-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.8.4 bug fix and security update Advisory ID: RHSA-2021:2983-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:2983 Issue date: 2021-08-10 CVE Names: CVE-2021-31525 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.8.4 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.4. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2021:2984 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-rel ease-notes.html Security Fix(es): * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: archive/zip: Malformed archive may cause panic or memory exhaustion (CVE-2021-33196) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-x86_64 The image digest is sha256:841535acc09ca8412cd17e8f7702eceda1cac688ccc281278f108675c30de270 (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-s390x The image digest is sha256:78945f4ccc4c1c7fa57762f49e63b1b0e004a0026f6efa85c0a459c777fcead1 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-ppc64le The image digest is sha256:ad3da79ce274c6460a3b50551c54a1eb32562c5a5cec5129cb76c018b8b4dcbb All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor 3. Solution: For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1938967 - Updating baremetal-machine-controller builder & base images to be consistent with ART 1943565 - ThanosSidecarUnhealthy 1947809 - Upgrade tests should skip disruption tests on single node clusters 1948021 - e2e should fail if operators set unexpected Upgradeable post install 1948629 - Add "none" / "minimal" upgrade test suites to skip disruption tests 1957222 - Add internal option for registry info 1957512 - minor regression in openshift-tests command-line options 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1960446 - nmstate operator doesn't handle nodes with taints 1961057 - [Driver: Gluster] tests failing in IPv6 and IPv4v6 1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion 1967949 - (release-4.8) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records 1971730 - 503 Error page contains license for a vulnerable release of Bootstrap 1972478 - OLM: Failure alert message for copied CSV not helpful 1973662 - Image pruner does not use custom tolerations 1974812 - In customize create vm wizard, a warning "no registred model" 1975559 - typo in operators available 1976008 - Get invalid date when edit custom time range on monitoring dashboards 1976349 - Missing policy-group label on the openshift-console namespace manifest 1978043 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8. 1979303 - [release-4.8] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out 1980136 - Binary secret data isn't properly uploaded by ui 1980302 - VNC console stays in Connecting state. 1981770 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit 1982221 - If loading dynamic plugin times out, the UI throws a syntax error 1982246 - Accessibility (and cypress test) issue with empty category on Operator Hub page 1982294 - OLM fails with 'ResolutionFailed' found multiple channel heads 1983247 - (release-4.8] Operator operation is not set when updating status 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1984565 - Ipv6 IP addresses are not accepted for whitelisting 1984978 - [4.8z] External gateway fails to add duplicate OVN ECMP route 1985514 - allow-from-router feature doesn't work on v6 only single stack cluster 1986026 - Manila CSI driver is not in must-gather 1986573 - [4.8z] Services sync causes too many ovn load balancer deletes 1986576 - inspect on the tuning cluster operator does not gather all tuned CRs 1986955 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance 1987182 - Allow Cluster-api-provider-ovirt using auto pinning new namings 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 5. References: https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33196 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYRJEiNzjgjWX9erEAQjEjQ/+MKM7aY5P/pjRnqgBIsBoJsSxkvxVeIOI D11xKq5nej7yW9pkdFbVOM5d40dtwsf6IsGu05cTrt5R+M0jiHVPit1rn4rAj1ta 4gSHF0MY+Ezm5E8ArFbGo+/vT/c0Y0th+lCE90MlElapAlA2tkPKRTGcxw9Ncu3d yoJdjles7QmWge8HBfx6H37qX498dpRjGPr85TIzE20FaGpW8W5H2rDZck8ryJEa rba7kP2sO/JnvmbOJHG0TePcMhJTFyV1j/OgQz1k4Jnf9Zn9qgeOqjjgFAl3aKGU rvBsYJn2/4HDpEu8vxzhhNq9TB0pwQmfsPtH5zEbHZJtYxFGhSLFtvI7x0igOymr rVopDVMnVRBAkCxXkxoShCrtPV6sRMf8CktIbQPj2c48pdRxzt3VXyeZpfYLBkPA oeLfOvRojgBMm609Zn8K6lKSSyn2RsqNDxRItArmp6O2ollM4Svd5f0ByfAEKQ43 STSONghXsI288EvMJrdBgddOZ1SLDaO37GpW1JjgJHzpbr5Va7/hHCfXWY9rVOzf Ozr40jtUFrfh4Ol+5H9LYbullms//yME2Gx6EzcJAbqQHVzspMGoVfkXaqeJDBG1 cdW1IlPIKE35IetV/F6LxUOizctV3qROkGnkh880J14uP14bjhln47lMt2+wKMgd gJkB5r/x/Cw= =3oEb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce