CVSS3: 7.4 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS: 0.061 Low
Percentile: 93.4%

The org.ovirt.engine-root is a core component of oVirt.
The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734)
A list of bugs fixed in this update is available in the Technical Notes book:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
Security Fix(es):
nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
jquery: Cross-site scripting due to improper jQuery.htmlPrefilter method (CVE-2020-11022)
jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
Cannot assign direct LUN from FC storage - grayed out (BZ#1625499)
VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217)
RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520)
On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879)
Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206)
Scheduling Memory calculation disregards huge-pages (BZ#1804037)
Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046)
In Admin Portal, “Huge Pages (size: amount)” needs to be clarified (BZ#1806339)
Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051)
Unable to create Windows VM’s with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234)
[RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488)
[CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377)
Cannot create KubeVirt VM as a normal user (BZ#1859460)
Welcome page - remove Metrics Store links and update “Insights Guide” link (BZ#1866466)
[RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209)
VM vm-name is down with error. Exit message: unsupported configuration: Can’t add USB input device. USB bus is disabled. (BZ#1871235)
spec_ctrl host feature not detected (BZ#1875609)
Enhancement(s):
[RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877)
[RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803)
[RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812)
[RFE] enhance search filter for Storage Domains with free argument (BZ#1819260)