Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Red Hat OpenShift 4.12 Security Advisory: Moderate Issues and Fixes

red hat
Calendar Grey January 17, 2023
Dist Redhat Esm H88
Investigate the recent bug patch and security enhancement for Red Hat OpenShift Container Platform 4.12.0 to improve your system's performance.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements

Solution

See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, aarch64 architectures.

The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture) The image digest is sha256:4c5a7e26d707780be6466ddc9591865beb2e3baa5556432d23e8d57966a2dd18

(For s390x architecture) The image digest is sha256:ab70750be4fadf5a525141ae32a8577c91dd19f1d6e582a6824339c938216ec0

(For ppc64le architecture) The image digest is sha256:5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb

(For aarch64 architecture) The image digest is sha256:cb34667519d1cfd8eedf0fb27e14b7b7e6209323b86977bfaadf91da012d179d

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/updating_clusters/updating-cluster-cli

Summary

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2022:7398
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes
Security Fix(es):
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561) * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705) * golang: archive/tar: unbounded memory consumption when reading headers(CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148) * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190) * vault: insufficient certificate revocation list checking (CVE-2022-41316) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher (CVE-2023-0296)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory security update bug fix moderate severity OpenShift

References

https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2021-22570 https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-2995 https://access.redhat.com/security/cve/CVE-2022-3162 https://access.redhat.com/security/cve/CVE-2022-3172 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-3466 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-24302 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-41316 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 Read the Full Advisory

Package List


Advisory ID: RHSA-2022:7399-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7399
Issue date: 2023-01-17

Topic

Red Hat OpenShift Container Platform release 4.12.0 is now available withupdates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift ContainerPlatform 4.12.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory security update bug fix moderate severity OpenShift

Relevant Releases Architectures

Bugs Fixed

1843043 - Config api resource has a terrible description

1876933 - No useful message after hitting volume attachment limit

1879980 - oc adm groups prune cannot find the groups present in ldap and finishes to delete all of them

1894268 - SDN to OVN migration problem due to overlap with "Join network"

1896533 - network operator degraded due to additionalNetwork in non-existent namespace

1904106 - Graphs in dev console shouldn't go below 0

1917662 - oc exec cmd run executed file in azure file volume return 139 or exec failed: container_linux.go:366: starting container process caused: interrupted system call

1924017 - [OCPonRHV] [Workers only] Special configuration for High Performance VMs is not implemented for worker nodes

1944065 - [VPA] recommender is logging errors for pods with init containers1944365 - openstack: missing validation for apiVIP and ingressVIP

1951835 - CVO should propagate ClusterOperator's Degraded to ClusterVersion's Failing during install

1951901 - incorrect Worker nodes number calculated when nodes have both master and worker role

1957709 - Creation of LoadBalancer service (Openstack Lbaas) take too much to be ready when creating IngressControllers with endpointPublishingStrategy=LoadBalancerService

1962502 - The route generated from ingress is still admitted after updating the spec.ingressClassName to mismatch

1977660 - the pod events show error codes when crio recreate the missing symlinks

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here