Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multi-cloud data management service with an
S3-compatible API.
Security Fix(es):
* jsonwebtoken: Unrestricted key type could lead to legacy keys usage
(CVE-2022-23539)
* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* Previously, odf-csi-addons-operator had a low memory resource limit and as
a result the odf-csi-addons-operator pod was OOMKilled (out of memory).
With this fix, the default memory and CPU resource limits have been
increased and odf-csi-addons-operator OOMKills are no longer observed.
(BZ#2177184)
* Previously, non-optimized database-related flows on deletions caused
Multicloud Object Gateway to spike in CPU usage and perform slowly in mass
delete scenarios, for example when reclaiming a deleted object bucket claim
(OBC). With this fix, indexes for the bucket reclaimer process are
optimized, a new index is added to the database to speed up the database
cleaner flows, and the bucket reclaimer now works on batches of objects.
(BZ#2186482)
* Previously, the list of regions for creating the default Multicloud
Object Gateway backing store on AWS did not include the regions that were
recently added to AWS. With this fix, the new regions are included in the
list, and it is possible to deploy the default backing store in the new
regions. (BZ#2187637)
* Previously, creating a storage system in OpenShift Data Foundation using
an external Ceph cluster would fail if the RADOS block device (RBD) pool
name contained an underscore (_) or a period (.). With this fix, the Python
script (`ceph-external-cluster-details-exporter.py`) is enhanced to handle
underscores (_) and periods (.) so that an alias for the RBD pool names can
be passed in. This alias allows OpenShift Data Foundation to adopt an
external Ceph cluster with RBD pool names containing an underscore (_) or a
period (.). (BZ#2188379)
All users of Red Hat OpenShift Data Foundation are advised to upgrade to
these updated images, which provide these bug fixes.
References:
https://access.redhat.com/security/cve/CVE-2022-23539
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-40023
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-28617
https://access.redhat.com/security/updates/classification/#moderate
Updated images that fix several bugs are now available for Red Hat OpenShift
Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container
Registry.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2155978 - CVE-2022-23539 jsonwebtoken: Unrestricted key type could lead to legacy keys usage
2167304 - [4.12 clone] [rook clone] Security and VA issues with ODF operator
2174336 - [Backport to 4.12.z] Placeholder bug to backport the odf changes of Managed services epic RHSTOR-3194 to 4.12.z
2177184 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12
2179235 - [Fusion-aaS][4.12.z clone] Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable.
2180685 - [4.12 clone] Security and VA issues with ODF operator
2180724 - [4.12 clone] [mcg-clone] Security and VA issues with ODF operator
2183687 - [Fusion-aaS][Backport to 4.12.3] failed to mount the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call
2185190 - [4.12.z]Fix storagecluster watch request for OCSInitialization
2185725 - [Fusion-aaS][Backport to 4.12.3]OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator
2186443 - [Backport bug for 4.12.3][Fusion-aaS]Remove storageclassclaim cr and create new cr storageclass request cr
2186482 - [GSS] [4.12 backport] Object storage in degraded state