RHSA-2020:3247: Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update

The ovirt-engine package provides the Red Hat Virtualization Manager, a<br>centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. <br>The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).<br>A list of bugs fixed in this update is available in the Technical Notes<br>book:<br><a href="https://access.redhat.com/documentation/en-us/redhatvirtualization/4.4/html-single/technicalnotes" target="blank">https://access.redhat.com/documentation/en-us/redhatvirtualization/4.4/html-single/technicalnotes</a> Security Fix(es):<br><li> apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)</li> <li> libquartz: XXE attacks via job description (CVE-2019-13990)</li> <li> novnc: XSS vulnerability via the messages propagated to the status field (CVE-2017-18635)</li> <li> bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)</li> <li> nimbus-jose-jwt: Uncaught exceptions while parsing a JWT (CVE-2019-17195)</li> <li> ovirt-engine: responsetype parameter allows reflected XSS (CVE-2019-19336)</li> <li> nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload (CVE-2020-7598)</li> <li> ovirt-engine: Redirect to arbitrary URL allows for phishing (CVE-2020-10775)</li> <li> Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)</li> <li> jQuery: passing HTML containing &lt;option&gt; elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.