Security: XML external entity processing in jackson-databind
Name: XML external entity processing in jackson-databind
ID: RHSA-2021:0381-01
Distribution: Red Hat
Platforms: Red Hat Virtualization
Date: Tue, 2 February 2021, 22:36
References: https://access.redhat.com/security/cve/CVE-2020-25649
Applications: Jackson

Original message


=====================================================================
Red Hat Security Advisory

Synopsis: Low: RHV-M(ovirt-engine) 4.4.z security, bug fix,
enhancement update [ovirt-4.4.4]
Advisory ID: RHSA-2021:0381-01
Product: Red Hat Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0381
Issue date: 2021-02-02
CVE Names: CVE-2020-25649
=====================================================================

1. Summary:

Updated ovirt-engine packages that fix several bugs and add various
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch

3. Description:

The ovirt-engine package provides the Red Hat Virtualization Manager, a
centralized management platform that allows system administrators to view
and manage virtual machines. The Manager provides a comprehensive range of
features including search capabilities, resource management, live
migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several
interfaces through which the virtual environment can be accessed and
interacted with, including an Administration Portal, a VM Portal, and a
Representational State Transfer (REST) Application Programming Interface
(API).

Security Fix(es):

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
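To make the fixed issue concrete for anyone who binds JSON to org.w3c.dom.Document in their own code: the following is an added example, not code from this advisory, from Red Hat, or from FasterXML. It shows the shape of the CVE-2020-25649 vector (a JSON string carrying an XML document with a DOCTYPE that declares an external entity, handed to jackson-databind's built-in DOMDeserializer) next to a hardened custom deserializer that refuses DOCTYPEs and external entities before any resolution can happen. It assumes jackson-databind 2.9/2.10 on the classpath; the class names, the SafeDocumentDeserializer name and the file path in the constructed payload are illustrative, and the hardened deserializer is this example's own mitigation rather than the upstream patch (upstream fixed the issue inside DOMDeserializer in 2.9.10.7 and 2.10.5.1).

```java
// Added example (not advisory, Red Hat or FasterXML code): CVE-2020-25649 vector
// through jackson-databind's DOMDeserializer, beside a hardened replacement.
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.IOException;
import java.io.StringReader;

public class JacksonDomXxeDemo {

    // Constructed payload: a JSON string whose value is an XML document with a
    // DOCTYPE declaring an external entity. The file path is illustrative.
    static final String PAYLOAD =
        "\"<?xml version=\\\"1.0\\\"?>"
        + "<!DOCTYPE r [<!ENTITY x SYSTEM \\\"file:///etc/hostname\\\">]>"
        + "<r>&x;</r>\"";

    // Target bean with a Document field: the case the built-in DOMDeserializer serves.
    public static class Config {
        public Document xml;
    }

    // Hypothetical hardened deserializer: parses with a DocumentBuilderFactory
    // that disallows DOCTYPEs and external entities, and fails closed on any error.
    static final class SafeDocumentDeserializer extends StdDeserializer<Document> {
        SafeDocumentDeserializer() { super(Document.class); }

        @Override
        public Document deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String text = p.getValueAsString();
            if (text == null) {
                // Not a JSON string at all: let Jackson report the unexpected token.
                return (Document) ctxt.handleUnexpectedToken(Document.class, p);
            }
            try {
                DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
                f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                f.setFeature("http://xml.org/sax/features/external-general-entities", false);
                f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                f.setXIncludeAware(false);
                f.setExpandEntityReferences(false);
                return f.newDocumentBuilder().parse(new InputSource(new StringReader(text)));
            } catch (Exception e) {
                // Reject the input outright rather than fall back to a permissive parser.
                throw ctxt.weirdStringException(text, Document.class, "XML rejected: " + e.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String json = "{\"xml\":" + PAYLOAD + "}";

        // 1) Built-in DOMDeserializer. On an unpatched jackson-databind the parser
        //    resolves &x; and the referenced file's contents end up in the DOM.
        ObjectMapper vulnerable = new ObjectMapper();
        try {
            Config c = vulnerable.readValue(json, Config.class);
            System.out.println("resolved text: " + c.xml.getDocumentElement().getTextContent());
        } catch (IOException e) {
            System.out.println("parse failed (patched library or no file access): " + e.getMessage());
        }

        // 2) Same input with the hardened deserializer registered for Document:
        //    the DOCTYPE is refused before any entity can be resolved.
        SimpleModule m = new SimpleModule()
            .addDeserializer(Document.class, new SafeDocumentDeserializer());
        ObjectMapper hardened = new ObjectMapper().registerModule(m);
        try {
            hardened.readValue(json, Config.class);
            System.out.println("unexpected: payload accepted");
        } catch (IOException e) {
            System.out.println("hardened mapper rejected input: " + e.getMessage());
        }
    }
}
```

The practical takeaway for an application team is the second half: if a Document-typed field must accept untrusted JSON, register your own deserializer with DTDs disabled regardless of library version, and treat a parser error as a rejected request rather than retrying with default settings.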

Bug Fix(es):

* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API
1702237 - [RFE] add API for listing disksnapshots under disk resource
1796231 - VM disk remains in locked state if image transfer (image download) times out due to inactivity.
1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information.
1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM.
1879655 - [RFE] Implement searching VMs with partial name or case sensitive VM names in VM Portal.
1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x
1881115 - RHEL VM icons squashed, please adhere to brand rules
1881357 - German language greeting page says Red Hat®
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom
1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env
1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version
1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine.
1903595 - [PPC] Can't add PPC host to Engine

6. Package List:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:
ovirt-engine-4.4.4.5-0.10.el8ev.src.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.src.rpm
ovirt-web-ui-1.6.6-1.el8ev.src.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.src.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.src.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.src.rpm

noarch:
ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-backend-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dbscripts-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-dwh-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-grafana-integration-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-dwh-setup-4.4.4.2-1.el8ev.noarch.rpm
ovirt-engine-health-check-bundler-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-restapi-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-base-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-cinderlib-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-imageio-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-ovirt-engine-common-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-setup-plugin-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-tools-backup-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-vmconsole-proxy-helper-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-webadmin-portal-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-engine-websocket-proxy-4.4.4.5-0.10.el8ev.noarch.rpm
ovirt-web-ui-1.6.6-1.el8ev.noarch.rpm
python3-ovirt-engine-lib-4.4.4.5-0.10.el8ev.noarch.rpm
rhv-log-collector-analyzer-1.0.6-1.el8ev.noarch.rpm
rhvm-4.4.4.5-0.10.el8ev.noarch.rpm
rhvm-branding-rhv-4.4.7-1.el8ev.noarch.rpm
vdsm-jsonrpc-java-1.6.0-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce