Red Hat Security Advisory 2015-0158-01 - Red Hat Enterprise Virtualization Manager is a visual tool for centrally managing collections of virtual servers running Red Hat Enterprise Linux and Microsoft Windows. This package also includes the Red Hat Enterprise Virtualization Manager API, a set of scriptable commands that give administrators the ability to perform queries and operations on Red Hat Enterprise Virtualization Manager. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Enterprise Virtualization Manager 3.5.0
Advisory ID: RHSA-2015:0158-01
Product: Red Hat Enterprise Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0158.html
Issue date: 2014-07-13
Updated on: 2015-02-11
CVE Names: CVE-2012-6153 CVE-2014-0151 CVE-2014-0154 CVE-2014-3577
=====================================================================
1. Summary:
Red Hat Enterprise Virtualization Manager 3.5.0 is now available.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
RHEV-M 3.5 - noarch
3. Description:
Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.
The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a User Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).
It was discovered that the HttpClient incorrectly extracted the host name
from an X.509 certificate subject's Common Name (CN) field.
A man-in-the-middle attacker could use this flaw to spoof an SSL server
using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)
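The hostname check described above is the one a TLS client must get right: identity names are taken from the parsed certificate (subjectAltName first, subject CN only as a fallback), never by text-searching the DN's printable form. The following Python is an added illustration and not Red Hat's or Apache HttpClient's code; it works on the dict shape that `ssl.SSLSocket.getpeercert()` returns, and every certificate value, host name and DN string in it is constructed for the example.

```python
from typing import Dict, List, Optional
import re


def _dns_match(pattern: str, hostname: str) -> bool:
    """Compare one dNSName (or CN) pattern with a host name, case-insensitively.

    A wildcard is accepted only as the entire left-most label, only for
    names with at least two labels after it (so '*.com' is refused), and
    it never spans a dot ('*.example.com' does not cover 'a.b.example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_names(cert: Dict) -> List[str]:
    """Names the certificate asserts for host matching.

    subjectAltName dNSName entries take precedence; the subject CN is
    consulted only when the certificate carries no dNSName at all
    (RFC 6125 section 6.4.4). The CN is read as a parsed attribute of the
    subject, never by searching the DN's printable string for 'CN='.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [
        value
        for rdn in cert.get("subject", ())
        for attr, value in rdn
        if attr == "commonName"
    ]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname."""
    return any(_dns_match(name, hostname) for name in identity_names(cert))


def cn_from_dn_string_naive(dn: str) -> Optional[str]:
    """The fragile pattern the advisory describes: pulling the CN out of the
    DN's printable form with a text search. Any other attribute whose value
    contains the text 'CN=' derails it, so this must not drive host checks."""
    match = re.search(r"CN=([^,]+)", dn)
    return match.group(1) if match else None


# Constructed samples, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_SAN_CERT = {
    "subject": ((("commonName", "legacy-name.example.com"),),),
    "subjectAltName": (("DNS", "manager.example.com"), ("DNS", "*.api.example.com")),
}
SAMPLE_CN_ONLY_CERT = {
    "subject": (
        (("organizationName", "Example Org, CN=manager.example.com"),),
        (("commonName", "other.example.net"),),
    ),
}
# Printable (RFC 2253 style) form of SAMPLE_CN_ONLY_CERT's subject; the comma
# inside the O value is escaped, which a plain text search does not honour.
SAMPLE_DN_STRING = r"O=Example Org\, CN=manager.example.com,CN=other.example.net"


if __name__ == "__main__":
    print(hostname_matches(SAMPLE_SAN_CERT, "manager.example.com"))      # True
    print(hostname_matches(SAMPLE_SAN_CERT, "legacy-name.example.com"))  # False: SAN present, CN ignored
    print(identity_names(SAMPLE_CN_ONLY_CERT))                           # ['other.example.net']
    print(cn_from_dn_string_naive(SAMPLE_DN_STRING))                     # manager.example.com
```

The last two prints are the point of the example: the structured reader reports the certificate's actual CN, while the text search returns a name that appears only inside another attribute's value. A reviewer auditing a TLS client library should look for exactly this difference, and for the SAN-before-CN ordering that the first two prints exercise.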
A Cross-Site Request Forgery (CSRF) flaw was found in the oVirt REST API.
A remote attacker could provide a specially crafted web page that, when
visited by a user with a valid REST API session, would allow the attacker
to trigger calls to the oVirt REST API. (CVE-2014-0151)
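The CSRF exposure above exists because a browser attaches the session cookie to any request a crafted page provokes, so the API cannot tell a scripted call from a forged one by the cookie alone. The guard below is an added example of the usual server-side defence and is not oVirt or RHEV-M code: the allowed origin, the marker header name and the request samples are constructed assumptions. It treats a request as at risk only when the session cookie is its sole credential, then requires a same-site Origin (or Referer) and a custom header that a cross-site form cannot add.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Origin the portals are served from: a constructed deployment value.
ALLOWED_ORIGINS = {"https://manager.example.com"}
# Hypothetical marker header. A cross-site HTML form cannot add custom
# headers, and a cross-site XHR/fetch carrying one triggers a CORS preflight.
MARKER_HEADER = "x-requested-with"
# Servlet-container session cookie name assumed for the example.
SESSION_COOKIE = "JSESSIONID"


def _origin_of(url: str) -> str:
    """Reduce a Referer URL to its origin ('' if it has none)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def csrf_verdict(method: str, headers: Dict[str, str], cookies: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether an API request may proceed, returning (allowed, reason).

    Only requests that depend on the session cookie for authentication are
    subject to the checks: that cookie is the ambient credential a browser
    attaches to whatever a crafted page asks it to send.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if SESSION_COOKIE not in cookies:
        return True, "no session cookie: nothing for a forged request to ride on"
    if "authorization" in h:
        return True, "explicit credentials supplied by the client"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = h.get("origin") or _origin_of(h.get("referer", ""))
    if not origin:
        return False, "cookie-authenticated state change without Origin or Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"request originates from {origin}"
    if MARKER_HEADER not in h:
        return False, f"missing {MARKER_HEADER} header"
    return True, "same-origin scripted request"


# Constructed requests exercising each branch.
SAMPLE_COOKIES = {SESSION_COOKIE: "constructed-session-id"}
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://other.example"}, SAMPLE_COOKIES),
    ("POST", {"Origin": "https://manager.example.com", "X-Requested-With": "XMLHttpRequest"}, SAMPLE_COOKIES),
    ("POST", {"Referer": "https://manager.example.com/webadmin/"}, SAMPLE_COOKIES),
    ("DELETE", {"Authorization": "Basic constructed"}, SAMPLE_COOKIES),
    ("GET", {}, SAMPLE_COOKIES),
]

if __name__ == "__main__":
    for method, headers, cookies in SAMPLE_REQUESTS:
        allowed, reason = csrf_verdict(method, headers, cookies)
        print(f"{method:6} {'allow' if allowed else 'deny ':5} {reason}")
```

Safe methods are passed because the same-origin policy already stops a cross-site page from reading their responses; the checks bite on the state-changing calls the advisory is concerned with. Where a deployment cannot rely on browsers sending Origin or Referer, a per-session token echoed in the request body or header is the equivalent defence.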
It was found that the oVirt web admin interface did not include the
HttpOnly flag when setting session IDs with the Set-Cookie header.
This flaw could make it easier for a remote attacker to hijack an oVirt
web admin session by leveraging a cross-site scripting (XSS) vulnerability.
(CVE-2014-0154)
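A missing HttpOnly flag is easy to verify from outside: the Set-Cookie header that establishes the session either carries the attribute or it does not. The checker below is an added example, not part of this advisory or of the product; the HTTP response it parses is constructed, and the substrings it uses to recognise a session cookie are an assumption for the example. It reports each session cookie that lacks HttpOnly, and Secure when the site is served over TLS.

```python
from typing import Dict, List, Tuple, Union

# Substrings that identify a session-carrying cookie (assumed heuristic).
SESSION_COOKIE_MARKERS = ("jsessionid", "session")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes (HttpOnly, Secure)
    map to True. The cookie value is split at the first '=' only, so
    base64-style values keep their padding.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def set_cookie_headers_from_raw(raw_response: str) -> List[str]:
    """Pull every Set-Cookie value out of a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [
        line.partition(":")[2].strip()
        for line in head.split("\r\n")[1:]          # skip the status line
        if line.lower().startswith("set-cookie:")
    ]


def audit_session_cookies(set_cookie_headers: List[str], over_tls: bool = True) -> List[Tuple[str, str]]:
    """Return (cookie name, missing attribute) for each session cookie that
    lacks HttpOnly, or Secure when the site is served over TLS."""
    findings = []
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        if not any(marker in name.lower() for marker in SESSION_COOKIE_MARKERS):
            continue
        if "httponly" not in attrs:
            findings.append((name, "HttpOnly"))
        if over_tls and "secure" not in attrs:
            findings.append((name, "Secure"))
    return findings


# Constructed response; not captured from a real Manager.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed0123; Path=/webadmin\r\n"
    "Set-Cookie: locale=en_US; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, missing in audit_session_cookies(set_cookie_headers_from_raw(SAMPLE_RESPONSE)):
        print(f"{name}: missing {missing}")
```

For an application hosted in a Servlet 3.0 container such as JBoss, the standard remedy is declarative: `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` in web.xml makes the container set both attributes on the session cookie, and the audit above then comes back empty.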
The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat
Product Security.
These updated Red Hat Enterprise Virtualization Manager packages also
include numerous bug fixes and various enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Virtualization 3.5 Manager Release Notes document,
linked to in the References, for information on the most significant of
these changes.
All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages, which resolve these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
570191 - PRD35 - [RFE] [AAA] support Kerberos authentication (for REST API)
716511 - PRD35 - [RFE] support discovery of existing virtual machines on RHEV storage
723211 - PRD35 - [RFE] clone vm - support copy/duplicate virtual machines (without having to create a template)
800155 - PRD35 - [RFE] configure SPICE disable-copy-paste in GUIs
804530 - PRD35 - [RFE] Change the "Slot" field to "Service Profile" when cisco_ucs is selected as the fencing type
817180 - PRD35 - [RFE] sysprep needs ability to specify Active Directory OU for VMs to join
828591 - PRD35 - [RFE] ability to "rebalance" cluster load with a single button
832167 - PRD35 - [RFE] NUMA information(memory and cpu) in guest - RHEV-M support
859024 - PRD35 - [RFE] Provide confirmation prompt while deactivating a NIC
874328 - PRD35 - [RFE] Add Instance Types (hardware profiles/flavors)
878662 - PRD35 - [RFE] Mechanism for adding additional fence agents to mgr
879077 - PRD35 - [RFE] left-hand pane in the AdminPortal (the tree) should auto-refresh
884653 - [RFE][AAA] support single sign-on to user and admin portals
890517 - PRD35 - [RFE] add gluster profile support
894027 - PRD35 - [RFE] [restapi] Display the current logged in user in API
894084 - PRD35 - [RFE] report SELinux policy and show it in UI + warn when not enabled
895222 - PRD35 - [RFE] Unable to sort on columns in WebAdmin for RHEV
902298 - PRD35 - [RFE] Change Time Zone after the initial-run
906243 - PRD35 - [RFE] provide separate netbios name VM property for Windows sysprep, and relax the VM name limitations
906938 - PRD35 - [RFE] Support blkio SLA features
912057 - PRD35 - [RFE] webadmin [TEXT]: unclear warning that template of linked vm does not exist in export domain
918138 - PRD35 - [RFE] Allow guest serial number to be configurable
920708 - [RESTAPI] Create Data Storage Domain request on non-empty mount results in attempt to import existing domain
922377 - PRD35 - [RFE] Allow to edit VM properties that need VM to be down to apply, just mark it as such and apply on VM shutdown
928727 - [RFE] [engine-webadmin-portal] Resizable columns in add virtual disk window
947965 - RHEVM Backend : VM can be removed while in other state than down, like migrating and powering off
955235 - PRD35 - [RFE] support BIOS boot device menu
961753 - PRD35 - [RFE] Improve fencing robustness by retrying failed attempts
962220 - PRD35 - [RFE] allow to set locale, language and keyboard settings for sysprep operation per vm
962880 - PRD35 - [RFE] when viewing a grid that contains only one item, *automatically* select that item
967466 - PRD35 - [RFE] Show live migration progress in the UI
977079 - [RFE] Add virtio-rng support [EL 6.6 only]
977306 - Password validity time related information is missing in "console.vv" for rhevm 3.2.
985945 - PRD35 - [RFE] rhevm-websocket-proxy - using as standalone service - automatic configuration
987295 - PRD35 - [RFE] Add periodic power management health check to detect/warn about link-down detection of power management LAN
987299 - PRD35 - [RFE] Display of NIC Slave/Bond fault on RHEV-M Event Log and UI
988392 - PRD35 - [RFE] Ability to dismiss alerts from web-admin portal
988422 - PRD35 - [RFE] Neutron Integration: Providing a Neutron appliance
989546 - PRD35 - [RFE] Re-work engine ovirt-node host-deploy sequence
996512 - PRD35 - [RFE] Need API to 'unlock' a running VM when connecting to it through the REST API
999975 - PRD35 - [RFE] Accept vlan devices identified by any name
1001419 - [User Portal] Right hand pane in user portal takes too much space
1003785 - [RFE] cannot edit/create network on DC via left hand panel tree on DC which was recreated
1007133 - PRD35 - [RFE][host-deploy] support more ciphers for ssh - upgrade apache-sshd to 0.11.0
1008512 - [RFE] QoS support is missing from CLI, SDK and REST API
1013670 - New Template: comment is not saved when creating new template
1014326 - Adding a new VM and choosing the OS of any linux, prevents you from changing the time zone.
1015186 - PRD35 - [RFE] Give notification to Admin User, when RHEV Storage Domain approaches the limit of 350 LVs
1016916 - PRD35 - [RFE] Search VMs based on MAC address from RHEVM web-admin portal
1022795 - PRD35 - [RFE] Disk alias recycling in web-admin portal
1025376 - PRD35 - [RFE] [rhevm] Webadmin - RFE - Run Once from CD should Show ISO name
1025831 - PRD35 - [RFE] add administrator password and OrgName properties to Initial Run of Run Once of VMs of Windows OS type
1028387 - virtio-serial and balloon should be managed devices
1029934 - No error message displayed when trying to add an already existing (but unattached) SD in a DC
1032686 - PRD35 - [RFE] Save "domain related" OVFs on any data domain
1034309 - PRD35 - [RFE] add a warning when adding display network
1034885 - PRD35 - [RFE] Snapshot overview in webadmin portal
1038632 - PRD35 - [RFE] [spice-html5] spice-html5 js client is dumb: no error about network connection issue
1040952 - Job and step tables not cleaned after the failure or completion of some tasks.
1043430 - Add Firefox 31 to supported browsers (replacing FF17)
1043808 - For an interface with multiple VLAN interfaces, rhev Host assigns highest mtu of a vlan interface to all vlan interface under the parent interface .
1044033 - PRD35 - [RFE] Support ethtool_opts functionality within RHEV
1044042 - PRD35 - [RFE] Support bridging_opts functionality within RHEV
1048019 - PRD35 - [RFE] [slow RHEV-M portal] optimize queries invocation for left-pane tree data retrieval
1052348 - PRD35 - [RFE] Include iotop package in RHEV-H images
1053884 - Guest fails to migrate while paused
1058022 - PRD35 - [RFE] Decommission the Storage Pool Metadata
1059435 - PRD35 - [RFE] RHEVM Self Hosted Engine on RHEV-H
1061156 - PRD35 - [RFE] Description field in Virtual machines tab
1062435 - PRD35 - [RFE] have rhevm-shell and API provide same functionality that the UI does for ovirt-scheduler-proxy
1064273 - Cannot create a new VM in a local SD
1064544 - PRD35 - [RFE] new engine GUI look and feel (LAF) - phase 1
1065753 - PRD35 - [RFE] Maintenance operations on a VM would ask for an optional reason
1067162 - PRD35 - [RFE] Hosted Engine on iSCSI data centers
1070348 - PRD35 - [RFE] RHEVM GUI - Add host uptime information to the "General" tab
1070823 - PRD35 - [RFE] Wipe after Delete flag modification while VM is Up
1071217 - Misleading error message when user with ClusterAdmin role on cluster tries to add a disk to a VM without permissions on any storage domain
1076705 - RHEV 3.3 rhevm-shell can't change cluster policy to a custom policy
1077284 - [RFE] Allow big ranges in MacPoolManager
1079583 - When RHEV reports a problem with a storage domain, it should report **which** storage domain
1080144 - USB Support select box always shows "Disabled" choice.
1081533 - SPICE ActiveX download fails if user performs upgrade from 3.3.0 to 3.3.1
1081849 - CVE-2014-0151 ovirt-engine: cross-site request forgery (CSRF)
1081896 - CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set
1082110 - Event ID 1200 (VM rename) does not record the initating User id
1082681 - RHEV-M displays and uses the same values for hypervisor cores regardless of cluster setting for "Count Threads as Cores"
1083760 - PRD35 - [RFE] Prevent host fencing while kdumping
1083763 - PRD35 - [RFE] replace XML-RPC communication (engine-vdsm) with json-rpc based on bidirectional transport
1083766 - console.vv file does not display name of VM for VNC consoles
1083769 - PRD35 - [RFE] - introduction of Command-Coordination infrastructure
1083926 - The hosts max_scheduling_memory should be updated when a live migration starts.
1083998 - PRD35 - [RFE] using foreman provider to provision bare-metal hosts
1084120 - PRD35 - [RFE] Please add host count and guest count columns to "Clusters" tab in webadmin
1084611 - [RFE] RHEV-M networking went down, 90% of hosts were fenced causing a massive outage
1085136 - PRD35 - [RFE] webadmin : Allow online vDisk description editing.
1085380 - Dialog is not highlighted if VM cannot be created before clicking to "Show Advanced Options"
1087745 - Recommended size of memory is too low for RHEL6 64bit systems
1087917 - [GUI/General sub-tab] Windows-based Template & Pool: Time Zone is blank when set to the global default
1091692 - [Network labels] Removal of labelled network from DC inconsistent with removal from cluster
1092609 - Searching for objects that _do not_ have a tag in the search bar is not possible
1092884 - [RFE] Please improve RHEVM Webadmin portal vm migration displayed only into min:sec format.
1093393 - [engine-backend] [iSCSI multipath] Required cluster network shouldn't be allowed to be added to an iSCSI multipath bond
1093742 - System is not power on after a fencing operation (ILO3).
1093784 - The Expect header is ignored
1093786 - Negative values for "Shared Memory"
1095240 - PRD35 - [RFE] Support logging of commands parameters
1096662 - [RFE] Long strings in dialogs adversely affect GUI
1096971 - Importing an Export/ISO storage domain automatically activates the domain
1097256 - 10 minute delay on migrating VMs out after requesting maintenance mode
1097622 - Inconsistent VirtIO direct lun disk attachment behaviour.
1098591 - [TEXT] Tool tips for weights on Cluster Policy module in Configuration Dialogue are incorrect
1098638 - smartcard entries are duplicated every time a template is saved, resulting in unbootable VMs
1098791 - Reduce blocking operations as part of hosts & VMs monitoring cycles
1100194 - Unable to scroll down template list using IE9
1100810 - Edit button for Setup Host Networks window should always be displayed
1101018 - PRD35 - [RFE][RHEV] Support single disk snapshot on preview snapshot action in REST-API
1101565 - Cannot approve hosts using REST API
1102018 - PRD35 - [RFE] Drop Linux bridge plugin support from neutron integration
1103490 - [REST API]: Missing VM statistics field.
1103676 - ovirt-engine should not store long term files in "/var/tmp/ovirt-engine/": tmpwatch will remove that directory after 30 days
1103707 - application list database limit is too small (4000 chars)
1103976 - rhevm-engine-setup: weak default passwords for PostgreSQL database users
1104030 - Failed VM migrations do not release VM resource lock properly leading to failures in subsequent migration attempts
1104195 - "Domain not found: no domain with matching uuid" error logged to audit_log after live migration fails due to timeout exceeded
1104233 - VM Pools do not properly inherit admin roles in the admin portal
1109326 - 3.4 upgrade does not set correct iptables rules when serving ISO domain from RHEV-M host
1109721 - storage domain ownership of LUN not displayed
1110172 - [RFE]API to check if a host has renew its lease
1110636 - [RFE] Enable PPC Support in RHEV
1111551 - [rhevm] unable to create template from Windows 2012 guest with SPICE videocard in RHEV 3.4
1112359 - Failed to remove host xxxxxxxx
1113499 - [RHEVM] Special character handling on VM Description is not correct
1113937 - [RFE][AAA] Single sign-on into web applications
1114041 - Cannot add AD group to a new VM from the user portal
1114241 - PRD35 - [RFE] Set 'save network configuration' default to 'true' on setup networks dialog
1114244 - [RFE] Admin GUI: Sort by 'IP address' (in VM tab) should not treat the IP address as a string
1114253 - PRD35 - [RFE] Allow to perform fence operations from a host in another DC
1114260 - [RFE] Public extension API for ovirt-engine
1114554 - [RFE] Expose bookmarks through REST API
1115845 - Enable sync of LUNs after storage domain activation for FC - duplicate LUNs
1115966 - Update storage domain from rhevm-shell fails with java.lang.NullPointerException
1116486 - When importing a VM in RHEVM 3.4 all its disks turn from thin provision to preallocated
1118191 - unlock_entity.sh fails with "psql: fe_sendauth: no password supplied"
1118818 - Luns either missing from or having no 'volume_group_id' in the luns table in the RHEV database.
1118847 - ovirt-engine currently sets the disk device to "lun" for all virtio-scsi direct LUN connections and disables read-only for these devices
1118879 - [RFE] Provide configuration screen for "Fencing Policy" within the "Edit Cluster" dialog
1119922 - [RFE]embed the check ("if a host has renew its lease on any SD") into the fencing flow - according to cluster level policy
1120197 - The Balloon driver on VM ... on host ... is requested but unavailable.
1120829 - [RFE] Do not fence hosts when more than X% of hosts are in a Non-Responding or Connecting state
1120858 - [RFE] Option to disable fencing for a cluster
1121454 - In RHEV, admin UI rejects FQDNs ending in a digit when creating NFS storage domains
1123396 - Admin Portal: Unresponsive script leading to Virtual Machines not being displayed any more
1123754 - Direct FC lun disk details aren't validated
1125834 - [engine-setup] "badly formed hexadecimal UUID string" error when ISO domain path contains a directory
1126839 - "There is no over-utilized host in cluster " repeated every minute
1128949 - OvfUpdateIntervalInMinutes/OvfItemsCountPerUpdate fields should be exposed to engine-config tool
1129012 - Unable to add description for "Affinity Group" with space character.
1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129634 - Cannot export VM. Disk configuration (COW Preallocated) is incompatible with the storage domain type.
1129916 - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
1130076 - engine.log is flooded with messages as "Executing a command: java.util.concurrent.FutureTask , but note that there are 1 tasks in the queue."
1131693 - Error connecting to VM using RDP if NLA is enabled
1132078 - RESTAPI: RSDL does not document all available parameters
1132191 - [Windows sysprep] Run Once: Special characters are not encoded in XML sysprep files for Windows 7, 8, 2008, 2012
1133938 - SD inactive after 2nd extension (with already added LUN)
1134009 - [Network label] RHEV does not allow adding label for a network being used by VMs
1136087 - engine-manage-domains always searches for KDC servers over DNS, even when --resolve-kdc is not set
1139866 - PRD35 - [RFE] Test RHEV 3.5 on RHEL 6.6
1140098 - [RHEV-M] System is not power on after a fencing operation in power management (agent: ipmilan)
1140430 - Failure to Attach ISO domain causes SPM failover
1141693 - VM Importer Screen does not update disk tab if more than one machine are selected for import
1142233 - Description of affinity group not loaded to edit affinity group tab
1148379 - In case of using new template version (sealed with sysprep) for a pool, VMs get stuck in minisetup
1148623 - Windows 7 guests reports incorrect time after a cold restart.
1149135 - Prestarted VMs dissapear from UI after failure to restore snapshot once VM turns from Unknown status to Down
1149235 - [Admin Portal][ppc64][Power mgmt] ipmi doesn't work - Authentication type NONE not supported/Unable to obtain correct plug status or plug is not available
1153544 - Failed VM migrations do not release VM resource lock properly
1154607 - GetAllFromVms stored function is inefficient
1154630 - [PPC]-Can't Hotplug/unplug VM nic while vm is running and has OS installed
1156577 - [AAA] Adding an LDAP domain against ldap installed on rhel 6.6 fails
1157211 - Engine does not free pending_vmem_size and pending_vcpus_count on migrate host, in case of VM migration failure.
1160889 - Live Storage Migration "completes" but the engine sequence does not, leaving an unfinished job.
6. Package List:
RHEV-M 3.5:
Source:
rhevm-3.5.0-0.29.el6ev.src.rpm
noarch:
rhevm-3.5.0-0.29.el6ev.noarch.rpm
rhevm-backend-3.5.0-0.29.el6ev.noarch.rpm
rhevm-dbscripts-3.5.0-0.29.el6ev.noarch.rpm
rhevm-extensions-api-impl-3.5.0-0.29.el6ev.noarch.rpm
rhevm-extensions-api-impl-javadoc-3.5.0-0.29.el6ev.noarch.rpm
rhevm-lib-3.5.0-0.29.el6ev.noarch.rpm
rhevm-restapi-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-base-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-plugin-allinone-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-plugin-ovirt-engine-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-plugin-ovirt-engine-common-3.5.0-0.29.el6ev.noarch.rpm
rhevm-setup-plugin-websocket-proxy-3.5.0-0.29.el6ev.noarch.rpm
rhevm-tools-3.5.0-0.29.el6ev.noarch.rpm
rhevm-userportal-3.5.0-0.29.el6ev.noarch.rpm
rhevm-webadmin-portal-3.5.0-0.29.el6ev.noarch.rpm
rhevm-websocket-proxy-3.5.0-0.29.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2012-6153
https://access.redhat.com/security/cve/CVE-2014-0151
https://access.redhat.com/security/cve/CVE-2014-0154
https://access.redhat.com/security/cve/CVE-2014-3577
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Manager_Release_Notes/index.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2521XlSAg2UNWIIRAlpBAJ4qJ09kkqJQZliit+6/Qt/+UCdSQwCeJaJR
nC4RORf/00dOzvZXzMPNDL0=
=mB9a
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce