Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Red Hat OpenShift 4.13: RHSA-2023-1325 important: Container Security Update

red hat
Calendar Grey May 18, 2023
Dist Redhat Esm H88
Uncover vital information regarding the security of the OpenShift Container Platform 4.13.0, highlighting key vulnerabilities and their corresponding resolutions.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements

Solution

For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes/ocp-4-13-release-notes

Summary

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:1326
Security Fix(es):
* python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
* golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
* haproxy: segfault DoS (CVE-2023-0056)
* openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions (CVE-2023-0229)
* podman: symlink exchange attack in podman export volume (CVE-2023-0778)
* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
* buildah: possible information disclosure and modification (CVE-2022-2990)
* OpenShift: Missing HTTP Strict Transport Security (CVE-2022-3259)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/updating_clusters/updating-cluster-cli

Topics%20covered

Topics Covered

security advisory Red Hat important resource consumption service issues OpenShift container platform

References

https://access.redhat.com/security/cve/CVE-2022-2990 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2023-0056 https://access.redhat.com/security/cve/CVE-2023-0229 https://access.redhat.com/security/cve/CVE-2023-0778 https://access.redhat.com/security/cve/CVE-2023-25577 https://access.redhat.com/security/cve/CVE-2023-25725 https://access.redhat.com/security/updates/classification/#important https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes/ocp-4-13-release-notes

Package List

Red Hat OpenShift Container Platform 4.13:
Source: ansible-runner-1.4.6-2.el8ar.src.rpm ansible-runner-http-1.0.0-2.el8ar.src.rpm atomic-openshift-service-idler-4.13.0-202303172327.p0.ga0f9090.assembly.stream.el8.src.rpm conmon-2.1.7-1.rhaos4.13.el8.src.rpm container-selinux-2.208.0-2.rhaos4.13.el8.src.rpm containernetworking-plugins-1.0.1-6.rhaos4.13.el8.src.rpm criu-3.15-4.rhaos4.11.el8.src.rpm fuse-overlayfs-1.10-2.rhaos4.13.el8.src.rpm grpc-1.18.0-4.el8ost.src.rpm haproxy-2.2.24-3.rhaos4.13.el8.src.rpm libslirp-4.4.0-2.rhaos4.11.el8.src.rpm nmstate-2.2.9-6.rhaos4.13.el8.src.rpm openshift-4.13.0-202304211155.p0.gb404935.assembly.stream.el8.src.rpm openshift-ansible-4.13.0-202304171417.p0.gb4280f6.assembly.stream.el8.src.rpm openshift-clients-4.13.0-202303241616.p0.g92b1a3d.assembly.stream.el8.src.rpm openshift-kuryr-4.13.0-202304192042.p0.g4fe6bbc.assembly.stream.el8.src.rpm openshift4-aws-iso-4.13.0-202304052215.p0.gd2acdd5.assembly.stream.el8.src.rpm podman-4.4.1-3.rhaos4.13.el8.src.rpm python-alembic-1.4.2-5.el8ost.src.rpm python-amqp-2.5.2-7.el8ost.1.src.rpm python-cmd2-1.4.0-1.1.el8.src.rpm python-construct-2.10.56-1.el8ost.src.rpm python-dogpile-cache-1.1.2-1.el8ost.1.src.rpm python-eventlet-0.30.2-1.el8.src.rpm python-flask-1.1.1-1.el8ost.src.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:1325-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1325
Issue date: 2023-05-17

Topic

Red Hat OpenShift Container Platform release 4.13.0 is now available withupdates to packages and images that fix several bugs and add enhancements.This release includes a security update for Red Hat OpenShift ContainerPlatform 4.13.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat important resource consumption service issues OpenShift container platform

Relevant Releases Architectures

Ironic content for Red Hat OpenShift Container Platform 4.13 - aarch64, noarch, ppc64le, s390x, x86_64

Red Hat OpenShift Container Platform 4.13 - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

2103220 - CVE-2022-3259 OpenShift: Missing HTTP Strict Transport Security

2121453 - CVE-2022-2990 buildah: possible information disclosure and modification

2160349 - CVE-2023-0229 openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions

2160808 - CVE-2023-0056 haproxy: segfault DoS

2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

2168256 - CVE-2023-0778 podman: symlink exchange attack in podman export volume

2169089 - CVE-2023-25725 haproxy: request smuggling attack in HTTP/1 header parsing

2170242 - CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption

2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here