-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]
Advisory ID:       RHSA-2022:0577-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0577
Issue date:        2022-03-28
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-3121
                   CVE-2021-3521 CVE-2021-3712 CVE-2021-29923
                   CVE-2021-31525 CVE-2021-33195 CVE-2021-33197
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
                   CVE-2021-42574 CVE-2022-24407
=====================================================================

1. Summary:

The components for Windows Container Support for Red Hat OpenShift 5.0.0
are now available. This product release includes bug fixes and a moderate
security update for the following packages: windows-machine-config-operator
and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Windows Container Support for Red Hat OpenShift allows you to deploy Windows
container workloads running on Windows Server containers.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
(CVE-2021-3121)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
-u- extension (CVE-2020-28851)

* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)

* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)

* golang: net/http: panic in ReadRequest and ReadResponse when reading a very
large header (CVE-2021-31525)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if
passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For Windows Machine Config Operator upgrades, see the following
documentation:

https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990573 - Username annotation error when byoh Windows have uppercase hostname
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart
1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP "172.30.0.10", which is wrong, if the default kubernetes subnet is not used
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell
2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal
2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2005360 - BYOH Windows instance configured twice with DNS name
2008601 - WMCO ignores delete events for machines with invalid IP addresses
2015772 - Replacing private key reconcile 2 Windows nodes in parallel
2032048 - CSR approval failures caused by update conflicts

5. JIRA issues fixed (https://issues.jboss.org/):

WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release

6. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYkHUidzjgjWX9erEAQgguhAApk3+HqFLF4+2BufU+cXbfR3ikPOum2aR
dtT/kEd17ELemORjgGNt3mfEaFl0yc+kmq59r4BQRc4kSVa0rtD5gY8loW81R/V9
QVJOO4uu160Ho92n/7M33IKNM3MJuB6Puezm6GiTiRBCE6YcggWn3f8DqSQiqcH6
GAjDfomv+WfMhDBvoZKqY+rDiFleZqOcTZT5StcZNntXEpDkJE95jttCOIB1GjjR
DbBqk2Yya78gfMMarAIjGupYoMq6Byk4ebGVjnNvQVFvmPFdalTnCjBBkuN/FHFv
QXBOQfMDZW7eYPD7Hztz7o6FgRQNctie2i2n/UtU4qhEgei97e/CFN77mdBD7zaN
9pqsz63ZNx7rhKIvrVBXktyZuV3PETPxDakH13JFFbW2pKrDr0d6lHYq9H9mHmbr
RUPObMpM3yOXI0nm0MPfAHp/PYI0GyPi6mKVJLLKiXQw7nM3t9J4RPn51ZIDdq8H
s4bFvA0cev5dZholKPPdjEkH9XfPBecXFlKFT2a+91w7d0LAAKUCk1yEsDuwlYEN
gu+uO6s7xN2qMg6S0KWf3dkBgrJjiBgWg9lUhin/CFnRmmCxjWnDzgUOiMbJfD4c
oAKvrdZ8oqe9Fl63oIFggre+fJIVl817DaHHmc6QptcrUBogdXQgsneK/86xjsZi
OzqkIK5j4RU=
=uE/t
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
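The advisory names CVE-2021-29923 only by its one-line summary (extraneous leading zeros at the start of an IPv4 octet). The Go program below is an added example, not code from the Windows Machine Config Operator, Red Hat, or the Go project, showing why that parse matters: a lenient decimal reading and a BSD inet_aton-style octal reading of the same literal name different hosts, so an allow-list check performed with one parser can be bypassed by a connection made with the other, and a strict parser that rejects leading zeros (the rule net.ParseIP applies from Go 1.17 onward) removes the ambiguity. The lenient and octal-style parsers are constructed models written for the comparison, and the sample literals are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// splitFields returns the four dotted fields of an IPv4 literal or an error.
func splitFields(s string) ([]string, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four dotted-decimal fields")
	}
	return parts, nil
}

// parseIPv4Lenient is a constructed model of the pre-fix behaviour the
// advisory describes: each field goes through Atoi, so leading zeros are
// silently accepted and "010" is read as decimal 10.
func parseIPv4Lenient(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return nil, fmt.Errorf("field %q is not a decimal octet", p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// parseIPv4Strict rejects a field that is empty, longer than three digits,
// non-decimal, above 255, or has a leading zero (other than "0" itself).
// This is the rule Go 1.17+ net.ParseIP applies after the fix.
func parseIPv4Strict(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if p == "" || len(p) > 3 {
			return nil, fmt.Errorf("field %q has invalid length", p)
		}
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("field %q has a leading zero", p)
		}
		n := 0
		for _, c := range []byte(p) {
			if c < '0' || c > '9' {
				return nil, fmt.Errorf("field %q is not decimal", p)
			}
			n = n*10 + int(c-'0')
		}
		if n > 255 {
			return nil, fmt.Errorf("field %q exceeds 255", p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// parseIPv4OctalStyle is a constructed model of the BSD inet_aton convention
// in which a field with a leading zero is octal, so "010" is 8. It is not a
// call into libc and models only the octal case, not the "0x" hex prefix.
func parseIPv4OctalStyle(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base := 10
		if len(p) > 1 && p[0] == '0' {
			base = 8
		}
		n, err := strconv.ParseInt(p, base, 64)
		if err != nil || n < 0 || n > 255 {
			return nil, fmt.Errorf("field %q is not a valid base-%d octet", p, base)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// interpretationsAgree reports whether the lenient decimal reading and the
// octal-style reading of s name the same host (or both reject it).
func interpretationsAgree(s string) bool {
	a, errA := parseIPv4Lenient(s)
	b, errB := parseIPv4OctalStyle(s)
	if errA != nil || errB != nil {
		return errA != nil && errB != nil
	}
	return a.Equal(b)
}

func main() {
	// Constructed sample literals; "172.030.0.10" is the cluster DNS address
	// from the advisory's bug list written with a leading zero.
	for _, s := range []string{"10.1.1.1", "010.1.1.1", "172.030.0.10"} {
		lenient, _ := parseIPv4Lenient(s)
		octal, _ := parseIPv4OctalStyle(s)
		_, strictErr := parseIPv4Strict(s)
		fmt.Printf("%-13s lenient=%-12v octal=%-12v strict-ok=%-5v net.ParseIP=%v\n",
			s, lenient, octal, strictErr == nil, net.ParseIP(s))
	}
}
```

Run with `go run .`; the strict parser and net.ParseIP (Go 1.17 or later) both return nothing for the leading-zero literals, which is the behaviour to require anywhere an address string is compared against an allow-list before being used for a connection.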