Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

OpenShift: RHSA-2020:5633 Moderate: Network Threats And Auth Issues

red hat
Calendar Grey February 24, 2021
Dist Redhat Esm H88
Advisory issued for OpenShift Container Platform version 4.7.0, detailing significant vulnerabilities related to authentication and networking protocols.
Red Hat OpenShift Container Platform release 4.7.0 is now available

Solution

For OpenShift Container Platform 4.7, see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.7/html/release_notes/ocp-4-7-release-notes

Details on how to access this content are available at - -cli.html.

Summary

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.0. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2020:5634
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.7/html/release_notes/ocp-4-7-release-notes
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-x86_64
The image digest is sha256:d74b1cfa81f8c9cc23336aee72d8ae9c9905e62c4874b071317a078c316f8a70
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-s390x
The image digest is sha256:a68ca03d87496ddfea0ac26b82af77231583a58a7836b95de85efe5e390ad45d
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.0-ppc64le
The image digest is sha256:bc7b04e038c8ff3a33b827f4ee19aa79b26e14c359a7dcc1ced9f3b58e5f1ac6
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor.
Security Fix(es):
* crewjam/saml: authentication bypass in saml authentication (CVE-2020-27846)
* golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652)
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
* kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider (CVE-2020-8563)
* containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters (CVE-2020-10749)
* heketi: gluster-block volume password details available in logs (CVE-2020-10763)
* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
* golang-github-gorilla-websocket: integer overflow leads to denial of service (CVE-2020-27813)
* golang: math/big: panic during recursive division of very large numbers(CVE-2020-28362)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory bug fix moderate severity authentication issue authentication bypass cloud security network threat network vulnerabilities Red Hat OpenShift container platform openshift 4.7 kubernetes threats Kubernetes update

References

https://access.redhat.com/security/cve/CVE-2018-10103 https://access.redhat.com/security/cve/CVE-2018-10105 https://access.redhat.com/security/cve/CVE-2018-14461 https://access.redhat.com/security/cve/CVE-2018-14462 https://access.redhat.com/security/cve/CVE-2018-14463 https://access.redhat.com/security/cve/CVE-2018-14464 https://access.redhat.com/security/cve/CVE-2018-14465 https://access.redhat.com/security/cve/CVE-2018-14466 https://access.redhat.com/security/cve/CVE-2018-14467 https://access.redhat.com/security/cve/CVE-2018-14468 https://access.redhat.com/security/cve/CVE-2018-14469 https://access.redhat.com/security/cve/CVE-2018-14470 https://access.redhat.com/security/cve/CVE-2018-14553 https://access.redhat.com/security/cve/CVE-2018-14879 https://access.redhat.com/security/cve/CVE-2018-14880 https://access.redhat.com/security/cve/CVE-2018-14881 https://access.redhat.com/security/cve/CVE-2018-14882 https://access.redhat.com/security/cve/CVE-2018-16227 https://access.redhat.com/security/cve/CVE-2018-16228 https://access.redhat.com/security/cve/CVE-2018-16229 https://access.redhat.com/security/cve/CVE-2018-16230 https://access.redhat.com/security/cve/CVE-2018-16300 https://access.redhat.com/security/cve/CVE-2018-16451 Read the Full Advisory

Package List


Advisory ID: RHSA-2020:5633-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5633
Issue date: 2021-02-24

Topic

Red Hat OpenShift Container Platform release 4.7.0 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory bug fix moderate severity authentication issue authentication bypass cloud security network threat network vulnerabilities Red Hat OpenShift container platform openshift 4.7 kubernetes threats Kubernetes update

Relevant Releases Architectures

Bugs Fixed

1620608 - Restoring deployment config with history leads to weird state

1752220 - [OVN] Network Policy fails to work when project label gets overwritten

1756096 - Local storage operator should implement must-gather spec

1756173 - /etc/udev/rules.d/66-azure-storage.rules missing from initramfs

1768255 - installer reports 100% complete but failing components

1770017 - Init containers restart when the exited container is removed from node.

1775057 - [MSTR-485] Cluster is abnormal after etcd backup/restore when the backup is conducted during etcd encryption is migrating

1775444 - RFE: k8s cpu manager does not restrict /usr/bin/pod cpuset

1777038 - Cluster scaled beyond host subnet limits does not fire alert or cleanly report why it cannot scale

1777224 - InfraID in metadata.json and .openshift_install_state.json is not consistent when repeating `create` commands

1784298 - "Displaying with reduced resolution due to large dataset." would show under some conditions

1785399 - Under condition of heavy pod creation, creation fails with 'error reserving pod name ...: name is reserved"

1797766 - Resource Requirements" specDescriptor fields - CPU and Memory injects empty string YAML editor

1801089 - [OVN] Installation failed and monitoring pod not created due to some network error.

1805025 - [OSP] Machine status doesn't become "Failed" when creating a machine with invalid image

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here