-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update
Advisory ID:       RHSA-2021:5086-01
Product:           Red Hat OpenShift Data Foundation
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:5086
Issue date:        2021-12-13
CVE Names:         CVE-2020-8565 CVE-2021-32803 CVE-2021-32804 
                   CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 
                   CVE-2021-34558 CVE-2021-37701 CVE-2021-37712 
====================================================================
1. Summary:

Updated images that include numerous enhancements, security, and bug fixes
are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

* kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in
logs when logLevel >= 9 (CVE-2020-8565)

* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)

* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

* nodejs-tar: insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37701)

* nodejs-tar: insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37712)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
page(s) listed in the References section.

These updated images include numerous enhancements and bug fixes. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat OpenShift Data Foundation Release Notes for
information on the most significant of these changes:

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to
these updated images, which provide numerous bug fixes and enhancements.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1810525 - [GSS][RFE] [Tracker for Ceph # BZ # 1910272] Deletion of data is not allowed after the Ceph cluster reaches osd-full-ratio threshold.
1853638 - [RFE] - Can Force deletion of noobaa-db be automatically handled in case on hosting node shutdown (similar to OSD & MONS)
1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
1890438 - collect rados objects created by cephcsi to store internal mapping
1890978 - [External] Improve error logging in ocs-operator
1892709 - NooBaa storage class should be deleted when uninstalling
1901954 - Allow restoring snapshot to a different pool than parent volume
1910790 - [AWS 1AZ] [OCP 4.7 / OCS 4.6] ocs-operator stuck in Installing phase, and noobaa-db-0 pod in a Pending state
1927782 - With graceful mode, storagecluster/cephcluster deletion should be blocked if OBC based on RGW SC still exists
1929242 - [GSS] [RFE]  QoS and limits in Object Bucket Claims in OpenShift for RGW
1932396 - [TRACKER for BZ #1943619] - RGW does not handle "Expect: 100-continue" answers from http requests not needing it
1934625 - [must-gather]improve logging and mention all instances in MG terminal log
1956285 - [must-gather] log collection for some ceph cmd failed with timeout: fork system call failed: Resource temporarily unavailable
1959793 - [RBD][Thick] PVC restored from a snapshot or cloned from a thick provisioned PVC, is not thick provisioned
1964083 - [RFE] ocs-must-gather should collect logs for RegionalDR
1965322 - Error code 500 is used when page not found
1968510 - OCS uninstall should check for Volumesnapshots before proceeding with graceful Uninstall
1968606 - OCS CSV Status moves to Failed and Installs again when a StorageCluster is created
1969216 - Rook may recreate a file system with existing pools
1973256 - [Tracker for BZ #1975608] [Mon Recovery testing(bz1965768)] After replacing degraded cephfs with new cephfs, the cephfs app-pod created before mon corruption is not accessible
1975272 - [RFE] [KMS] Add support for auto-detection of the Vault KV version
1975581 - OCS is still using deprecated api v1beta1
1979244 - [KMS] Keys are still listed in vault after deleting encrypted PVCs while using kv-v2 secret engine
1979502 - Multi-Cloud Object Gateway with v4.7 RC5 performs slow compared to v4.6 with mongodb - read flows
1980818 - RBD Snapshot of encrypted PVC may fail with error "BUG: "xyz" and "xyz" have the same VolID (xyz)  set!? Call stack: goroutine 118 [running]:
1981331 - New namespace OBCs stuck in Pending, even though underlying bucketclass is Ready
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1983756 - [Multus] Deletion of CephBlockPool get stuck and blocks creation of new pools
1984284 - [GSS] [4.9 clone] Standalone Object Gateway is failing to connect
1984334 - [RFE] [4.9 clone] VAULT_BACKEND parameter should be added to the csi-kms-connection-details
1984396 - Failing the only OSD of a node on a 3 node cluster doesn't create blocking PDBs
1984735 - [External Mode] Monitoring spec is getting reset in CephCluster resource
1985074 - must-gather is skipping the ceph collection when there are two must-gather-helper pods
1986444 - Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted
1986794 - [Tracker for Ceph BZ #2000434] [RBD][Thick] PVC is not reaching Bound state
1987806 - [External] External Cluster resources are not updated even after updating the JSON input secret
1988518 - ocs-metrics-exporter runAsNonRoot error
1989482 - odf-operator.v4.9.0-43.ci fails to install
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990230 - ocs-operator.v4.9.0-50.ci csv not found
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1991822 - ocs-operator.v4.9.0-53.ci: install strategy failed with  "noobaa-operator" is invalid
1992472 - How to add toleration to OCS pods for any non OCS taints?
1994261 - odf-operator.v4.9.0-91.ci fails to install with odf-console
1994577 - openshift-storage namespace is not created automatically when installing odf-operator
1994584 - ocs-operator is not hidden when installed as a dependency of odf-operator 4.9
1994602 - Icon for odf-operator is missing during and post installation
1994606 - Details missing on the card while installing ODF Operator via UI
1994687 - [vSphere]: csv ocs-registry:4.9.0-91.ci is in Installing phase
1995009 - Warning to create storage system is missing in odf operator Details page
1995056 - OCS_CSV_NAME is not correct in odf-operator-manager-config configmap
1995271 - [GSS] noobaa-db-pg-0 Pod get in stuck CrashLoopBackOff state when enabling hugepages
1995718 - [External Mode] Script "ceph-external-cluster-details-exporter.py" incompatible with python 2.x
1997237 - [UI] 404: Page Not Found error when creating storage system
1997624 - [KMS] PV encryption fails when using vault namespace functionality in ODF 4.9
1997738 - RBD pvc creation fails on VMware
1997922 - ODF-Operator installed failed because odf-console pod is in ImagePullBackOff
1998851 - Disabling Ceph File System also disable Ceph RBD VolumeSnapshotStorageClass
1999050 - [UI] Storage system link on OpenShift Data Foundation Page is not redirecting to the details page of the particular storage system
1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
1999748 - Update OCP CSI sidecar to 4.9
1999763 - odf-operator.v4.9.0-119.ci failed with version in range: 4.9.0-119.ci for noobaa-operator
1999767 - [Tracker for Ceph BZ #2002557] Raw capacity is not shown in block pool page
2000082 - 2 of the odf quick starts guides 'getting started' and 'configuration & management' doesn't disappear from UI on odf-operator uninstallation
2000098 - ODF operator 4.9.0-120.ci fails to install on s390x due to incompatible ibm-storage-odf-plugin Docker image
2000143 - OCS 4.8 to ODF 4.9 upgrade failed on OCP 4.9 AWS cluster
2000190 - Current must-gather doesn't collect some of the odf-operator and storagesystem related logs for odf 4.9
2000579 - [UI] ODF tab under Storage found missing and appears and then disappears again with 404: Page not found error message on URL reload
2000588 - Bucket creation is failing from nooba management console
2000860 - Hide thick provisioning from the UI
2000865 - Revert the creation of thick provisioned storage class in 4.9
2001482 - StorageCluster stuck in Progressing state for MCG only deployment
2001539 - [UI] ODF Overview showing two different status for the same storage system
2001580 - [UI] Title "OpenShift Data Foundation" should be used instead of "OpenShift Data Foundation Overview"
2001970 - Openshift Data Foundation navitem missing under "Storage" navsection.
2002225 - [Tracker for Ceph BZ #2002398] [4.9.0-129.ci]: ceph health in WARN state due to mon.a crashed
2003444 - [IBM] odf metrics data is not shown in odf-console
2003904 - odf-operator.v4.9.0-136.ci fails to install with odf-console in ImagePullBackOff
2004003 - [External Mode] rook TLS certificate was not created
2004013 - [DR] After performing failover mirroringStatus reports image_health: ERROR
2004030 - Storagecluster should have a reference under storageSystem
2004824 - remove ibm-console from the odf-operator
2005103 - Bucket replication does not work (objects are not replicated)
2005290 - namespace: openshift-storage label missing for few OCS alerts
2005812 - [Recovery DOC Tracker 1978769] recover documents when ceph cluster filled up because of CephFS snapshots and clones
2005838 - [Tracker for Ceph BZ #1981186] [DR] Rbdmirror pod keeps showing unable to find a keyring
2005843 - [DR] odfmo-controller-manager pod label should be set based on Deployment name
2005937 - Not able to add toleration for MDS pods via StorageCluster yaml
2006176 - [DR] token-exchange-agent pod logs flooded with failed to sync and Failed to watch messages
2006865 - Ceph alerts that are auto-resolved should not be fired
2007130 - [External Mode] Exporter script fails if multiple monitoring endpoints are provided
2007202 - VolumeReplication condition "Degraded" never moves to "False" when recovering from a split brain
2007212 - VolumeReplication condition "Degraded" never moves to "False" when recovering from a split brain
2007377 - CephObjectStore does not update the RGW configuration period if 'period --commit' fails in the first reconcile
2007717 - ODF 4.9 is failing to deploy
2010041 - Backport to 4.9: Inject default label to noobaa_system_reconciler
2010185 - MirrorPeer status always in ExchangedSecret Phase
2010188 - [DR] odfmo-controller-manager pod label should be set based on Deployment name
2010194 - [DR] token-exchange-agent pod logs flooded with failed to sync and Failed to watch messages
2010202 - Backport to 4.9: Adding the ability to change/add labels in service monitor
2011225 - NooBaa Operator repo generates invalid CSV

5. References:

https://access.redhat.com/security/cve/CVE-2020-8565
https://access.redhat.com/security/cve/CVE-2021-32803
https://access.redhat.com/security/cve/CVE-2021-32804
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-37701
https://access.redhat.com/security/cve/CVE-2021-37712
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYbei+dzjgjWX9erEAQj9ow//QhaukAiKpIm579W/smWGhYvMRojDp0gq
vx74LCpSz03rPPyZxeoaDxGNDJohtpKaqGXvBn+2yyrul/F6zrsN4YIuaILre4EI
Hk8BKm+0LsG6INfLvTGNIhjW36fXb+vgR+Iv7tDQ85swAoC6e9JWFingqeSZTi6h
jE6HlcVDox57X0cntB3o6D1nqJlASTMwi09tg6R0yknRunuXpUwVHdQBqx4xDpr7
74OyifVqJKpJ46xVg01LZPBuUdKhFIzU6q60JNFMOTN6m9oaDfVg35eaRti3QomV
0BJkosldZkl3DdNy1FlPDj3xETn23DGEd4O00uvtW4Wh0Nr0z1Xi28h8Rz4TrtEG
r+90LQG36HmJd/13eEIJh3Q5YYLOivr+y/HwZ0lzx8jYHGMjx8gEkb/TxSOMEqs0
rRnLB+o4qogObIyog+TntW3A6HqYQ2KPqLIOoyc/ybEqaPazSlyV9hlSBZYMGOKh
AL7dF+siGIAUjlFBwmFGBquJYkKHncMkrE7R71Nj5qQtFoIKUUO9RQwHUHgrSRRg
anFkMTnu3Y7SxdzuHPxxG8kear2T9u5zk0nTQvL5mKDCbGCsukJgx0+t0WSWCkZz
BjRx0Ey2Uvsul9HYcYABz9w2pWip4SXOws3k/eF23Tg2GAHALIm5GcFuL6ByvUHx
+7kNvf3sAbA=CApk
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce