-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]
Advisory ID:       RHSA-2022:0577-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0577
Issue date:        2022-03-28
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-3121 
                   CVE-2021-3521 CVE-2021-3712 CVE-2021-29923 
                   CVE-2021-31525 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36221 
                   CVE-2021-42574 CVE-2022-24407 
====================================================================
1. Summary:

The components for Windows Container Support for Red Hat OpenShift 5.0.0
are now available. This product release includes bug fixes and a moderate
security update for the following packages: windows-machine-config-operator
and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Windows Container Support for Red Hat OpenShift allows you to deploy
Windows container workloads running on Windows Server containers.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
- -u- extension (CVE-2020-28851)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For Windows Machine Config Operator upgrades, see the following
documentation:
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990573 - Username annotation error when byoh Windows have uppercase hostname
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart
1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP “172.30.0.10”, which is wrong, if the default kubernetes subnet is not used
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell
2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal
2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2005360 - BYOH Windows instance configured twice with DNS name
2008601 - WMCO ignores delete events for machines with invalid IP addresses
2015772 - Replacing private key reconcile 2 Windows nodes in parallel
2032048 - CSR approval failures caused by update conflicts

5. JIRA issues fixed (https://issues.jboss.org/):

WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release

6. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYkHUidzjgjWX9erEAQgguhAApk3+HqFLF4+2BufU+cXbfR3ikPOum2aR
dtT/kEd17ELemORjgGNt3mfEaFl0yc+kmq59r4BQRc4kSVa0rtD5gY8loW81R/V9
QVJOO4uu160Ho92n/7M33IKNM3MJuB6Puezm6GiTiRBCE6YcggWn3f8DqSQiqcH6
GAjDfomv+WfMhDBvoZKqY+rDiFleZqOcTZT5StcZNntXEpDkJE95jttCOIB1GjjR
DbBqk2Yya78gfMMarAIjGupYoMq6Byk4ebGVjnNvQVFvmPFdalTnCjBBkuN/FHFv
QXBOQfMDZW7eYPD7Hztz7o6FgRQNctie2i2n/UtU4qhEgei97e/CFN77mdBD7zaN
9pqsz63ZNx7rhKIvrVBXktyZuV3PETPxDakH13JFFbW2pKrDr0d6lHYq9H9mHmbr
RUPObMpM3yOXI0nm0MPfAHp/PYI0GyPi6mKVJLLKiXQw7nM3t9J4RPn51ZIDdq8H
s4bFvA0cev5dZholKPPdjEkH9XfPBecXFlKFT2a+91w7d0LAAKUCk1yEsDuwlYEN
gu+uO6s7xN2qMg6S0KWf3dkBgrJjiBgWg9lUhin/CFnRmmCxjWnDzgUOiMbJfD4c
oAKvrdZ8oqe9Fl63oIFggre+fJIVl817DaHHmc6QptcrUBogdXQgsneK/86xjsZi
OzqkIK5j4RU=uE/t
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0577:01 Moderate: Windows Container Support for Red Hat

The components for Windows Container Support for Red Hat OpenShift 5.0.0 are now available

Summary

Windows Container Support for Red Hat OpenShift allows you to deploy Windows container workloads running on Windows Server containers.
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For Windows Machine Config Operator upgrades, see the following documentation: https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

References

https://access.redhat.com/security/cve/CVE-2020-28851 https://access.redhat.com/security/cve/CVE-2020-28852 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-29923 https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2021-36221 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2022:0577-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0577
Issued Date: : 2022-03-28
CVE Names: CVE-2020-28851 CVE-2020-28852 CVE-2021-3121 CVE-2021-3521 CVE-2021-3712 CVE-2021-29923 CVE-2021-31525 CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 CVE-2021-36221 CVE-2021-42574 CVE-2022-24407

Topic

The components for Windows Container Support for Red Hat OpenShift 5.0.0are now available. This product release includes bug fixes and a moderatesecurity update for the following packages: windows-machine-config-operatorand windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation

1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic

1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names

1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

1990573 - Username annotation error when byoh Windows have uppercase hostname

1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet

1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart

1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP “172.30.0.10”, which is wrong, if the default kubernetes subnet is not used

1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic

2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell

2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal

2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver

2005360 - BYOH Windows instance configured twice with DNS name

2008601 - WMCO ignores delete events for machines with invalid IP addresses

2015772 - Replacing private key reconcile 2 Windows nodes in parallel

2032048 - CSR approval failures caused by update conflicts

5. JIRA issues fixed (https://issues.jboss.org/):

WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved