RHEL 8 : RHV Host (ovirt-host) 4.4.z security, (Moderate) (RHSA-2021:1184)

high Nessus Plugin ID 148540

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2021:1184 advisory.

The ovirt-hosted-engine-setup package provides a self-hosted engine tool for the Red Hat Virtualization Manager. A self-hosted engine is a virtualized environment in which the Manager runs on a virtual machine on the hosts managed by the Manager.
Bug Fix(es):

* In this release, it is now possible to enter a path to the OVA archive for local appliance installation using the cockpit-ovirt UI. (BZ#1755156)

* Previously, following a successful migration on the Self-hosted Engine, he HA agent on the source host immediately moved to the state EngineDown, and shorly thereafter tried to start the engine locally, if the destination host didn't update the shared storage quickly enough, marking the Manager virtual machine as being up.
As a result, starting the virtual machine failed due to a shared lock held by the destination host. This also resulted in generating false alarms and notifications.
In this release, the HA agent first moves to the state EngineMaybeAway, providing the destination host more time to update the shared storage with the updated state. As a result, no notifications or false alarms are generated.
Note: in scenarios where the virtual machine needs to be started on the source host, this fix slightly increases the time it takes the Manager virtual machine on the source host to start. (BZ#1815589)

* Previously, if a host in the Self-hosted Engine had an ID number higher than 64, other hosts did not recognize that host, and the host did not appear in 'hosted-engine --vm-status'.
In this release, the Self-hosted Engine allows host ID numbers of up to 2000. (BZ#1916032)

* ovirt-hosted-engine-setup now requires ansible-2.9.17. (BZ#1921108)

* Previously the logical names for disks without a mounted filesystem were not displayed in the Red Hat Virtualization Manager.
In this release, logical names for such disks are properly reported provided the version of QEMU Guest Agent in the virtual machine is 5.2 or higher. (BZ#1836661)

* Previously, if the Seal option was used when creating a template for Linux virtual machines, the original host name was not removed from the template.
In this release, the host name is set to localhost or the new virtual machine host name. (BZ#1860492)

* Previously, the used memory of the host didn't take the SReclaimable memory into consideration while it did for free memory. As a result, there were discrepancies in the host statistics.
In this release, the SReclaimable memory is a part of the used memory calculation. (BZ#1916519)

Security Fix(es):

* datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected cockpit-ovirt-dashboard package.

See Also

http://www.nessus.org/u?71e6e6a2

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/errata/RHSA-2021:1184

https://bugzilla.redhat.com/show_bug.cgi?id=1755156

https://bugzilla.redhat.com/show_bug.cgi?id=1796415

https://bugzilla.redhat.com/show_bug.cgi?id=1815589

https://bugzilla.redhat.com/show_bug.cgi?id=1836661

https://bugzilla.redhat.com/show_bug.cgi?id=1860492

https://bugzilla.redhat.com/show_bug.cgi?id=1870435

https://bugzilla.redhat.com/show_bug.cgi?id=1901503

https://bugzilla.redhat.com/show_bug.cgi?id=1908441

https://bugzilla.redhat.com/show_bug.cgi?id=1909956

https://bugzilla.redhat.com/show_bug.cgi?id=1916032

https://bugzilla.redhat.com/show_bug.cgi?id=1916519

https://bugzilla.redhat.com/show_bug.cgi?id=1916947

https://bugzilla.redhat.com/show_bug.cgi?id=1917927

https://bugzilla.redhat.com/show_bug.cgi?id=1919246

https://bugzilla.redhat.com/show_bug.cgi?id=1921014

https://bugzilla.redhat.com/show_bug.cgi?id=1921108

Plugin Details

Severity: High

ID: 148540

File Name: redhat-RHSA-2021-1184.nasl

Version: 1.11

Type: local

Agent: unix

Published: 4/14/2021

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-28458

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cockpit-ovirt, p-cpe:/a:redhat:enterprise_linux:cockpit-ovirt-dashboard, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/14/2021

Vulnerability Publication Date: 12/16/2020

Reference Information

CVE: CVE-2020-28458

CWE: 400

RHSA: 2021:1184