Chapter 3. RHSA-2018:1524 Red Hat Virtualization Host 4.2 GA


The bugs in this chapter are addressed by advisory RHSA-2018:1524. Further information about this advisory is available at https://access.redhat.com/errata/RHSA-2018:1524.

imgbased

Currently, the Red Hat Virtualization Host generates VDSM certificates at the time of the first boot. This means that if the system clock was not set correctly at install time, chrony or ntpd may resynchronize the clock after the VDSM certificate was generated, leaving a certificate that is not yet valid if the local timezone is behind UTC. A workaround is to set the system clock correctly at install time. imgbased-configure-vdsm now starts after chronyd or ntpd and waits two seconds for the clock to synchronize, but this is not a guarantee.
Red Hat Virtualization Host now ensures that deleted configuration files are no longer restored from previous layers when upgrading.

ovirt-node-ng

This update ensures that Red Hat Virtualization Host (RHVH) synchronizes system-specific data in /usr. This ensures that systems registered to Satellite are still able to receive updates after upgrading.
In order to allow for faster remediation of kernel CVEs and for testing of fixes from newer kernels, RHVH now supports installation of new kernels without a full image update. New kernel installations properly update the bootloader configuration.
Previously, Red Hat Virtualization Host did not warn users if a local storage domain was placed on the same file system as / (root). As a result, local storage domains on the same file system as / were not migrated when the host was updated, leading to a potential loss of local virtual machines.

In this release, the host now fails to upgrade if storage domains are located on the same file system as /, and a message appears instructing the user how to resolve the issue. Local storage domains on / are therefore no longer at risk.
Red Hat Virtualization Manager now displays the Red Hat Virtualization Host version installed.
To properly set boot flags when grub2-mkconfig is run or a new kernel is installed, Red Hat Virtualization Host (RHVH) ships with a custom grub generator. This generator builds boot arguments from a list of all local LVM volume groups, but on systems with local storage domains on separate volume groups, those volume groups were also present in the list, which could result in incorrect flags in the grub.conf file. This update enables the RHVH grub generators to look explicitly for the RHVH volume group and ignore all others.

redhat-release-rhev-hypervisor

This update ensures that tuned.service is enabled by default to enable tuned-adm to set the active profile.

rhev-hypervisor-ng

In this release, a new version of Anaconda now includes storage constraint checks and default settings for Red Hat Virtualization Hosts (RHVH), which require a special partitioning layout. When custom partitioning is selected, LVM-thin is the default for RHVH.
In this release, Red Hat Virtualization Host supports NIST SP 800-53 partitioning requirements to improve security. Environments upgrading to Red Hat Virtualization 4.2 will also be configured to match NIST SP 800-53 partitioning requirements.
NTP is deprecated in favor of chrony in RHV 4.2. The updated default configuration allows users upgrading RHV-H to RHV 4.2 to transition seamlessly from NTP to chrony without intervention.

vulnerability

A command injection vulnerability was found in the 11-dhclient script provided by dhcp-client located in /etc/NetworkManager/dispatcher.d/11-dhclient. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
A privilege escalation flaw was found in the gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume and escalate privileges by scheduling a malicious cron job via a symlink.
A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via the Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; rather, they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via the Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; rather, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel, resulting in a denial of service.