RHEL 8 : RHV Manager (ovirt-engine) security update [ovirt-4.4.7] (Moderate) (RHSA-2021:2865)

High | Nessus Plugin ID 152005

Synopsis

The remote Red Hat host is missing one or more security updates for RHV Manager (ovirt-engine).

Description

The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:2865 advisory.

The ovirt-engine package provides the manager for virtualization environments.
This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions.

Security Fix(es):

* nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358)

* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

* nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733)

* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Foreman integration, which allowed you to provision bare metal hosts from the Administration Portal using Foreman and then add them to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7.

Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an already provisioned host using the Administration Portal or the REST API. (BZ#1901011)

* Adding a message banner to the web administration welcome page is straightforward using custom branding that only contains a preamble section.
An example of preamble branding is given here: https://bugzilla.redhat.com/attachment.cgi?id=1783329.

In an engine upgrade, the custom preamble brand remains in place and will work without issue.

After an engine backup and subsequent restore, the custom preamble branding must be manually restored or reinstalled and then verified. (BZ#1804774)

* The column name threads_per_core in the Red Hat Virtualization Manager Dashboard is being deprecated and will be removed in a future release.
In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads.
In the Data Warehouse, the old name is retained as an additional alias, resulting in two columns that provide the same data, number_of_threads and threads_per_core; threads_per_core will be removed in a future version. (BZ#1896359)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL RHV Manager (ovirt-engine) package based on the guidance in RHSA-2021:2865.

See Also

https://access.redhat.com/errata/RHSA-2021:2865

https://bugzilla.redhat.com/show_bug.cgi?id=1956818

https://bugzilla.redhat.com/show_bug.cgi?id=1945459

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1752996

https://bugzilla.redhat.com/show_bug.cgi?id=1765644

https://bugzilla.redhat.com/show_bug.cgi?id=1779983

https://bugzilla.redhat.com/show_bug.cgi?id=1804774

https://bugzilla.redhat.com/show_bug.cgi?id=1817346

https://bugzilla.redhat.com/show_bug.cgi?id=1877478

https://bugzilla.redhat.com/show_bug.cgi?id=1879733

https://bugzilla.redhat.com/show_bug.cgi?id=1887434

https://bugzilla.redhat.com/show_bug.cgi?id=1888354

https://bugzilla.redhat.com/show_bug.cgi?id=1896359

https://bugzilla.redhat.com/show_bug.cgi?id=1901011

https://bugzilla.redhat.com/show_bug.cgi?id=1902179

https://bugzilla.redhat.com/show_bug.cgi?id=1937714

https://bugzilla.redhat.com/show_bug.cgi?id=1939198

https://bugzilla.redhat.com/show_bug.cgi?id=1941581

https://bugzilla.redhat.com/show_bug.cgi?id=1944286

https://bugzilla.redhat.com/show_bug.cgi?id=1946876

https://bugzilla.redhat.com/show_bug.cgi?id=1951579

https://bugzilla.redhat.com/show_bug.cgi?id=1954878

https://bugzilla.redhat.com/show_bug.cgi?id=1955582

https://bugzilla.redhat.com/show_bug.cgi?id=1960968

https://bugzilla.redhat.com/show_bug.cgi?id=1961338

https://bugzilla.redhat.com/show_bug.cgi?id=1967169

https://bugzilla.redhat.com/show_bug.cgi?id=1970718

http://www.nessus.org/u?8b7fa05e

Plugin Details

Severity: High

ID: 152005

File Name: redhat-RHSA-2021-2865.nasl

Version: 1.11

Type: local

Agent: unix

Published: 7/22/2021

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-23358

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:ovirt-engine-ui-extensions, cpe:/o:redhat:enterprise_linux:8

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/22/2021

Vulnerability Publication Date: 9/16/2020

Reference Information

CVE: CVE-2020-28469, CVE-2020-7733, CVE-2021-23343, CVE-2021-23358

CWE: 400, 94

RHSA: 2021:2865