From 8d28dbb6c784ec3331f2d10978cf4c194ba34fe1 Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Mon, 5 Feb 2024 22:01:03 +0000 Subject: [PATCH 01/22] MTV-921: MTV 2.5.5 Release notes Signed-off-by: Andy Arnold --- documentation/modules/rn-2.5.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index 2854c59b0f1..bed00cfc03d 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc @@ -135,6 +135,10 @@ For a complete list of all known issues in this release, see the list of link:ht This release has the following resolved issues: +.Flaw was found in jsrsasign package which is vulnerable to Observable Discrepancy + +Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround This vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in MTV 2.5.5. + .Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) From e9b262966e2c5d0ded9a707dc9822342d1b7f82a Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Wed, 7 Feb 2024 12:11:21 +0000 Subject: [PATCH 02/22] Update documentation/modules/rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index bed00cfc03d..f98f25c43be 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc 
@@ -137,7 +137,7 @@ This release has the following resolved issues: .Flaw was found in jsrsasign package which is vulnerable to Observable Discrepancy -Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround This vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in MTV 2.5.5. +Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. .Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) From bbb7b16cd237f606c0f2cf25175ede0ea1cb2cbf Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Wed, 7 Feb 2024 12:12:42 +0000 Subject: [PATCH 03/22] Update documentation/modules/rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index f98f25c43be..5f249f8a3ab 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc 
@@ -137,7 +137,7 @@ This release has the following resolved issues: .Flaw was found in jsrsasign package which is vulnerable to Observable Discrepancy -Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting this vulnerability. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. +Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy in the RSA PKCS1.5 or RSAOAEP decryption process. This discrepancy means an attacker could decrypt ciphertexts by exploiting this vulnerability. However, exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. .Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) From 32167b0339e0928ae1f696a926c6e39d4a1f4428 Mon Sep 17 00:00:00 2001 From: HagayVider1 Date: Thu, 8 Feb 2024 15:50:29 +0200 Subject: [PATCH 04/22] MTV-921: MTV release notes 2.5.5 Signed-off-by: HagayVider1 --- documentation/modules/rn-2.5.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index 5f249f8a3ab..ee4a63a28ce 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc 
@@ -20,6 +20,8 @@ The release notes describe technical changes, new features and enhancements, and This release has the following technical changes: +// Speak to Arik about technical changes for MTV 2.5.5 + .Migration from OpenStack moves to being a fully supported feature In this version of {project-short}, migration using OpenStack source providers graduated from a Technology Preview feature to a fully supported feature. From e11dbde359de37d214f651eab04a732bb0b1255f Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Tue, 13 Feb 2024 19:21:33 +0000 Subject: [PATCH 05/22] Update rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index ee4a63a28ce..dc05d7d4f06 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc @@ -129,6 +129,7 @@ When migrating VMs that are installed with RHEL 9 as guest operating system from When adding an OVA provider, the error message `ConnectionTestFailed` may instantly appear, although the provider is created successfully. If the message does not disappear after a few minutes and the provider status does not move to `Ready`, this means that the `ova server pod creation` has failed. link:https://issues.redhat.com/browse/MTV-671[(MTV-671)] +// update filter For a complete list of all known issues in this release, see the list of link:https://issues.redhat.com/browse/MTV-740?filter=12424645[Known Issues] in Jira. 
@@ -293,7 +294,7 @@ This issue is resolved in {project-short} {project-version}, VM with multiple di .Transfer network not taken into account for cold migrations from vSphere In {project-short} releases 2.4.0-2.5.3, cold migrations from vSphere to the local cluster on which {project-short} was deployed did not take a specified transfer network into account. This issue is resolved in {project-short} 2.5.4. link:https://issues.redhat.com/browse/MTV-846[(MTV-846)] - +// update filter For a complete list of all resolved issues in this release, see the list of link:https://issues.redhat.com/browse/MTV-666?filter=12424644[Resolved Issues] in Jira. [id="upgrade-notes-25_{context}"] From f291119682e8877dad17a0b28a3c5e96f2d5a390 Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Tue, 13 Feb 2024 21:53:36 +0000 Subject: [PATCH 06/22] Update documentation/modules/rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index dc05d7d4f06..a5ac4833bb7 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc @@ -142,6 +142,7 @@ This release has the following resolved issues: Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy in the RSA PKCS1.5 or RSAOAEP decryption process. This discrepancy means an attacker could decrypt ciphertexts by exploiting this vulnerability. However, exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. +For more information, see link:https://access.redhat.com/security/cve/CVE-2023-26159[CVE-2023-26159]. .Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) 
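Review bot: In PATCH 03/22 the reworded jsrsasign paragraph still spells the schemes inconsistently: "RSA PKCS1.5 or RSAOAEP" in the first sentence and "RSA and RSAOAEP decryption" in the workaround sentence. Use one spelling per scheme throughout (for example "RSA-OAEP"), and say what the workaround replaces, for example "replace the `jsrsasign` RSA PKCS1.5 and RSA-OAEP decryption calls with those of another crypto library". As written, "replace RSA and RSAOAEP decryption with another crypto library" can be read as advice to drop RSA altogether.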
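Review bot: The comment added under "This release has the following technical changes:" in PATCH 04/22, "// Speak to Arik about technical changes for MTV 2.5.5", is a personal to-do rather than documentation, and the section beneath it still opens with the OpenStack item. Resolve it before merge, or replace it with a pointer to the tracking issue (the commit subject cites MTV-921) so the open question is not carried as an in-file comment.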
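Review bot: In the second hunk of PATCH 05/22 (@@ -293,7 +294,7 @@) the blank line after the MTV-846 paragraph is replaced by "// update filter". An AsciiDoc line comment does not end a paragraph, so "For a complete list of all resolved issues in this release ..." now renders as a continuation of the MTV-846 item. Keep the blank line and add the comment on its own line after it. The comment should also say what has to change (the `filter=` ids in the Jira links), since "update filter" alone gives the next editor nothing to act on.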
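Review bot: The "For more information" line added in PATCH 06/22 links CVE-2023-26159 for the jsrsasign flaw, while the subject of PATCH 08/22 in this series reads "added CVE-2024-21484 to resolved issues". Confirm which CVE id the jsrsasign Observable Discrepancy advisory carries, and make both the link target and the link text match it before this ships. A wrong id in release notes sends readers to an unrelated advisory when they check whether they are affected.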
From 6f3a4491a2b26586078d73d7e2d2561487f3e491 Mon Sep 17 00:00:00 2001 From: Andy Arnold Date: Tue, 13 Feb 2024 21:54:14 +0000 Subject: [PATCH 07/22] Update documentation/modules/rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index a5ac4833bb7..5a9f704353c 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc @@ -140,7 +140,7 @@ This release has the following resolved issues: .Flaw was found in jsrsasign package which is vulnerable to Observable Discrepancy -Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy in the RSA PKCS1.5 or RSAOAEP decryption process. This discrepancy means an attacker could decrypt ciphertexts by exploiting this vulnerability. However, exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. +Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy in the RSA PKCS1.5 or RSA-OAEP decryption process. This discrepancy means an attacker could decrypt ciphertexts by exploiting this vulnerability. However, exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. For more information, see link:https://access.redhat.com/security/cve/CVE-2023-26159[CVE-2023-26159]. From 555194b30aa872ca3c7e82fe14ab0f50ff792f36 Mon Sep 17 00:00:00 2001 
From: Hagay Vider <117353486+HagayVider1@users.noreply.github.com> Date: Thu, 15 Feb 2024 14:26:16 +0200 Subject: [PATCH 08/22] Update added CVE-2024-21484 to resolved issues rn-2.5.adoc --- documentation/modules/rn-2.5.adoc | 210 +----------------------------- 1 file changed, 5 insertions(+), 205 deletions(-) diff --git a/documentation/modules/rn-2.5.adoc b/documentation/modules/rn-2.5.adoc index 5a9f704353c..2069f0fecb0 100644 --- a/documentation/modules/rn-2.5.adoc +++ b/documentation/modules/rn-2.5.adoc 
@@ -95,218 +95,18 @@ To make use of this new feature, set the value of the parameter `controller_bloc This release has the following known issues: -.Deleting migration plan does not remove temporary resources +.Known issue -Deleting a migration plan does not remove temporary resources such as importer pods, conversion pods, config maps, secrets, failed VMs and data volumes. You must archive a migration plan before deleting it to clean up the temporary resources. link:https://bugzilla.redhat.com/show_bug.cgi?id=2018974[(BZ#2018974)] +Known issue -.Unclear error status message for VM with no operating system - -The error status message for a VM with no operating system on the *Plans* page of the web console does not describe the reason for the failure. link:https://bugzilla.redhat.com/show_bug.cgi?id=2008846[(BZ#22008846)] - -.Migration of virtual machines with encrypted partitions fails during conversion - -vSphere only: Migrations from {rhv-short} and OpenStack do not fail, but the encryption key may be missing on the target {ocp} cluster. - - -.Migration fails during precopy/cutover while a snapshot operation is performed on the source VM - -Warm migration from {rhv-short} fails if a snapshot operation is performed on the source VM. If a user performs a snapshot operation on the source VM at the time when a migration snapshot is scheduled, the migration fails instead of waiting for the user’s snapshot operation to finish. link:https://issues.redhat.com/browse/MTV-456[(MTV-456)] - -.Unable to schedule migrated VM with multiple disks to more than one storage classes of type hostPath - -When migrating a VM with multiple disks to more than one storage classes of type `hostPath`, it might happen that a VM cannot be scheduled. Workaround: Use shared storage on the target {ocp} cluster. 
- -.Non-supported guest operating systems in warm migrations - -Warm migrations and migrations to remote {ocp} clusters from vSphere do not support all types of guest operating systems that are supported in cold migrations to the local {ocp} cluster. This is a consequence of using RHEL 8 in the former case and RHEL 9 in the latter case. + -See link:https://access.redhat.com/articles/1351473[Converting virtual machines from other hypervisors to KVM with virt-v2v in RHEL 7, RHEL 8, and RHEL 9] for the list of supported guest operating systems. - -.VMs from vSphere with RHEL 9 guest operating system may start with network interfaces that are down - -When migrating VMs that are installed with RHEL 9 as guest operating system from vSphere, the network interfaces of the VMs could be disabled when they start in {ocp-name} Virtualization. link:https://issues.redhat.com/browse/MTV-491[(MTV-491)] - -.Import OVA: ConnectionTestFailed message appears when adding OVA provider - -When adding an OVA provider, the error message `ConnectionTestFailed` may instantly appear, although the provider is created successfully. If the message does not disappear after a few minutes and the provider status does not move to `Ready`, this means that the `ova server pod creation` has failed. link:https://issues.redhat.com/browse/MTV-671[(MTV-671)] - -// update filter -For a complete list of all known issues in this release, see the list of link:https://issues.redhat.com/browse/MTV-740?filter=12424645[Known Issues] in Jira. - - -[id="resolved-issues-25_{context}"] +[id="resolved-issues-255_{context}"] == Resolved issues This release has the following resolved issues: -.Flaw was found in jsrsasign package which is vulnerable to Observable Discrepancy - -Versions of the package `jsrsasign` before 11.0.0, used in previous releases of {project-short}, are vulnerable to Observable Discrepancy in the RSA PKCS1.5 or RSA-OAEP decryption process. 
This discrepancy means an attacker could decrypt ciphertexts by exploiting this vulnerability. However, exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. One proposed workaround is to find and replace RSA and RSAOAEP decryption with another crypto library. This issue has been resolved in {project-short} 2.5.5. - -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-26159[CVE-2023-26159]. - -.Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) - -A flaw was found in handling multiplexed streams in the HTTP/2 protocol. In previous releases of {project-short}, the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation could reset multiple streams quickly. The server had to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption. - -This issue has been resolved in {project-short} 2.5.2. It is advised to update to this version of MTV or later. - -For more information, see link:https://access.redhat.com/security/cve/cve-2023-44487[CVE-2023-44487 (Rapid Reset Attack)] and link:https://access.redhat.com/security/cve/cve-2023-39325[CVE-2023-39325 (Rapid Reset Attack)]. - - -.Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function - -A flaw was found in the Gin-Gonic Gin Web Framework, used by {project-short}. The filename parameter of the `Context.FileAttachment` function was not properly sanitized. This flaw in the package could allow a remote attacker to bypass security restrictions caused by improper input validation by the filename parameter of the `Context.FileAttachment` function.  
A maliciously created filename could cause the `Content-Disposition` header to be sent with an unexpected filename value, or otherwise modify the `Content-Disposition` header. - - -This issue has been resolved in {project-short} 2.5.2. It is advised to update to this version of {project-short} or later. - -For more information, see link:https://access.redhat.com/security/cve/cve-2023-29401[CVE-2023-29401 (Gin-Gonic Gin Web Framework)] and link:https://access.redhat.com/security/cve/CVE-2023-26125[CVE-2023-26125]. - - -.CVE-2023-26144: mtv-console-plugin-container: graphql: Insufficient checks in the OverlappingFieldsCanBeMergedRule.ts - -A flaw was found in the package GraphQL from 16.3.0 and before 16.8.1. This flaw means {project-short} versions before {project-short} 2.5.2 are vulnerable to Denial of Service (DoS) due to insufficient checks in the `OverlappingFieldsCanBeMergedRule.ts` file when parsing large queries. This issue may allow an attacker to degrade system performance. link:https://issues.redhat.com/browse/MTV-712[(MTV-712)] - -This issue has been resolved in {project-short} 2.5.2. It is advised to update to this version of {project-short} or later. - -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-26144[CVE-2023-26144]. - - -.CVE-2023-45142: Memory leak found in the otelhttp handler of open-telemetry - -A flaw was found in `otelhttp handler` of OpenTelemetry-Go. This flaw means {project-short} versions before {project-short} 2.5.3 are vulnerable to a memory leak caused by `http.user_agent` and `http.method` having unbound cardinality, which could allow a remote, unauthenticated attacker to exhaust the server's memory by sending many malicious requests, affecting the availability. link:https://issues.redhat.com/browse/MTV-795[(MTV-795)] - -This issue has been resolved in {project-short} 2.5.3. It is advised to update to this version of {project-short} or later. 
- -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-45142[CVE-2023-45142]. - - -.CVE-2023-39322: QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages - -A flaw was found in Golang. This flaw means {project-short} versions before {project-short} 2.5.3 are vulnerable to QUIC connections not setting an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size. link:https://issues.redhat.com/browse/MTV-708[(MTV-708)] - -This issue has been resolved in {project-short} 2.5.3. It is advised to update to this version of {project-short} or later. - -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-39322[CVE-2023-39322]. - - -.CVE-2023-39321: Processing an incomplete post-handshake message for a QUIC connection can cause a panic - -A flaw was found in Golang. This flaw means {project-short} versions before {project-short} 2.5.3 are vulnerable to processing an incomplete post-handshake message for a QUIC connection, which causes a panic. link:https://issues.redhat.com/browse/MTV-693[(MTV-693)] - -This issue has been resolved in {project-short} 2.5.3. It is advised to update to this version of {project-short} or later. - -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-39321[CVE-2023-39321]. - - -.CVE-2023-39319: Flaw in html/template package - -A flaw was found in the Golang `html/template` package used in {project-short}. This flaw means {project-short} versions before {project-short} 2.5.3 are vulnerable, as the `html/template` package did not properly handle occurrences of `` contexts. 
This flaw could cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped, which could be leveraged to perform an `XSS` attack. link:https://issues.redhat.com/browse/MTV-693[(MTV-693)] - -This issue has been resolved in {project-short} 2.5.3. It is advised to update to this version of {project-short} or later. - -For more information, see link:https://access.redhat.com/security/cve/CVE-2023-39319[CVE-2023-39319]. - - -.CVE-2023-39318: Flaw in html/template package - -A flaw was found in the Golang `html/template` package used in {project-short}. This flaw means {project-short} versions before {project-short} 2.5.3 are vulnerable as the `html/template` package did not properly handle HMTL-like `""` comment tokens, nor hashbang `\#!` comment tokens. This flaw could cause the template parser to improperly interpret the contents of `