Detections
Analytics
RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.3] (RHSA-2022:8502)
medium Nessus Plugin ID 167749
Language:
Synopsis
The remote Red Hat host is missing one or more security updates for RHV Manager (ovirt-engine) [ovirt-4.5.3].Description
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8502 advisory.The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security Fix(es):
* follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)
* ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)
* RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)
* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported' (BZ#1968433)
* Virtual Machine with lease fails to run on DR failover (BZ#1974535)
* Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)
* Unable to switch RHV host into maintenance mode as there are image transfer in progress (BZ#2123141)
* not able to import disk in 4.5.2 (BZ#2134549)
Enhancement(s):
* [RFE] Show last events for user VMs (BZ#1886211)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL RHV Manager (ovirt-engine) [ovirt-4.5.3] package based on the guidance in RHSA-2022:8502.See Also
http://www.nessus.org/u?06016851
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/errata/RHSA-2022:8502
https://bugzilla.redhat.com/show_bug.cgi?id=1705338
https://bugzilla.redhat.com/show_bug.cgi?id=1836318
https://bugzilla.redhat.com/show_bug.cgi?id=1886211
https://bugzilla.redhat.com/show_bug.cgi?id=1968433
https://bugzilla.redhat.com/show_bug.cgi?id=1974535
https://bugzilla.redhat.com/show_bug.cgi?id=1983567
https://bugzilla.redhat.com/show_bug.cgi?id=2044556
https://bugzilla.redhat.com/show_bug.cgi?id=2079545
https://bugzilla.redhat.com/show_bug.cgi?id=2118672
https://bugzilla.redhat.com/show_bug.cgi?id=2123141
https://bugzilla.redhat.com/show_bug.cgi?id=2127836
Plugin Details
Severity: Medium
ID: 167749
File Name: redhat-RHSA-2022-8502.nasl
Version: 1.7
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 11/16/2022
Updated: 11/7/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
Vendor
Vendor Severity: Moderate
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.4
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2022-0155
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.9
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS Score Source: CVE-2022-2805
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:python3-ovirt-engine-lib, p-cpe:/a:redhat:enterprise_linux:rhvm, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-webadmin-portal, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-health-check-bundler, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-cinderlib, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine-common, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools-backup, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-imageio, p-cpe:/a:redhat:enterprise_linux:ovirt-web-ui, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dbscripts, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-backend, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh-grafana-integration-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-restapi, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-base, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-ui-extensions
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/16/2022
Vulnerability Publication Date: 1/10/2022
Reference Information
CVE: CVE-2022-0155, CVE-2022-2805