RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.3] (RHSA-2022:8502)

medium Nessus Plugin ID 167749

Synopsis

The remote Red Hat host is missing one or more security updates for RHV Manager (ovirt-engine) [ovirt-4.5.3].

Description

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8502 advisory.

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security Fix(es):

* follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155)

* ovirt-engine: RHVM admin password is logged unfiltered when using otopi-style (CVE-2022-2805)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Ghost OVFs are written when using floating SD to migrate VMs between 2 RHV environments. (BZ#1705338)

* RHV engine is reporting a delete disk with wipe as completing successfully when it actually fails from a timeout. (BZ#1836318)

* [DR] Failover / Failback HA VM Fails to be started due to 'VM XXX is being imported' (BZ#1968433)

* Virtual Machine with lease fails to run on DR failover (BZ#1974535)

* Disk is missing after importing VM from Storage Domain that was detached from another DC. (BZ#1983567)

* Unable to switch RHV host into maintenance mode as there are image transfers in progress (BZ#2123141)

* Not able to import disk in 4.5.2 (BZ#2134549)

Enhancement(s):

* [RFE] Show last events for user VMs (BZ#1886211)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL RHV Manager (ovirt-engine) [ovirt-4.5.3] package based on the guidance in RHSA-2022:8502.

See Also

http://www.nessus.org/u?06016851

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/errata/RHSA-2022:8502

https://bugzilla.redhat.com/show_bug.cgi?id=1705338

https://bugzilla.redhat.com/show_bug.cgi?id=1836318

https://bugzilla.redhat.com/show_bug.cgi?id=1886211

https://bugzilla.redhat.com/show_bug.cgi?id=1968433

https://bugzilla.redhat.com/show_bug.cgi?id=1974535

https://bugzilla.redhat.com/show_bug.cgi?id=1983567

https://bugzilla.redhat.com/show_bug.cgi?id=2044556

https://bugzilla.redhat.com/show_bug.cgi?id=2079545

https://bugzilla.redhat.com/show_bug.cgi?id=2118672

https://bugzilla.redhat.com/show_bug.cgi?id=2123141

https://bugzilla.redhat.com/show_bug.cgi?id=2127836

https://bugzilla.redhat.com/show_bug.cgi?id=2134549

https://bugzilla.redhat.com/show_bug.cgi?id=2137207

Plugin Details

Severity: Medium

ID: 167749

File Name: redhat-RHSA-2022-8502.nasl

Version: 1.7

Type: local

Agent: unix

Published: 11/16/2022

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-0155

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-2805

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python3-ovirt-engine-lib, p-cpe:/a:redhat:enterprise_linux:rhvm, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-webadmin-portal, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-health-check-bundler, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-cinderlib, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine-common, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools-backup, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-ovirt-engine, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-plugin-imageio, p-cpe:/a:redhat:enterprise_linux:ovirt-web-ui, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dbscripts, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-tools, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-backend, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-dwh-grafana-integration-setup, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-restapi, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-setup-base, p-cpe:/a:redhat:enterprise_linux:ovirt-engine-ui-extensions

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/16/2022

Vulnerability Publication Date: 1/10/2022

Reference Information

CVE: CVE-2022-0155, CVE-2022-2805

CWE: 312, 359

RHSA: 2022:8502