Red Hat OpenShift Data Foundation 4.9.0 Security Advisory RHSA-2021-5086
red hat
December 13, 2021
Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.
Security Fix(es):
* kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in
logs when logLevel >= 9 (CVE-2020-8565)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* nodejs-tar: insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37701)
* nodejs-tar: insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37712)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
page(s) listed in the References section.
These updated images include numerous enhancements and bug fixes. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat OpenShift Data Foundation Release Notes for
information on the most significant of these changes:
https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index
All Red Hat OpenShift Data Foundation users are advised to upgrade to
these updated images, which provide numerous bug fixes and enhancements.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2020-8565 https://access.redhat.com/security/cve/CVE-2021-32803 https://access.redhat.com/security/cve/CVE-2021-32804 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2021-37701 https://access.redhat.com/security/cve/CVE-2021-37712 https://access.redhat.com/security/updates/classification#moderate
Package List
PREVIOUS
NEXT
Advisory ID: RHSA-2021:5086-01
Product: Red Hat OpenShift Data Foundation
Advisory URL: https://access.redhat.com/errata/RHSA-2021:5086
Issue date: 2021-12-13
Topic
Updated images that include numerous enhancements, security, and bug fixes
are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat
Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Bugs Fixed
1810525 - [GSS][RFE] [Tracker for Ceph # BZ # 1910272] Deletion of data is not allowed after the Ceph cluster reaches osd-full-ratio threshold.
1853638 - [RFE] - Can Force deletion of noobaa-db be automatically handled in case on hosting node shutdown (similar to OSD & MONS)
1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
1890438 - collect rados objects created by cephcsi to store internal mapping
1890978 - [External] Improve error logging in ocs-operator
1892709 - NooBaa storage class should be deleted when uninstalling
1901954 - Allow restoring snapshot to a different pool than parent volume
1910790 - [AWS 1AZ] [OCP 4.7 / OCS 4.6] ocs-operator stuck in Installing phase, and noobaa-db-0 pod in a Pending state
1927782 - With graceful mode, storagecluster/cephcluster deletion should be blocked if OBC based on RGW SC still exists
1929242 - [GSS] [RFE] QoS and limits in Object Bucket Claims in OpenShift for RGW
1932396 - [TRACKER for BZ #1943619] - RGW does not handle "Expect: 100-continue" answers from http requests not needing it
1934625 - [must-gather]improve logging and mention all instances in MG terminal log
1956285 - [must-gather] log collection for some ceph cmd failed with timeout: fork system call failed: Resource temporarily unavailable
1959793 - [RBD][Thick] PVC restored from a snapshot or cloned from a thick provisioned PVC, is not thick provisioned
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!