Red Hat Security Advisory 2021-2121-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.7.13 bug fix and security update
Advisory ID: RHSA-2021:2121-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2121
Issue date: 2021-06-01
CVE Names: CVE-2016-10228 CVE-2019-2708 CVE-2019-3842
CVE-2019-9169 CVE-2019-13012 CVE-2019-14866
CVE-2019-18811 CVE-2019-19523 CVE-2019-19528
CVE-2019-25013 CVE-2019-25032 CVE-2019-25034
CVE-2019-25035 CVE-2019-25036 CVE-2019-25037
CVE-2019-25038 CVE-2019-25039 CVE-2019-25040
CVE-2019-25041 CVE-2019-25042 CVE-2020-0431
CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
CVE-2020-8286 CVE-2020-8927 CVE-2020-9948
CVE-2020-9951 CVE-2020-9983 CVE-2020-10543
CVE-2020-10878 CVE-2020-11608 CVE-2020-12114
CVE-2020-12362 CVE-2020-12464 CVE-2020-13434
CVE-2020-13543 CVE-2020-13584 CVE-2020-13776
CVE-2020-14314 CVE-2020-14344 CVE-2020-14345
CVE-2020-14346 CVE-2020-14347 CVE-2020-14356
CVE-2020-14360 CVE-2020-14361 CVE-2020-14362
CVE-2020-14363 CVE-2020-15358 CVE-2020-15437
CVE-2020-15586 CVE-2020-16845 CVE-2020-24330
CVE-2020-24331 CVE-2020-24332 CVE-2020-24394
CVE-2020-24977 CVE-2020-25212 CVE-2020-25284
CVE-2020-25285 CVE-2020-25643 CVE-2020-25659
CVE-2020-25704 CVE-2020-25712 CVE-2020-26116
CVE-2020-26137 CVE-2020-27618 CVE-2020-27619
CVE-2020-27783 CVE-2020-27786 CVE-2020-27835
CVE-2020-28196 CVE-2020-28935 CVE-2020-28974
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-35508 CVE-2020-36242 CVE-2020-36322
CVE-2021-0342 CVE-2021-3121 CVE-2021-3177
CVE-2021-3326 CVE-2021-21642 CVE-2021-21643
CVE-2021-21644 CVE-2021-21645 CVE-2021-23336
CVE-2021-25215 CVE-2021-30465
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.7.13 is now available with
updates to packages and images that fix several bugs.
This release includes a security update for Red Hat OpenShift Container
Platform 4.7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.13. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHSA-2021:2122
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
This update fixes the following bug among others:
* Previously, resources for the ClusterOperator were being created early in
the update process, which led to update failures when the ClusterOperator
had no status condition while Operators were updating. This bug fix changes
the timing of when these resources are created. As a result, updates can
take place without errors. (BZ#1959238)
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64
The image digest is
sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x
The image digest is
sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le
The image digest is
sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36
All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
3. Solution:
For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled"
1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list
1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits
1959238 - CVO creating cloud-controller-manager too early causing upgrade failures
1960103 - SR-IOV obliviously reboot the node
1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated
1962302 - packageserver clusteroperator does not set reason or message for Available condition
1962312 - Deployment considered unhealthy despite being available and at latest generation
1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone
1963115 - Test verify /run filesystem contents failing
5. References:
https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-3842
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13012
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-18811
https://access.redhat.com/security/cve/CVE-2019-19523
https://access.redhat.com/security/cve/CVE-2019-19528
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2019-25032
https://access.redhat.com/security/cve/CVE-2019-25034
https://access.redhat.com/security/cve/CVE-2019-25035
https://access.redhat.com/security/cve/CVE-2019-25036
https://access.redhat.com/security/cve/CVE-2019-25037
https://access.redhat.com/security/cve/CVE-2019-25038
https://access.redhat.com/security/cve/CVE-2019-25039
https://access.redhat.com/security/cve/CVE-2019-25040
https://access.redhat.com/security/cve/CVE-2019-25041
https://access.redhat.com/security/cve/CVE-2019-25042
https://access.redhat.com/security/cve/CVE-2020-0431
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9948
https://access.redhat.com/security/cve/CVE-2020-9951
https://access.redhat.com/security/cve/CVE-2020-9983
https://access.redhat.com/security/cve/CVE-2020-10543
https://access.redhat.com/security/cve/CVE-2020-10878
https://access.redhat.com/security/cve/CVE-2020-11608
https://access.redhat.com/security/cve/CVE-2020-12114
https://access.redhat.com/security/cve/CVE-2020-12362
https://access.redhat.com/security/cve/CVE-2020-12464
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13543
https://access.redhat.com/security/cve/CVE-2020-13584
https://access.redhat.com/security/cve/CVE-2020-13776
https://access.redhat.com/security/cve/CVE-2020-14314
https://access.redhat.com/security/cve/CVE-2020-14344
https://access.redhat.com/security/cve/CVE-2020-14345
https://access.redhat.com/security/cve/CVE-2020-14346
https://access.redhat.com/security/cve/CVE-2020-14347
https://access.redhat.com/security/cve/CVE-2020-14356
https://access.redhat.com/security/cve/CVE-2020-14360
https://access.redhat.com/security/cve/CVE-2020-14361
https://access.redhat.com/security/cve/CVE-2020-14362
https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-15437
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24330
https://access.redhat.com/security/cve/CVE-2020-24331
https://access.redhat.com/security/cve/CVE-2020-24332
https://access.redhat.com/security/cve/CVE-2020-24394
https://access.redhat.com/security/cve/CVE-2020-24977
https://access.redhat.com/security/cve/CVE-2020-25212
https://access.redhat.com/security/cve/CVE-2020-25284
https://access.redhat.com/security/cve/CVE-2020-25285
https://access.redhat.com/security/cve/CVE-2020-25643
https://access.redhat.com/security/cve/CVE-2020-25659
https://access.redhat.com/security/cve/CVE-2020-25704
https://access.redhat.com/security/cve/CVE-2020-25712
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-26137
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-27783
https://access.redhat.com/security/cve/CVE-2020-27786
https://access.redhat.com/security/cve/CVE-2020-27835
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-28935
https://access.redhat.com/security/cve/CVE-2020-28974
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2020-35508
https://access.redhat.com/security/cve/CVE-2020-36242
https://access.redhat.com/security/cve/CVE-2020-36322
https://access.redhat.com/security/cve/CVE-2021-0342
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-21642
https://access.redhat.com/security/cve/CVE-2021-21643
https://access.redhat.com/security/cve/CVE-2021-21644
https://access.redhat.com/security/cve/CVE-2021-21645
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/cve/CVE-2021-30465
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.