
Red Hat OpenShift 4.7.0 Moderate Advisory: Multiple Security Issues

Red Hat, May 19, 2021
New updates featuring security enhancements and bug corrections released for Red Hat OpenShift Container Storage 4.7.0 on RHEL 8.
Updated images which include numerous security fixes, bug fixes, and enhancements are now available for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.
Security Fix(es):
* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
* kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565)
* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
* nodejs-date-and-time: ReDoS in parsing via date.compile (CVE-2020-26289)
* golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
* golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)
* NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528)
* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
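Two of the items above (CVE-2020-8565 and CVE-2021-3528) are credential leaks into log files rather than remote code paths, so the practical defender's check is to sweep existing logs for exposed tokens before and after the upgrade. The routine below is an added example, not code from Red Hat or from the advisory; the log lines and token values in it are constructed for illustration.

```python
"""Find and redact bearer/RPC auth tokens that were written to log files."""
import re

# Patterns for the two shapes of leak named in the advisory:
#   - an HTTP "Authorization: Bearer <token>" header echoed by a verbose client
#   - a JSON or key=value field named auth_token / AuthToken
TOKEN_PATTERNS = [
    re.compile(r'(Authorization:\s*Bearer\s+)([A-Za-z0-9._~+/=-]+)'),
    re.compile(r'("?auth_?token"?\s*[:=]\s*"?)([A-Za-z0-9._~+/=-]{8,})', re.IGNORECASE),
]

# Constructed sample log lines (not real kubernetes or noobaa-operator output).
SAMPLE_LOG = [
    'I0519 10:00:01 round_trippers.go:443 GET https://api.example.internal:6443/api/v1/pods 200 OK',
    'I0519 10:00:01 round_trippers.go:449 Request Headers: Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.constructedpayload.sig',
    '{"level":"info","msg":"rpc call","auth_token":"c0nstructedRpcT0ken1234","method":"read_system"}',
    'I0519 10:00:02 reconciler.go:88 Reconciling StorageCluster ocs-storagecluster',
]


def redact(line):
    """Return (redacted_line, number_of_secrets_found) for one log line."""
    total = 0
    for pat in TOKEN_PATTERNS:
        # Keep the field name / header name, replace only the secret value.
        line, n = pat.subn(lambda m: m.group(1) + "[REDACTED]", line)
        total += n
    return line, total


def scan(lines):
    """Return [(1-based line number, redacted line)] for every line that leaked a token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact(line)
        if found:
            hits.append((number, redacted))
    return hits


if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Any hit means the token in question should be treated as exposed and rotated, not merely scrubbed from the file.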
Bug Fix(es):
This update includes various bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Container Storage Release Notes for information on the most significant of these changes:
torage/4.7/html-single/4.7_release_notes/index
All Red Hat OpenShift Container Storage users are advised to upgrade to these updated images.

References

https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-7774
https://access.redhat.com/security/cve/CVE-2020-8565
https://access.redhat.com/security/cve/CVE-2020-25678
https://access.redhat.com/security/cve/CVE-2020-26160
https://access.redhat.com/security/cve/CVE-2020-26289
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3139
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-3528
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity: important

Advisory ID: RHSA-2021:2041-01
Product: Red Hat OpenShift Container Storage
Issue date: 2021-05-19

Topic

Updated images which include numerous security fixes, bug fixes, and enhancements are now available for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1

1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts

1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability

1850089 - OBC CRD is outdated and leads to missing columns in get queries

1860594 - Toolbox pod should have toleration for OCS tainted nodes

1861104 - OCS podDisruptionBudget prevents successful OCP upgrades

1861878 - [RFE] use appropriate PDB values for OSD

1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step.

1869406 - must-gather should include historical pod logs

1872730 - [RFE][External mode] Re-configure noobaa to use the updated RGW endpoint from the RHCS cluster

1874367 - "Create Backing Store" page doesn't allow to select already defined k8s secret as target bucket credentials when Google Cloud Storage is selected as a provider

1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability

1886112 - log message flood with Reconciling StorageCluster","Request.Namespace":"openshift-storage","Request.Name":"ocs-storagecluster"

1886416 - Uninstall 4.6: ocs-operator logging regarding noobaa-core PVC needs change

1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
