=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.6.16 security and bug fix update
Advisory ID:       RHSA-2021:0308-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0308
Issue date:        2021-02-08
CVE Names:         CVE-2015-8011 CVE-2016-2183 CVE-2020-14382
                   CVE-2021-3344 CVE-2021-20198
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.16 is now available with
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.16. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2021:0309

Space precludes documenting all of the container images in this advisory.

See the following Release Notes documentation, which will be updated shortly
for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

You may download the oc tool and use it to inspect release image metadata as
follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-x86_64

The image digest is
sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-s390x

The image digest is
sha256:2335685cda334ecf9e12c056b148c483fb81412fbfc96c885dc669d775e1f1ee

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-ppc64le

The image digest is
sha256:953ccacf79467b3e8ebfb8def92013f1574d75e24b3ea9a455aa8931f7f17b88

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

Security Fix(es):

* SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
(CVE-2016-2183)

* openshift/builder: privilege escalation during container image builds via
mounted secrets (CVE-2021-3344)

* openshift/installer: Bootstrap nodes allow anonymous authentication on
kubelet port 10250 (CVE-2021-20198)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3.
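As an added example (not part of the advisory or of the oc tool), the following Python checks the Digest line reported by `oc adm release info` against the digests published above and builds a digest-pinned pull spec so a cluster update references the immutable image rather than the mutable 4.6.16-<arch> tag. The sample output is constructed, not real oc output, and the assumption is that the digest appears on a line starting with "Digest:".

```python
import re
from typing import Optional

# Digests published in RHSA-2021:0308 for the 4.6.16 release image, by architecture.
ADVISORY_DIGESTS = {
    "x86_64": "sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741",
    "s390x": "sha256:2335685cda334ecf9e12c056b148c483fb81412fbfc96c885dc669d775e1f1ee",
    "ppc64le": "sha256:953ccacf79467b3e8ebfb8def92013f1574d75e24b3ea9a455aa8931f7f17b88",
}

RELEASE_REPO = "quay.io/openshift-release-dev/ocp-release"

# Assumed field layout: "Digest:" followed by whitespace and a sha256 value on one line.
_DIGEST_RE = re.compile(r"^Digest:\s+(sha256:[0-9a-f]{64})\s*$", re.MULTILINE)


def extract_digest(release_info: str) -> Optional[str]:
    """Pull the sha256 digest out of `oc adm release info` text, or None if absent."""
    match = _DIGEST_RE.search(release_info)
    return match.group(1) if match else None


def verify_release(arch: str, release_info: str) -> bool:
    """True only if the reported digest equals the advisory's digest for this arch."""
    expected = ADVISORY_DIGESTS.get(arch)
    reported = extract_digest(release_info)
    return expected is not None and reported == expected


def pinned_pullspec(arch: str) -> str:
    """Digest-pinned pull spec for the advisory's release image (tags can be moved, digests cannot)."""
    return f"{RELEASE_REPO}@{ADVISORY_DIGESTS[arch]}"


# Constructed sample of the header lines oc prints for the x86_64 image (not captured output).
SAMPLE_X86 = """Name:      4.6.16
Digest:    sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741
Created:   2021-02-03T00:00:00Z
OS/Arch:   linux/amd64
"""

# Constructed sample whose digest differs in the last hex digit, as a mirror mismatch would.
SAMPLE_TAMPERED = SAMPLE_X86.replace("2f349741", "2f349742")

if __name__ == "__main__":
    print("x86_64 digest matches advisory:", verify_release("x86_64", SAMPLE_X86))
    print("pinned pull spec:", pinned_pullspec("x86_64"))
```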
Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1873004 - [downstream] Should indicate the version info instead of the commit info
1887759 - [release 4.6] Gather MachineConfigPools
1889676 - [release 4.6] Gather top installplans and their count
1889865 - operator-registry image needs clean up in /tmp
1890274 - [4.6] External IP doesn't work if the IP address is not assigned to a node
1890452 - Adding BYOK disk encryption through DES
1891697 - Handle missing labels as empty.
1891892 - The windows oc.exe binary does not have version metadata
1893409 - [release-4.6] MCDPivotError alert/metric missing
1893738 - Examining agones helm chart resources results in "Oh no!"
1894916 - [4.6] Panic output due to timeouts in openshift-apiserver
1896919 - start creating new-style Secrets for AWS
1898672 - Pod gets stuck in ContainerCreating state with exhausted Whereabouts IPAM range with a daemonset
1899107 - [4.6] ironic-api used by metal3 is over provisioned and consumes a lot of RAM
1899535 - ds/machine-config-daemon takes 100+ minutes to rollout on 250 node cluster
1901602 - Extra reboot during 4.5 -> 4.6 upgrade
1901605 - CNO blocks editing Kuryr options
1903649 - Automated cleaning is disabled by default
1903887 - dns daemonset rolls out slowly in large clusters
1904091 - Missing registry v1 protocol usage metric on telemetry
1904577 - [4.6] Local storage operator doesn't include correctly populate LocalVolumeDiscoveryResult in console
1905031 - (release-4.6) Collect spec config for clusteroperator resources
1905195 - [release-4.6] Detecting broken connections to the Kube API takes up to 15 minutes
1905573 - [4.6] Changing the bound token service account issuer invalids previously issued bound tokens
1905788 - Role name missing on create role binding form
1906332 - update discovery burst to reflect lots of CRDs on openshift clusters
1906741 - KeyError: 'nodeName' on NP deletion
1906796 - [SA] verify-image-signature using service account does not work
1907827 - Kn resources are not showing in Topology if triggers has KSVC and IMC as subscriber
1907830 - "Evaluating rule failed" for "record: cluster:kube_persistentvolumeclaim_resource_requests_storage_bytes:provisioner:sum" and "record: cluster:kubelet_volume_stats_used_bytes:provisioner:sum"
1909673 - scale up / down buttons available on pod details side panel
1912388 - [OVN]: `make check` broken on 4.6
1912430 - thanosRuler.resources.requests does not take effect in user-workload-monitoring-config confimap
1913109 - oc debug of an init container no longer works
1913645 - Improved Red Hat image and crashlooping OpenShift pod collection
1915560 - OCP 4.4.9: EtcdMemberIPMigratorDegraded: rpc error: code = Canceled desc = grpc: the client connection is closing
1916096 - [oVirt] csi operator panics if ovirt-engine suddenly becomes unavailable.
1916100 - [oVirt] Consume 23-10 ovirt sdk - csi operator
1916347 - Updating scheduling component builder & base images to be consistent with ART
1916857 - configs.imageregistry.operator.openshift.io cluster does not update its status fields after URL change
1916907 - dns-node-resolver corrupts /etc/hosts if internal registry is not in use
1917240 - [4.6] Network Policies are not working as expected with OVN-Kubernetes when traffic hairpins back to the same source through a service
1917498 - Regression OLM uses scoped client for CRD installation
1917547 - oc adm catalog mirror does not mirror the index image itself
1917548 - [4.6] Cannot filter the platform/arch of the index image
1917549 - Failed to mirror operator catalog - error: destination registry required
1917550 - oc adm catalog mirror command attempts to pull from registry.redhat.io when using --from-dir option
1917609 - [4.6z] Deleting an exgw causes pods to no longer route to other exgws
1918194 - with sharded ingresscontrollers, all shards reload when any endpoint changes
1918202 - Grafana - The resulting dataset is too large to graph (OCS RBD volumes being counted as disks)
1918525 - OLM enters infinite loop if Pending CSV replaces itself
1918779 - [Negative Test] After deleting metal3 pod, scaling worker stuck on provisioning state
1918792 - [BUG] Thanos having possible memory leak consuming huge amounts of node's memory and killing them
1918961 - [IPI on vsphere] Executing 'openshift-installer destroy cluster' leaves installer tag categories in vsphere
1920764 - CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250
1920873 - Failure to upgrade operator when a Service is included in a Bundle
1920995 - kuryr-cni pods using unreasonable amount of CPU
1921450 - CVE-2021-3344 openshift/builder: privilege escalation during container image builds via mounted secrets
1921473 - test-cmd is failing on volumes.sh pretty consistently
1921599 - OCP 4.5 to 4.6 upgrade for "aws-ebs-csi-driver-operator" fails when "defaultNodeSelector" is set

5. References:

https://access.redhat.com/security/cve/CVE-2015-8011
https://access.redhat.com/security/cve/CVE-2016-2183
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2021-3344
https://access.redhat.com/security/cve/CVE-2021-20198
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2548661

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce