-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.5 security update
Advisory ID:       RHSA-2023:4091-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4091
Issue date:        2023-07-20
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-41717 
                   CVE-2022-41723 CVE-2022-46663 CVE-2023-0215 
                   CVE-2023-0361 CVE-2023-0464 CVE-2023-0465 
                   CVE-2023-0466 CVE-2023-1255 CVE-2023-1260 
                   CVE-2023-2253 CVE-2023-2650 CVE-2023-2700 
                   CVE-2023-3089 CVE-2023-24329 CVE-2023-24534 
                   CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 
                   CVE-2023-24539 CVE-2023-27561 CVE-2023-29400 
                   CVE-2023-32067 
====================================================================
1. Summary:

Red Hat OpenShift Container Platform release 4.13.5 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.13.5 See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2023:4093

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2
requests (CVE-2022-41717)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* distribution/distribution: DoS from malicious API request (CVE-2023-2253)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)
The image digest is
sha256:af19e94813478382e36ae1fa2ae7bbbff1f903dded6180f4eb0624afe6fc6cd4

(For s390x architecture)
The image digest is
sha256:d4d2c747fade057e55f64e02a34bb752bd2cd1484b02f029d0842d346f872870

(For ppc64le architecture)
The image digest is
sha256:48466f0b7c86292379c5d987ec37f0d4a4cc26a69357374e127a7293b230c943

(For aarch64 architecture)
The image digest is
sha256:e9afcbe007e2440d2b862dc7709138df73dd851421d69c7f39f195301e0cda53

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10326 - Re-enable operator-install-single-namespace.spec.ts test
OCPBUGS-11143 - [Azure] Replace master failed as new master did not add into lb backend 
OCPBUGS-11974 - User telemetry is broken (inaccurate) due to the fact that page titles are not unique.
OCPBUGS-12206 - [4.13] Keep systemd journal using LZ4 compression (via new env var)
OCPBUGS-12256 - ptp operator socket management need rework since a few test case fails due to cleaning up the file before other processes are terminated.
OCPBUGS-12743 - [4.13] SNO cluster deployment failing due to authentication and console CO in degraded state
OCPBUGS-12785 - [release-4.13] Enable/Disable plugin options are not shown on Operator details page
OCPBUGS-13311 - Kubelet CA file not written by MCD firstboot
OCPBUGS-13323 - [4.13] Bootimage bump tracker
OCPBUGS-13642 - [release-4.13] OLM k8sResourcePrefix x-descriptor dropdown unexpectedly clears selections
OCPBUGS-13747 - [4.13] cgroupv1 support for cpu balancing is broken for non-SNO nodes
OCPBUGS-13752 - AdditionalTrustBundle is only included when doing mirroring
OCPBUGS-13809 - OVN image pre-puller pod uses `imagePullPolicy: Always` and blocks upgrade when there is no registry
OCPBUGS-13812 - [azure] Installer doesn't validate diskType on ASH which lead to install fails with unsupported disktype
OCPBUGS-14030 - Invalid CA certificate bundle provided by service account token
OCPBUGS-14166 - Make Serverless form is broken
OCPBUGS-14189 - Route Checkbox getting checked even if it is unchecked during editing the Serverless Function form
OCPBUGS-14251 - Add new console metrics to cluster-monitoring-operator telemetry configuration (4.13)
OCPBUGS-14267 - [Openshift Pipelines] Metrics page is broken
OCPBUGS-14310 - Could not import multiple resources via JSON (while YAML supports this)
OCPBUGS-14318 - [release-4.13] gather podDisruptionBudget only from openshift namespaces
OCPBUGS-14336 - [Openshift Pipelines] Link to Openshift Route from service is breaking because of hardcoded value of targetPort
OCPBUGS-14426 - Failed to list Kepler CSV
OCPBUGS-14459 - The MCD repeats a "State and Reason" log line even when nothing is happening
OCPBUGS-14482 - Sync RHEL9 Dockerfiles to regular Dockerfiles
OCPBUGS-14598 - Update Jenkins to use 4.13 images
OCPBUGS-14773 - (release-4.13) gather "gateway-mode-config" config map from "openshift-network-operator" namespace
OCPBUGS-14867 - When installing SNO with bootstrap in place it takes cluster-policy-controller 6 minutes to acquire the leader lease
OCPBUGS-14916 - images: RHEL-8-based container image is broken
OCPBUGS-14943 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup')
OCPBUGS-15031 - (release-4.13) Insights config not correctly deserialized
OCPBUGS-15101 - IngressVIP getting attach to two nodes at once
OCPBUGS-15130 - Helm Repository "Edit" button results in 404
OCPBUGS-15139 - The whereabouts-reconciler should not set an hard-coded node selector on the kubernetes.io/architecture label
OCPBUGS-15161 - CPMS: Surface cpms vs machine diff
OCPBUGS-15171 - CPO doesn't skip AWS resource deletion for 'Unknown' OIDC state
OCPBUGS-15187 - images: RHEL-8 container image is missing `xz`
OCPBUGS-15224 - [4.13] openvswitch user is not in the hugetblfs group
OCPBUGS-15225 - while/after upgrading to OKD 4.11 2023-01-14 CoreDNS has a problem with UDP overflows
OCPBUGS-15228 - Create helm release page doesn't show a YAML editor when schema isn't available (httpd-imagestreams chart)
OCPBUGS-15230 - Allow installer to use existing Azure NSG during OpenShift IPI install
OCPBUGS-15246 - Bump to kubernetes 1.26.6
OCPBUGS-15281 - Leftover IngressController Preventing Clean Uninstall
OCPBUGS-15289 - GCP XPN Installs Require bindPrivateDNSZone Permission in host project
OCPBUGS-15330 - CPMSO: fix linting issue comment in test
OCPBUGS-15335 - PipelineRun failed with log 'Tasks Completed: 3 (Failed: 1, Cancelled 0), Skipped: 1.'
OCPBUGS-15360 - Serverless functions UI warning is misleading
OCPBUGS-15372 - [4.13z] Duplicate acls cause network policy failure for namespaces with long names (>61 chars)
OCPBUGS-15376 - [4.13] Cleanup Tech debt: remove unused repo code
OCPBUGS-15410 - [release-4.13] Add Git Repository (PAC) doesn't setup GitLab and Bitbucket configuration correct
OCPBUGS-15434 - [GWAPI] [4.13.z] The DNS provider failed to ensure the record, invalid value for name (gcp)
OCPBUGS-15457 - python-grpcio and python-protobuf are unneeded dependencies
OCPBUGS-15463 - [release-4.13] Unable to set protectKernelDefaults from "true" to "false" in kubelet.conf [release-4.13]
OCPBUGS-15465 - [CI Watcher] Testing uninstall of Business Automation Operator "attempts to uninstall the Operator and delete all Operand Instances, shows 'Error Deleting Operands' alert"
OCPBUGS-15476 - Network Operator not setting its version and blocking upgrade completion
OCPBUGS-15481 - [CI Watcher] Broken pipeline-plugin e2e tests: PipelineResource CRD isn't installed anymore
OCPBUGS-15512 - HCP Service Loadbalancer uses default SecurityGroup
OCPBUGS-15515 - CI fails on TestAWSELBConnectionIdleTimeout
OCPBUGS-15557 - TUI stuck on agent installer network boot setup
OCPBUGS-15580 - updated nmstate builds will not work for MCO
OCPBUGS-15585 - [4.13] Cannot fix a misconfigured Egress Firewall
OCPBUGS-15586 - [4.13] NetworkPolicy not working as expected when allowing inbound traffic from any namespace
OCPBUGS-15589 - Dynamic conversion webhook clientConfig not retained as operator installs
OCPBUGS-15591 - GCP bootstrap VM should allow SecureBoot setting on 4.13 clustersOCPBUGS-15606 - Can't use git lfs in BuildConfig git source with strategy Docker
OCPBUGS-15608 - [release-4.13] Clean up old RHEL9 dockerfiles to reduce confusion
OCPBUGS-15720 - Helm Chart installation form hangs on create if JSON-schema is using 2019-09 or 2020-20 standard revisions
OCPBUGS-15721 - Helm Chart installation form hangs on create if JSON-schema contains unknown value format
OCPBUGS-15722 - Helm Chart installation screen fails to render if JSON schema contains remote $refs
OCPBUGS-15734 - [4.13] binary should be compiled on RHEL9
OCPBUGS-15736 - TuneD reverts node level profiles on termination
OCPBUGS-15738 - tuned daemonset rprivate default mount propagation with `hostPath: path: /`  volumeMount breaks CSI driver relying on multipath
OCPBUGS-15746 - Alibaba clusters are TechPreview and should not be upgradeable
OCPBUGS-15756 - [release-4.13] Bump Jenkins and Jenkins Agent Base image versions
OCPBUGS-15777 - ironic-agent-image PRs permafailing due to udevadm command missing
OCPBUGS-15782 - [OSD] There is no error message shown on node label edit modal
OCPBUGS-15787 - Project admins cannot see 'Pipelines' section in 'import from git' from RHOCP4 web console
OCPBUGS-15808 - [4.13.x] Downstream OLM PSA plug-in is disabled
OCPBUGS-15848 - The upgrade Helm Release tab in OpenShift GUI Developer console is not refreshing with updated values.
OCPBUGS-15892 - 9% of OKD tests failing on error: tag latest failed: Internal error occurred: registry.centos.org/dotnet/dotnet-31-centos7:latest: Get "": dial tcp: lookup registry.centos.org on 172.30.0.10:53: no such host
OCPBUGS-15962 - ovn-k8s-cni-overlay: /lib64/libc.so.6: version `GLIBC_2.34' not found on 4.12-to-4.13
OCPBUGS-15965 - Active Endpoint Connection blocks cluster uninstallation
OCPBUGS-16084 - [4.13] OCP 4.14.0-ec.3 machine-api-controller pod crashing 
OCPBUGS-7762 - openshift-tests does not file Azure Disk zone topology

6. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-46663
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0464
https://access.redhat.com/security/cve/CVE-2023-0465
https://access.redhat.com/security/cve/CVE-2023-0466
https://access.redhat.com/security/cve/CVE-2023-1255
https://access.redhat.com/security/cve/CVE-2023-1260
https://access.redhat.com/security/cve/CVE-2023-2253
https://access.redhat.com/security/cve/CVE-2023-2650
https://access.redhat.com/security/cve/CVE-2023-2700
https://access.redhat.com/security/cve/CVE-2023-3089
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-27561
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-32067
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJkuYVOAAoJENzjgjWX9erExUgP/2/25PbUv77tHgYG+Oj5rmcT
oTnu0LnBLOsDXYGOomnrE/UZFvWtQr8lGWpvkHpZjJjg7IZo4vN4mUhK+z7dM+3M
zuyV++GHDF/zr1XxYf6xWWWNtdCTwWsUKcb6FB4J+WCiUJ8PSYFY3lbPcvAbTamP
Hj1JHc3/NxYswwfwBcmK+E4DX4y0XImRdu5+vIXZdp5dpTBehchnSa+Mgjt7vdwi
rHi7CdAsHDrPQhThlIRmc17cwsqiZS760xxpx9UNHvix5UQA9ns+OcUx/dLaGR9E
dp41kCebze5st+wpBMCPoOZEvHJIMjC6ODFVb4mzRbhbAbWJS6GZl2V783v5RGrr
FemE7DDKKt6QEjZhT61GXVS9EdWdFrNii5kmgEiUc/F6Md0fHrPcdt5yxK0dhPZb
3R/64vcMsHllsEStpg8s1aieAZbpmheylEKK+zf82Vz3nlBNX5kxi2IxCrl4nG6X
KublzGkkKiNXS9rZqzPDRgtGAn5Qi01U9kUzVgdKGfMsyRnvAVDeZf/FUdOhCm7M
h2Yt9M2cgPImRWatKkECpsAwcHbgGtsFL96/5z6CSOoXbqkB2xV6LVixsoa4ys76
cHsXRPJFDU97Y1I9h1kJbro/N8UdPZSicVdsWrLYadujBrhaPq5MoW+B1FpayaDh
+AfFGtVd9LRp5sYROCuT
=2EuA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce