RHEL 8 : Red Hat Virtualization (RHSA-2020:5179)

high Nessus Plugin ID 143235

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5179 advisory.

The org.ovirt.engine-root package is a core component of oVirt.

The following packages have been upgraded to a later upstream version: engine-db-query (1.6.2), org.ovirt.engine-root (4.4.3.8), ovirt-engine-dwh (4.4.3.1), ovirt-engine-extension-aaa-ldap (1.4.2), ovirt-engine-extension-logger-log4j (1.1.1), ovirt-engine-metrics (1.4.2.1), ovirt-engine-ui-extensions (1.2.4), ovirt-log-collector (4.4.4), ovirt-web-ui (1.6.5), rhv-log-collector-analyzer (1.0.5), rhvm-branding-rhv (4.4.6). (BZ#1866981, BZ#1879377)

Security Fix(es):

* nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)

* nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)

* nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
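The three fixes above are all in JavaScript libraries bundled with the RHV Manager web UI, and two of them (CVE-2020-8203 and the handlebars lookup issue) belong to the prototype-pollution family: a library that writes to nested object paths follows an attacker-supplied key such as `__proto__` into `Object.prototype`, so every object in the process gains the injected property. The following is an added example, not lodash's code and not from the advisory: a minimal deep-set in the style of the helper behind `zipObjectDeep`, first as it behaved before the fix and then hardened, with a constructed attacker input. The function names and the `isAdmin` payload are assumptions for illustration.

```javascript
// Added example (not lodash's code): a minimal deep-set of the kind that
// zipObjectDeep relies on. Before the fix for CVE-2020-8203 a path such as
// "__proto__.isAdmin" walked into Object.prototype and wrote to it.

// Split a dotted path into keys: "a.b.c" -> ["a", "b", "c"].
function toPath(path) {
  return String(path).split('.').filter(k => k.length > 0);
}

// Vulnerable: follows every key, so "__proto__" or "constructor.prototype"
// redirects the walk into the shared prototype. ({}).__proto__ is not
// undefined, so the guard below never creates a fresh object for it.
function deepSetVulnerable(obj, path, value) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: reject the keys that can reach a prototype, and only descend
// into own, object-valued properties (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepSetSafe(obj, path, value) {
  const keys = toPath(path);
  if (keys.some(k => FORBIDDEN_KEYS.has(k))) {
    throw new Error('refusing prototype-polluting key in path: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// zipObjectDeep-style API: pair property paths with values into a new object.
function zipObjectDeep(setter, paths, values) {
  const result = {};
  for (let i = 0; i < paths.length; i++) setter(result, paths[i], values[i]);
  return result;
}

// Demonstration with constructed attacker-controlled input (e.g. a JSON body
// whose keys are handed to the library as property paths).
function demo() {
  const paths = ['profile.name', '__proto__.isAdmin'];
  const values = ['alice', true];

  const before = ({}).isAdmin;              // undefined
  zipObjectDeep(deepSetVulnerable, paths, values);
  const polluted = ({}).isAdmin;            // true: unrelated objects now "have" isAdmin
  delete Object.prototype.isAdmin;          // undo the pollution for the second half

  let safeThrew = false;
  try {
    zipObjectDeep(deepSetSafe, paths, values);
  } catch (e) {
    safeThrew = true;
  }
  const afterSafe = ({}).isAdmin;           // still undefined

  return { before, polluted, safeThrew, afterSafe };
}

console.log(demo());
```

The hardened setter also refuses a legitimate key literally named `constructor` or `prototype`; that is the usual trade-off made by the lodash fix and by most deep-merge libraries, and is preferable to the alternative of checking only `__proto__`. Note that a property written to `Object.prototype` by the vulnerable path shows up on every object until the process restarts, which is why pollution in a long-running engine such as ovirt-engine's web application is worth treating as more than a data-integrity bug.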

Bug Fix(es):

* Send --nowait to libvirt when collecting qemu stats, consuming the libvirt fix from bz#1552092 (BZ#1613514)

* Block moving HE hosts into different Data Centers and make HE host moved to different cluster NonOperational after activation (BZ#1702016)

* If an in-use MAC is held by a VM on a different cluster, the engine does not attempt to get the next free MAC. (BZ#1760170)

* Search backend cannot find VMs whose name starts with a search keyword (BZ#1797717)

* [Permissions] DataCenterAdmin role defined on DC level does not allow Cluster creation (BZ#1808320)

* enable-usb-autoshare is always 0 in console.vv and usb-filter option is listed two times (BZ#1811466)

* NumaPinningHelper is not huge pages aware, denies migration to suitable host (BZ#1812316)

* Adding quota to group doesn't propagate to users (BZ#1822372)

* Engine adds PCI-E elements to the XML of an i440FX SeaBIOS VM created from a Q35 template (BZ#1829691)

* Live Migration Bandwidth unit is different from Engine configuration (Mbps) and VDSM (MBps) (BZ#1845397)

* RHV-M shows successful operation if OVA export/import failed during qemu-img convert phase (BZ#1854888)

* Disk hotplug fails with libvirtError: Requested operation is not valid: Domain already contains a disk with that address (BZ#1855305)

* rhv-log-collector-analyzer --json fails with TypeError (BZ#1859314)

* RHV 4.4 on AMD EPYC 7742 throws a NUMA-related error on VM run (BZ#1866862)

* Issue with dashboards creation when sending metrics to external Elasticsearch (BZ#1870133)

* HostedEngine VM is broken after Cluster changed to UEFI (BZ#1871694)

* [CNV&RHV] Notification about VM creation contains an <UNKNOWN> string (BZ#1873136)

* VM stuck in Migrating status after migration completed due to incorrect status reported by VDSM after restart (BZ#1877632)

* Use 4.5 as compatibility level for the Default DataCenter and the Default Cluster during installation (BZ#1879280)

* Unable to create/add index pattern in step 5 of KCS article #4921101 (BZ#1881634)

* [CNV&RHV] Remove warning about no active storage domain for Kubevirt VMs (BZ#1883844)

* Deprecate and remove ovirt-engine-api-explorer (BZ#1884146)

* [CNV&RHV] Disable creating new disks for Kubevirt VM (BZ#1884634)

* Require ansible-2.9.14 in ovirt-engine (BZ#1888626)

Enhancement(s):

* [RFE] Virtualization support for NVDIMM - RHV (BZ#1361718)

* [RFE] - enable renaming HostedEngine VM name (BZ#1657294)

* [RFE] Enabling Icelake new NIs - RHV (BZ#1745024)

* [RFE] Show vCPUs and allocated memory in virtual machines summary (BZ#1752751)

* [RFE] RHV-M Deployment/Install needs its own UUID (BZ#1825020)

* [RFE] Destination Host in migrate VM dialog has to be searchable and sortable (BZ#1851865)

* [RFE] Expose the reinstallation required flag of the hosts in the API (BZ#1856671)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?6c916b37

https://access.redhat.com/security/updates/classification/#low

https://access.redhat.com/errata/RHSA-2020:5179

https://bugzilla.redhat.com/show_bug.cgi?id=1613514

https://bugzilla.redhat.com/show_bug.cgi?id=1657294

https://bugzilla.redhat.com/show_bug.cgi?id=1691253

https://bugzilla.redhat.com/show_bug.cgi?id=1702016

https://bugzilla.redhat.com/show_bug.cgi?id=1752751

https://bugzilla.redhat.com/show_bug.cgi?id=1760170

https://bugzilla.redhat.com/show_bug.cgi?id=1797717

https://bugzilla.redhat.com/show_bug.cgi?id=1808320

https://bugzilla.redhat.com/show_bug.cgi?id=1811466

https://bugzilla.redhat.com/show_bug.cgi?id=1812316

https://bugzilla.redhat.com/show_bug.cgi?id=1822372

https://bugzilla.redhat.com/show_bug.cgi?id=1825020

https://bugzilla.redhat.com/show_bug.cgi?id=1828241

https://bugzilla.redhat.com/show_bug.cgi?id=1829691

https://bugzilla.redhat.com/show_bug.cgi?id=1842344

https://bugzilla.redhat.com/show_bug.cgi?id=1845432

https://bugzilla.redhat.com/show_bug.cgi?id=1851865

https://bugzilla.redhat.com/show_bug.cgi?id=1854888

https://bugzilla.redhat.com/show_bug.cgi?id=1855305

https://bugzilla.redhat.com/show_bug.cgi?id=1856671

https://bugzilla.redhat.com/show_bug.cgi?id=1857412

https://bugzilla.redhat.com/show_bug.cgi?id=1859314

https://bugzilla.redhat.com/show_bug.cgi?id=1862101

https://bugzilla.redhat.com/show_bug.cgi?id=1866981

https://bugzilla.redhat.com/show_bug.cgi?id=1870133

https://bugzilla.redhat.com/show_bug.cgi?id=1871694

https://bugzilla.redhat.com/show_bug.cgi?id=1872911

https://bugzilla.redhat.com/show_bug.cgi?id=1873136

https://bugzilla.redhat.com/show_bug.cgi?id=1876923

https://bugzilla.redhat.com/show_bug.cgi?id=1877632

https://bugzilla.redhat.com/show_bug.cgi?id=1877679

https://bugzilla.redhat.com/show_bug.cgi?id=1879199

https://bugzilla.redhat.com/show_bug.cgi?id=1879280

https://bugzilla.redhat.com/show_bug.cgi?id=1879377

https://bugzilla.redhat.com/show_bug.cgi?id=1881634

https://bugzilla.redhat.com/show_bug.cgi?id=1882256

https://bugzilla.redhat.com/show_bug.cgi?id=1882260

https://bugzilla.redhat.com/show_bug.cgi?id=1883844

https://bugzilla.redhat.com/show_bug.cgi?id=1884146

https://bugzilla.redhat.com/show_bug.cgi?id=1884634

https://bugzilla.redhat.com/show_bug.cgi?id=1885976

https://bugzilla.redhat.com/show_bug.cgi?id=1887268

https://bugzilla.redhat.com/show_bug.cgi?id=1888626

https://bugzilla.redhat.com/show_bug.cgi?id=1889522

Plugin Details

Severity: High

ID: 143235

File Name: redhat-RHSA-2020-5179.nasl

Version: 1.10

Type: local

Agent: unix

Published: 11/24/2020

Updated: 6/3/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-20920

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python3-ovirt-engine-lib, p-cpe:/a:redhat:enterprise_linux:rhvm, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-webadmin-portal, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-health-check-bundler, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-cinderlib, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine-common, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools-backup, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-imageio, p-cpe:/a:redhat:enterprise_linux:ovirt-web-ui, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dbscripts, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-backend, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-restapi, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-base

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/24/2020

Vulnerability Publication Date: 7/15/2020

Reference Information

CVE: CVE-2019-20920, CVE-2019-20922, CVE-2020-8203

CWE: 20, 400

RHSA: 2020:5179