RHSA-2021:2865: Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]
The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

Security Fix(es):

* nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Foreman integration, which allowed bare metal hosts to be provisioned from the Administration Portal using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7. Similar functionality can be achieved by provisioning bare metal hosts with Foreman directly and then adding the already provisioned host through the Administration Portal or the REST API. (BZ#1901011)

* Adding a message banner to the web administration welcome page is straightforward using a custom brand that contains only a preamble section. An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329. During an engine upgrade the custom preamble brand remains in place and continues to work. During engine backup and subsequent restore, however, the custom preamble branding is not restored automatically: after the restore it must be manually reinstalled and verified. (BZ#1804774)

* The column name threadspercore in the Red Hat Virtualization Manager Dashboard is deprecated and will be removed in a future release. In version 4.4.7.2 the column name threadspercore is changed to numberofthreads. In the Data Warehouse the old name is retained as an additional alias, so two columns provide the same data (numberofthreads and threadspercore); threadspercore will be removed in a future version. (BZ#1896359)
Frequently Asked Questions
What is the severity of RHSA-2021:2865?
Red Hat rates RHSA-2021:2865 as Moderate, as stated in the advisory title. The most serious individual issue it fixes is the arbitrary code execution in nodejs-underscore (CVE-2021-23358); the other three are regular expression denial of service issues.
How do I fix RHSA-2021:2865?
To fix RHSA-2021:2865, update the ovirt-engine package to version 4.4.7.6-0.11.el8e or higher. Apply the whole erratum rather than the single package, since ovirt-engine-dwh and the ovirt-engine extensions ship in the same update, and confirm the installed version afterwards with rpm -q ovirt-engine.
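The "or higher" in the answer above is an RPM version comparison, not a string comparison: 4.4.10 sorts after 4.4.9, and 1.0~rc1 sorts before 1.0. The following Python script, added here as an illustration and not part of the advisory or of the oVirt/RHV code base, ports rpm's rpmvercmp() segment comparison and applies it to the output of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`. The sample rpm output is constructed; the fixed version string is copied from the FAQ answer as printed on this page, so confirm it against the erratum's package list before relying on the result. The '^' separator that newer rpm releases support is not handled.

```python
"""Check whether installed ovirt-engine is at or above the version fixed by
RHSA-2021:2865. Stand-alone illustration; not oVirt/RHV code."""
import re

# Fixed EVR as printed in this page's FAQ; verify against the erratum itself.
FIXED = {"ovirt-engine": "4.4.7.6-0.11.el8e"}

# Constructed sample output of:
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' 'ovirt-engine*'
SAMPLE_VULNERABLE = """\
ovirt-engine (none):4.4.6.8-0.1.el8ev
ovirt-engine-dwh (none):4.4.6.3-1.el8ev
"""
SAMPLE_PATCHED = """\
ovirt-engine (none):4.4.7.6-0.11.el8ev
ovirt-engine-dwh (none):4.4.7.1-1.el8ev
"""

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def _is_token_char(c: str) -> bool:
    # rpm treats ASCII alphanumerics and '~' as significant; everything else
    # ('.', '-', '_', '+', ...) is a separator that is skipped.
    return c == "~" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like strcmp."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_token_char(a[i]):
            i += 1
        while j < len(b) and not _is_token_char(b[j]):
            j += 1
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0).
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters, typed by a's first char.
        pat = _DIGITS if "0" <= a[i] <= "9" else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:
            # Segment types differ: a numeric segment is always newer.
            return 1 if pat is _DIGITS else -1
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if pat is _DIGITS:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer numeric string is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover characters win


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' as rpm prints it; '(none)' means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", epoch
    if epoch in ("", "(none)"):
        epoch = "0"
    version, _, release = rest.rpartition("-")
    if not version:  # no release component present
        version, release = release, ""
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(rpm_qa_output: str, fixed: dict = FIXED) -> dict:
    """Map each package in `fixed` to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            installed[name] = evr.strip()
    status = {}
    for name, fixed_evr in fixed.items():
        if name not in installed:
            status[name] = "not installed"
        elif evrcmp(installed[name], fixed_evr) >= 0:
            status[name] = "fixed"
        else:
            status[name] = "vulnerable"
    return status


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VULNERABLE
    for pkg, state in audit(data).items():
        print(f"{pkg}: {state}")
```

Pipe real `rpm -qa --qf ...` output into the script on a Manager host; with no input it evaluates the constructed vulnerable sample. Because the release string on the page ends in el8e while shipped RHV packages carry a longer dist tag, a package whose release is lexically longer in its final alpha segment still compares as newer, which is why the threshold should be double-checked against the erratum.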
Which packages are affected by RHSA-2021:2865?
The affected packages include ovirt-engine, ovirt-engine-dwh, and various ovirt-engine extensions among others.
What type of vulnerability is addressed in RHSA-2021:2865?
RHSA-2021:2865 addresses four issues in Node.js dependencies bundled with the Manager's web UI: an arbitrary code execution vulnerability in nodejs-underscore's template function (CVE-2021-23358) and three regular expression denial of service (ReDoS) vulnerabilities in nodejs-glob-parent (CVE-2020-28469), nodejs-ua-parser-js (CVE-2020-7733) and nodejs-path-parse (CVE-2021-23343).
Is there a specific Red Hat version required for the fix in RHSA-2021:2865?
Yes. The fixed packages are built for Red Hat Enterprise Linux 8 (the el8 suffix in the package release), which is the platform RHV 4.4.7 Manager hosts run on.