-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.10.8 bug fix and security update Advisory ID: RHSA-2022:1162-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2022:1162 Issue date: 2022-04-08 CVE Names: CVE-2022-0567 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.10.8 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.8. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2022:1161 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html Security Fix(es): * ovn-kubernetes: Ingress network policy can be overruled by egress network policy on another pod (CVE-2022-0567) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.8-x86_64 The image digest is sha256:0696e249622b4d07d8f4501504b6c568ed6ba92416176a01a12b7f1882707117 (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.8-s390x The image digest is sha256:0f0f014007959a241edc31a1e135a76001dbb1030e591f53ac391e650dae2ed6 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.8-ppc64le The image digest is sha256:8737ef996f2552a110d666fbec5ed1e7645e850725fd4954b38a418c791e48e9 All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2043070 - ptpfconfig update to new interface name , old interface metrics are retained 2048481 - Update ironic-python-agent to latest bugfix release 2052804 - go fmt fails in OSM after migration to go 1.17 2053326 - CVE-2022-0567 ovn-kubernetes: Ingress network policy can be overruled by egress network policy on another pod 2054098 - [release-4.10] Gather images.conifg.openshift.io cluster resource definiition 2054650 - UI should show templates which are deployed to custom namespace by SSP 2054949 - [KMS] UI does not have option to specify kube auth path and namespace for cluster wide encryption 2055895 - NodePerfCheck fires and stays active on momentary high latency 2057507 - Git import detection does not happen for private repositories 2057961 - PodDisruptionBudgetAtLimit alert fired in SNO cluster 2059354 - [OVN]After reboot egress node, lr-policy-list was not correct, some duplicate records or missed internal IPs 2060007 - No rule to make target 'docker-push' when building the SRO bundle 2060419 - Create new app from a private git repository using 'oc new app' with basic auth does not work. 2061804 - [4.10] ErrorAddingLogicalPort: duplicate IP found in ECMP Pod route cache! 2062197 - [cluster-csi-snapshot-controller-operator] CI failure: events should not repeat pathologically 2062290 - MCC bootstrap command lacks template flag 2062429 - [IBMCloud] infrastructure asset missing CloudProviderType 2062666 - [4.10.z backport] configure-ovs: don't restart networking if not necessary 2063326 - MCO template output directories created with wrong mode causing render failure in unprivileged container environments 2064572 - nmstate interprets interface names as float64 and subsequently crashes on state update (4.10) 2064901 - cannot download operator catalogs due to missing images 2064991 - cluster-version operator stops applying manifests when blocked by a precondition check 2065265 - hw event proxy is not binding on ipv6 local address 2065480 - VolumeSnapshot creation date sorting is broken 2065500 - [oc-mirror] Catalog merging error when two or more bundles does not have a set Replace field 2065714 - [4.10] local pv's are in terminating state 2065774 - Pods stuck in OutOfpods state after running cluster-density 2065808 - stop considering Mint mode as supported on Azure 2066359 - SRO appends "arm64" instead of "aarch64" to the kernel name and it doesn't match the DTK 2068590 - release-4.10: ptp operator upgrade from 4.9 to 4.10 stuck at pending due to service account requirements not met 2069807 - Internal Image registry with GCS backend does not redirect client 5. References: https://access.redhat.com/security/cve/CVE-2022-0567 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYlC0ENzjgjWX9erEAQij1w/7B/tSuZhYv5BmNQQexMrZD1iRCMZfYp3W QFLkAJSY5MdlLEs7NTQLxaFi7i4j5ZcTQvEhUaJDomnsmISoyvZG5wrRloRQcjKd HKCTFd0/PH3ARlGWkuuhHng3+MXze5io/zCkgueNBgyCHAQjoqIlE63FUU3rGHCi aXRbLuPalQ0AoR3MAe7xYg6NAJ36Ihtk3bg6jWcu1mqxfipQav8NyZYlDf7eAlzj Tp+P5P5OxfF8bDWD0W2h0E1UrYzfUhroXeRdeD7YQEH8JLRtHmnLhaRAqjEi7wIL xRX0cyFfU2CE1VvVeNR7i3mYyej/XSt/vFSa3P7oGGj2xPEo7Iyk5w6y+XsJXY6u j/HWHekG+6hNUQZ6pIJdAciFQ0Q/xoV3GNa3h1sLiMArmmTk80YboVseI3UGuFzz 8nn7DSUA8FYnxG8sjneTDIqOQg/mV/6DWJ8eSCpz8HAy2jjJi9AnWm17AUycKG/s 4ZUlXHNyf3+hjZt+vRpLcnjO0TjK1BJyPYrSLLmJwPyaVl4ELoQGEJh22N861OcS eBP/B88n8IqaPhZBRt3MzNSXYccgqj103MDTXYhQv+aAoIhIy4VGQtu+rOhbuCpA v4kd/aTT2EV8qvYp7AJTYLBMN1URNhUiY1KvcDbWdf/VLAirOHlZS6YnLAc6GatD MUbvuR1iU2k= =dTK6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce