-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.5 security and bug fix update
Advisory ID:       RHSA-2021:1005-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1005
Issue date:        2021-04-05
CVE Names:         CVE-2021-3121 CVE-2021-20206 
====================================================================
1. Summary:

Red Hat OpenShift Container Platform release 4.7.5 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.5. See the following advisory for the RPM packages for
this release:

https://access.redhat.com/errata/RHSA-2021:1006

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
- -between-minor.html#understanding-upgrade-channels_updating-cluster-between
- -minor

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

* containernetworking-cni: Arbitrary path injection via type field in CNI
configuration (CVE-2021-20206)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs. Documentation for these changes is
available from the Release Notes document linked to in the References
section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-x86_64

The image digest is
sha256:0a4c44daf1666f069258aa983a66afa2f3998b78ced79faa6174e0a0f438f0a5

(For s390x architecture)

  $ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-s390x

The image digest is
sha256:3fc802aafb72402768bbf1b19ce7c6de95256e5cc50799390e63f40d96cec3cd

(For ppc64le architecture)

  $ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-ppc64le

The image digest is
sha256:5cf6b61198337cd0950e63296be4e48e991721ac17c625f7fd77cf557f08efc7

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
- -cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1917904 - [release-4.7] bump k8s.io/apiserver to 1.20.3
1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1925792 - "Edit Annotation" are not correctly translated in Chinese
1927198 - [e2e][automation] Fix pvc string in pvc.view
1927311 - Performance: Console makes unnecessary requests for en-US messages on load
1927953 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it
1928151 - Manually misspelled as Manualy
1928614 - NTO may fail to disable stalld when relying on Tuned '[service]' plugin
1929118 - Update plugins and Jenkins version to prepare openshift-sync-plugin 1.0.46 release
1929246 - Missing info for Operational Status, Provisioning status, BMC, Hostname, ID for BMH for OCP deployed with assisted installer
1929674 - [sig-network] pods should successfully create sandboxes by getting pod
1931382 - Pipelines shown in edit flow for Workloads created via ContainerImage flow
1931520 - multicast traffic is not working on ovn-kubernetes
1931622 - LoadBalancer service check test fails during vsphere upgrade
1931856 - ServiceAccount Registry Authfiles Do Not Contain Entries for Public Hostnames
1932268 - ovn-kubernetes endpoint slice controller doesn't run on CI jobs
1932272 - Items marked as mandatory in KMS Provider form are not enforced
1932277 - Create new pool with arbiter - wrong replica
1932806 - release-4.7: e2e: test OAuth API connections in the tests by that name
1933205 - /usr/lib/dracut/modules.d/30ignition/ignition --version sigsev
1933665 - Getting Forbidden for image in a container template when creating a sample app
1934442 - [release-4.7] Gather info about unhealthy SAP pods
1935070 - (release-4.7) Extend OLM operator gatherer to include Operator/ClusterServiceVersion conditions
1935180 - [4.7z] IGMP/MLD packets being dropped
1935605 - [Backport 4.7] Add memory and uptime metadata to IO archive
1935672 - pipelinerun status icon rendering issue
1935707 - test: Detect when the master pool is still updating after upgrade
1936337 - console operator panics in DefaultDeployment with nil cm
1936802 - (release-4.7) Authentication log gatherer shouldn't scan all the pod logs in the openshift-authentication namespace
1936975 - VSphereProblemDetectorControllerDegraded: context canceled during upgrade to 4.7.0
1937089 - cluster DNS experiencing disruptions during cluster upgrade in insights cluster
1937214 - Ingress operator performs spurious updates in response to API's defaulting of NodePort service's clusterIPs field
1937356 - Incorrect imagestream is shown as selected in knative service container image edit flow
1937375 - [release-4.7] When deploying the operator via OLM (after creating the respective catalogsource), the deployment "lost" the `resources` section.
1938316 - [sig-instrumentation][Late] Alerts shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured: Prometheus query error
1938921 - Router HAProxy config file template is slow to render due to repetitive regex compilations
1938960 - Permissive Egress NetworkPolicy (0.0.0.0/0) is blocking all traffic
1939061 - [release-4.7] Sap license management logs gatherer 4.7
1939199 - move to go 1.15 and registry.ci.openshift.org
1939608 - FilterToolbar component does not handle 'null' value for 'rowFilters' prop
1940052 - Not all image pulls within OpenShift builds retry
1940806 - [4.7z] CNO: nodes and masters are upgrading simultaneously
1940866 - Add BareMetalPlatformType into e2e upgrade service unsupported list
1941128 - fix co upgradeableFalse status and reason
1941217 - Bare-metal operator is firing for ClusterOperatorDown for 15m during 4.6 to 4.7 upgrade
1941246 - Openshift-apiserver CO unavailable during cluster upgrade from 4.6 to 4.7
1941367 - The containerruntimecontroller doesn't roll back to CR-1 if we delete CR-2
1941468 - (release-4.7) 'More about Insights' link points to support link
1941574 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it [Suite:openshift/conformance/parallel/minimal]
1942059 - `oc adm catalog mirror` doesn't work for the air-gapped cluster
1942068 - [release-4.7] Gahter datahubs.installers.datahub.sap.com resources from SAP clusters1943310 - [SCALE] enable OVN DB memory trimming on compaction

5. References:

https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-20206
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYGsbdtzjgjWX9erEAQi9Jg//XinGV4VTRIg1jiwdm/c5YjRoEZYln/VI
ITJC7jjMO9TUyuV6WUbllthmxY7uMP/YX0LC6YyC6+7MECUta0sOqN37O2RIFdyV
VQFEzGlpNEIRIUUWM16ZCGX7om5RNFWXtBrya9/oYxNR5ftQr3MY1sO77xCE2tfs
ij0WXVMX+5V0RX2SCy5USSNTWW8ZPk8EasR3yv/rw6jeVo+AnW99plSg8lrHNlWk
Zwo6BlRkO7HGt4gkD+ECBMdKm8ND4ZUx7pcKophVRueNAsFk1M2UCpQC+WpQmXXF
1HNhwCR31HNc5lkR7nfgTDKQRsyzD1N5O4UTdmh1bnMFsgcGE37NX0dmysKPUYuh
DUuI3qc85PfkNb3/9vJvyo+r79/D5s8xsFYbHAXqYlbdeKKS13ztSsxirhwWsZ7x
jwX+UbKrt/PKTVZyyq80VPVeZvLhl/Jq8lJ9BaYEp6BROKqS6lpie7wLayZTxSWS
tCuxO0zoye/HkOzkaWLc9tygVzdJZ/aaDxtMJ+B/nghsv7w+w5/CS9RCqJiFPAz+
t9BkXKWFcqD+fpzjCmSYi4FgG3sFEeSQDIfZlm0+QyVp88tp6Xf96trYqTYdvh7e
1/dn8Wc5zN29Lv7nl5w+Mb+91cZweKQ6a8XbcZGu3v8t0Xs48u0DcYLImvqI7H+4
6Lr59pNFewo=qhQn
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-1005:01 Moderate: OpenShift Container Platform 4.7.5

Red Hat OpenShift Container Platform release 4.7.5 is now available with updates to packages and images that fix several bugs and add enhancements

Summary

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.5. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2021:1006
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
* containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update also fixes several bugs. Documentation for these changes is available from the Release Notes document linked to in the References section.
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.20-x86_64
The image digest is sha256:0a4c44daf1666f069258aa983a66afa2f3998b78ced79faa6174e0a0f438f0a5
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.20-s390x
The image digest is sha256:3fc802aafb72402768bbf1b19ce7c6de95256e5cc50799390e63f40d96cec3cd
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.20-ppc64le
The image digest is sha256:5cf6b61198337cd0950e63296be4e48e991721ac17c625f7fd77cf557f08efc7

Summary

Solution

For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
Details on how to access this content are available at - -cli.html.

References

https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-20206 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity

Advisory ID: RHSA-2021:1005-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2021:1005

Issued Date: : 2021-04-05

CVE Names: CVE-2021-3121 CVE-2021-20206

Topic

Red Hat OpenShift Container Platform release 4.7.5 is now available withupdates to packages and images that fix several bugs and add enhancements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topic

Relevant Releases Architectures

Bugs Fixed

1917904 - [release-4.7] bump k8s.io/apiserver to 1.20.3

1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation

1925792 - "Edit Annotation" are not correctly translated in Chinese

1927198 - [e2e][automation] Fix pvc string in pvc.view

1927311 - Performance: Console makes unnecessary requests for en-US messages on load

1927953 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it

1928151 - Manually misspelled as Manualy

1928614 - NTO may fail to disable stalld when relying on Tuned '[service]' plugin

1929118 - Update plugins and Jenkins version to prepare openshift-sync-plugin 1.0.46 release

1929246 - Missing info for Operational Status, Provisioning status, BMC, Hostname, ID for BMH for OCP deployed with assisted installer

1929674 - [sig-network] pods should successfully create sandboxes by getting pod

1931382 - Pipelines shown in edit flow for Workloads created via ContainerImage flow

1931520 - multicast traffic is not working on ovn-kubernetes

1931622 - LoadBalancer service check test fails during vsphere upgrade

1931856 - ServiceAccount Registry Authfiles Do Not Contain Entries for Public Hostnames

1932268 - ovn-kubernetes endpoint slice controller doesn't run on CI jobs

1932272 - Items marked as mandatory in KMS Provider form are not enforced

1932277 - Create new pool with arbiter - wrong replica

1932806 - release-4.7: e2e: test OAuth API connections in the tests by that name

1933205 - /usr/lib/dracut/modules.d/30ignition/ignition --version sigsev

1933665 - Getting Forbidden for image in a container template when creating a sample app

1934442 - [release-4.7] Gather info about unhealthy SAP pods

1935070 - (release-4.7) Extend OLM operator gatherer to include Operator/ClusterServiceVersion conditions

1935180 - [4.7z] IGMP/MLD packets being dropped

1935605 - [Backport 4.7] Add memory and uptime metadata to IO archive

1935672 - pipelinerun status icon rendering issue

1935707 - test: Detect when the master pool is still updating after upgrade

1936337 - console operator panics in DefaultDeployment with nil cm

1936802 - (release-4.7) Authentication log gatherer shouldn't scan all the pod logs in the openshift-authentication namespace

1936975 - VSphereProblemDetectorControllerDegraded: context canceled during upgrade to 4.7.0

1937089 - cluster DNS experiencing disruptions during cluster upgrade in insights cluster

1937214 - Ingress operator performs spurious updates in response to API's defaulting of NodePort service's clusterIPs field

1937356 - Incorrect imagestream is shown as selected in knative service container image edit flow

1937375 - [release-4.7] When deploying the operator via OLM (after creating the respective catalogsource), the deployment "lost" the `resources` section.

1938316 - [sig-instrumentation][Late] Alerts shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured: Prometheus query error

1938921 - Router HAProxy config file template is slow to render due to repetitive regex compilations

1938960 - Permissive Egress NetworkPolicy (0.0.0.0/0) is blocking all traffic

1939061 - [release-4.7] Sap license management logs gatherer 4.7

1939199 - move to go 1.15 and registry.ci.openshift.org

1939608 - FilterToolbar component does not handle 'null' value for 'rowFilters' prop

1940052 - Not all image pulls within OpenShift builds retry

1940806 - [4.7z] CNO: nodes and masters are upgrading simultaneously

1940866 - Add BareMetalPlatformType into e2e upgrade service unsupported list

1941128 - fix co upgradeableFalse status and reason

1941217 - Bare-metal operator is firing for ClusterOperatorDown for 15m during 4.6 to 4.7 upgrade

1941246 - Openshift-apiserver CO unavailable during cluster upgrade from 4.6 to 4.7

1941367 - The containerruntimecontroller doesn't roll back to CR-1 if we delete CR-2

1941468 - (release-4.7) 'More about Insights' link points to support link

1941574 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it [Suite:openshift/conformance/parallel/minimal]

1942059 - `oc adm catalog mirror` doesn't work for the air-gapped cluster

1942068 - [release-4.7] Gahter datahubs.installers.datahub.sap.com resources from SAP clusters1943310 - [SCALE] enable OVN DB memory trimming on compaction