174744 - The filter items on instanceType page is not horizontal aligned
2175651 - "No NetworkAttachmentDefinitions available" should not show when editing pod networking
2175710 - CNV 4.13 nightly | manually increasing the number of virt-api pods does not work
2177977 - The volume in instanceTypes page should be selected automatically just after it's been added
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2180666 - PVC size is not readable while selecting "PVC (creates PVC)" in disk modal
2180719 - "Copy SSH command" get undefined user
2181432 - [Nonpriv] VM Memory does not show in details card of overview or details tab
2181515 - spec.firmware.bootloader is not copied while cloning a UEFI VM
2181999 - kubevirt-plugin (now kubevirt-console-plugin) ignores node placement configuration
2182000 - VM metrics graphs are render incorrectly
2182317 - Restore VM's pretty names
2182938 - Cannot clone VM to other namespace if the VM is created from instanceType
2183915 - "No data available" shows on Virtualization overview metrics chart
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2187509 - Some CNV installation components are missing required labels
2188144 - Custom SELinux policy for virt_launcher still present on CNV with DisableCustomSELinuxPolicy feature gate enabled
2189744 - VM created from CD source registry cannot be started due to InvalidImageName
2190171 - lun can not be used with DVs
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203727 - [4.13.z] Missing?virtctl vmexport download manifests command
2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
2220844 - [4.13]Missing StorageProfile defaults for IBM and AWS EFS CSI provisioners
2221913 - [4.13]DataImportCron Garbage Collection can mistakenly delete latest PVC
2229148 - [cnv-4.13] isolateEmulatorThread should not block live migration
5. References:
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-45869
https://access.redhat.com/security/cve/CVE-2022-46663
https://access.redhat.com/security/cve/CVE-2023-0458
https://access.redhat.com/security/cve/CVE-2023-1998
https://access.redhat.com/security/cve/CVE-2023-2002
https://access.redhat.com/security/cve/CVE-2023-2124
https://access.redhat.com/security/cve/CVE-2023-2194
https://access.redhat.com/security/cve/CVE-2023-2235
https://access.redhat.com/security/cve/CVE-2023-2700
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-3090
https://access.redhat.com/security/cve/CVE-2023-22652
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28322
https://access.redhat.com/security/cve/CVE-2023-28466
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32233
https://access.redhat.com/security/cve/CVE-2023-32681
https://access.redhat.com/security/cve/CVE-2023-35788
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2023-001
6. Contact:
The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
--
An OpenShift Virtualization 4.13.3 Images security and bug fix update has been released.
