RHEL 8 : RHV Host (ovirt-host) (RHSA-2022:6392)

Nessus Plugin ID 164879 (Severity: High)

Synopsis

The remote Red Hat host is missing a security update for RHV Host (ovirt-host).

Description

The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:6392 advisory.

The ovirt-host package consolidates host package requirements into a single meta package.

Security Fix(es):

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* The hosted-engine-ha binaries have been moved from /usr/share to /usr/libexec. As a result, the hosted-engine --clean-metadata command fails. With this release, you must use the new path for the command to succeed: /usr/libexec/ovirt-hosted-engine-ha/ovirt-ha-agent (BZ#2105781)

* A new warning has been added to the vdsm-tool to protect users from using the unsupported user_friendly_names multipath configuration. The following is an example of the output:

$ vdsm-tool is-configured --module multipath
WARNING: Invalid configuration: 'user_friendly_names' is enabled in multipath configuration:

section1 {
    key1 value1
    user_friendly_names yes
    key2 value2
}

section2 {
    user_friendly_names yes
}

This configuration is not supported and may lead to storage domain corruption. (BZ#1793207)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL RHV Host (ovirt-host) package based on the guidance in RHSA-2022:6392.

See Also

http://www.nessus.org/u?fca6e31c

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/errata/RHSA-2022:6392

https://bugzilla.redhat.com/show_bug.cgi?id=1793207

https://bugzilla.redhat.com/show_bug.cgi?id=2105075

https://bugzilla.redhat.com/show_bug.cgi?id=2105781

https://bugzilla.redhat.com/show_bug.cgi?id=2117558

Plugin Details

Severity: High

ID: 164879

File Name: redhat-RHSA-2022-6392.nasl

Version: 1.8

Type: local

Agent: unix

Published: 9/8/2022

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-31129

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cockpit-ovirt, p-cpe:/a:redhat:enterprise_linux:cockpit-ovirt-dashboard, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/8/2022

Vulnerability Publication Date: 7/6/2022

Reference Information

CVE: CVE-2022-31129

CWE: 400

RHSA: 2022:6392