RHEL 6 : Virtualization Manager (RHSA-2016:1929)

medium Nessus Plugin ID 93681

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update for org.ovirt.engine-root is now available for RHEV Manager version 3.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Red Hat Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

Security Fix(es) :

* A flaw was found in RHEV Manager, where it wrote sensitive data to the engine-setup log file. A local attacker could exploit this flaw to view sensitive information such as encryption keys and certificates (which could then be used to steal other sensitive information such as passwords). (CVE-2016-4443)

This issue was discovered by Simone Tiraboschi (Red Hat).

Bug Fix(es) :

* With this update, users are now warned to set the system in global maintenance mode before running the engine-setup command. This is because data corruption may occur if the engine-setup command is run without setting the system into global maintenance mode. This update means that the user is warned and the setup will be aborted if the system is not in global maintenance mode and the engine is running in the hosted engine configuration. (BZ#1359844)

* Previously, the update of the compatibility version of a cluster with many running virtual machines that are installed with the guest-agent caused a deadlock that caused the update to fail. In some cases, these clusters could not be upgraded to a newer compatibility version. Now, the deadlock in the database has been prevented so that a cluster with many running virtual machines that are installed with the guest-agent can be upgraded to newer compatibility version.
(BZ#1369415)

* Previously, a virtual machine with a null CPU profile id stored in the database caused a NPE when editing the virtual machine. Now, a virtual machine with a null CPU profile id stored in the database is correctly handled and the virtual machine can be edited. (BZ#1373090)

* Setting only one of the thresholds for power saving/evenly distributed memory based balancing (high or low) can lead to unexpected results. For example, when in power saving load balancing the threshold for memory over utilized hosts was set with a value, and the threshold for memory under utilized hosts was undefined thus getting a default value of 0. All hosts were considered as under utilized hosts and were chosen as sources for migration, but no host was chosen as a destination for migration.

This has now been changed so that when the threshold for memory under utilized host is undefined, it gets a default value of Long.MAX. Now, when the threshold for memory over utilized hosts is set with a value, and the threshold for memory under utilized host is undefined, only over utilized hosts will be selected as sources for migration, and destination hosts will be hosts that are not over utilized.
(BZ#1359767)

* Previously, recently added logs that printed the amount of virtual machines running on a host were excessively written to the log file.
Now, the frequency of these log have been reduced by printing them only upon a change in the number of virtual machines running on the host. (BZ#1367519)

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2016:1929

https://access.redhat.com/security/cve/cve-2016-4443

Plugin Details

Severity: Medium

ID: 93681

File Name: redhat-RHSA-2016-1929.nasl

Version: 2.11

Type: local

Agent: unix

Published: 9/23/2016

Updated: 10/24/2019

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:rhevm-lib, p-cpe:/a:redhat:enterprise_linux:rhevm-extensions-api-impl, p-cpe:/a:redhat:enterprise_linux:rhevm-websocket-proxy, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:rhevm-tools-backup, p-cpe:/a:redhat:enterprise_linux:rhevm-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:rhevm-setup-plugin-websocket-proxy, p-cpe:/a:redhat:enterprise_linux:rhevm-setup-base, p-cpe:/a:redhat:enterprise_linux:rhevm-setup-plugin-vmconsole-proxy-helper, p-cpe:/a:redhat:enterprise_linux:rhevm-setup-plugin-ovirt-engine, p-cpe:/a:redhat:enterprise_linux:rhevm-setup, p-cpe:/a:redhat:enterprise_linux:rhevm-tools, p-cpe:/a:redhat:enterprise_linux:rhevm-webadmin-portal, p-cpe:/a:redhat:enterprise_linux:rhevm-dbscripts, p-cpe:/a:redhat:enterprise_linux:rhevm-extensions-api-impl-javadoc, p-cpe:/a:redhat:enterprise_linux:rhevm-setup-plugin-ovirt-engine-common, p-cpe:/a:redhat:enterprise_linux:rhevm-userportal-debuginfo, p-cpe:/a:redhat:enterprise_linux:rhevm-webadmin-portal-debuginfo, p-cpe:/a:redhat:enterprise_linux:rhevm-backend, p-cpe:/a:redhat:enterprise_linux:rhevm-restapi, p-cpe:/a:redhat:enterprise_linux:rhevm, p-cpe:/a:redhat:enterprise_linux:rhevm-userportal

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 9/21/2016

Vulnerability Publication Date: 12/14/2016

Reference Information

CVE: CVE-2016-4443

RHSA: 2016:1929