-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: OpenShift Container Platform 4.10.56 security update Advisory ID: RHSA-2023:1655-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:1655 Issue date: 2023-04-12 CVE Names: CVE-2022-3172 CVE-2022-31690 CVE-2022-31692 CVE-2022-42889 CVE-2023-24422 CVE-2023-27898 CVE-2023-27899 CVE-2023-27903 CVE-2023-27904 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.10.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.10 - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.56. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2023:1656 Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690) * spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898) * Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899) * kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF) (CVE-2022-3172) * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html 5. Bugs fixed (https://bugzilla.redhat.com/): 2127804 - CVE-2022-3172 kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF) 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client 2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2177626 - CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions 2177629 - CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager 2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 6. Package List: Red Hat OpenShift Container Platform 4.10: Source: cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el7.src.rpm openshift-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el7.src.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el7.src.rpm x86_64: cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el7.x86_64.rpm cri-o-debuginfo-1.23.5-8.rhaos4.10.gitcc8441d.el7.x86_64.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el7.x86_64.rpm openshift-clients-redistributable-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el7.x86_64.rpm openshift-hyperkube-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.10: Source: cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el8.src.rpm haproxy-2.2.19-4.el8.src.rpm jenkins-2-plugins-4.10.1680703106-1.el8.src.rpm jenkins-2.387.1.1680701869-1.el8.src.rpm kernel-4.18.0-305.85.1.el8_4.src.rpm kernel-rt-4.18.0-305.85.1.rt7.157.el8_4.src.rpm openshift-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el8.src.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.src.rpm toolbox-0.0.9-1.rhaos4.10.el8.src.rpm aarch64: bpftool-4.18.0-305.85.1.el8_4.aarch64.rpm bpftool-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el8.aarch64.rpm cri-o-debuginfo-1.23.5-8.rhaos4.10.gitcc8441d.el8.aarch64.rpm cri-o-debugsource-1.23.5-8.rhaos4.10.gitcc8441d.el8.aarch64.rpm haproxy-debugsource-2.2.19-4.el8.aarch64.rpm haproxy22-2.2.19-4.el8.aarch64.rpm haproxy22-debuginfo-2.2.19-4.el8.aarch64.rpm kernel-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-core-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-cross-headers-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-core-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-devel-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-modules-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-modules-extra-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debug-modules-internal-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-debuginfo-common-aarch64-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-devel-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-headers-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-modules-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-modules-extra-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-modules-internal-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-selftests-internal-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-tools-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-tools-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-tools-libs-4.18.0-305.85.1.el8_4.aarch64.rpm kernel-tools-libs-devel-4.18.0-305.85.1.el8_4.aarch64.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.aarch64.rpm openshift-hyperkube-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el8.aarch64.rpm perf-4.18.0-305.85.1.el8_4.aarch64.rpm perf-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm python3-perf-4.18.0-305.85.1.el8_4.aarch64.rpm python3-perf-debuginfo-4.18.0-305.85.1.el8_4.aarch64.rpm noarch: jenkins-2-plugins-4.10.1680703106-1.el8.noarch.rpm jenkins-2.387.1.1680701869-1.el8.noarch.rpm kernel-doc-4.18.0-305.85.1.el8_4.noarch.rpm toolbox-0.0.9-1.rhaos4.10.el8.noarch.rpm ppc64le: bpftool-4.18.0-305.85.1.el8_4.ppc64le.rpm bpftool-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el8.ppc64le.rpm cri-o-debuginfo-1.23.5-8.rhaos4.10.gitcc8441d.el8.ppc64le.rpm cri-o-debugsource-1.23.5-8.rhaos4.10.gitcc8441d.el8.ppc64le.rpm haproxy-debugsource-2.2.19-4.el8.ppc64le.rpm haproxy22-2.2.19-4.el8.ppc64le.rpm haproxy22-debuginfo-2.2.19-4.el8.ppc64le.rpm kernel-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-core-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-cross-headers-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-core-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-devel-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-modules-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-modules-extra-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debug-modules-internal-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-debuginfo-common-ppc64le-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-devel-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-headers-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-ipaclones-internal-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-modules-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-modules-extra-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-modules-internal-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-selftests-internal-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-tools-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-tools-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-tools-libs-4.18.0-305.85.1.el8_4.ppc64le.rpm kernel-tools-libs-devel-4.18.0-305.85.1.el8_4.ppc64le.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.ppc64le.rpm openshift-hyperkube-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el8.ppc64le.rpm perf-4.18.0-305.85.1.el8_4.ppc64le.rpm perf-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm python3-perf-4.18.0-305.85.1.el8_4.ppc64le.rpm python3-perf-debuginfo-4.18.0-305.85.1.el8_4.ppc64le.rpm s390x: bpftool-4.18.0-305.85.1.el8_4.s390x.rpm bpftool-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el8.s390x.rpm cri-o-debuginfo-1.23.5-8.rhaos4.10.gitcc8441d.el8.s390x.rpm cri-o-debugsource-1.23.5-8.rhaos4.10.gitcc8441d.el8.s390x.rpm haproxy-debugsource-2.2.19-4.el8.s390x.rpm haproxy22-2.2.19-4.el8.s390x.rpm haproxy22-debuginfo-2.2.19-4.el8.s390x.rpm kernel-4.18.0-305.85.1.el8_4.s390x.rpm kernel-core-4.18.0-305.85.1.el8_4.s390x.rpm kernel-cross-headers-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-core-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-devel-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-modules-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-modules-extra-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debug-modules-internal-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm kernel-debuginfo-common-s390x-4.18.0-305.85.1.el8_4.s390x.rpm kernel-devel-4.18.0-305.85.1.el8_4.s390x.rpm kernel-headers-4.18.0-305.85.1.el8_4.s390x.rpm kernel-modules-4.18.0-305.85.1.el8_4.s390x.rpm kernel-modules-extra-4.18.0-305.85.1.el8_4.s390x.rpm kernel-modules-internal-4.18.0-305.85.1.el8_4.s390x.rpm kernel-selftests-internal-4.18.0-305.85.1.el8_4.s390x.rpm kernel-tools-4.18.0-305.85.1.el8_4.s390x.rpm kernel-tools-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-core-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-devel-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-modules-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-modules-extra-4.18.0-305.85.1.el8_4.s390x.rpm kernel-zfcpdump-modules-internal-4.18.0-305.85.1.el8_4.s390x.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.s390x.rpm openshift-hyperkube-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el8.s390x.rpm perf-4.18.0-305.85.1.el8_4.s390x.rpm perf-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm python3-perf-4.18.0-305.85.1.el8_4.s390x.rpm python3-perf-debuginfo-4.18.0-305.85.1.el8_4.s390x.rpm x86_64: bpftool-4.18.0-305.85.1.el8_4.x86_64.rpm bpftool-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm cri-o-1.23.5-8.rhaos4.10.gitcc8441d.el8.x86_64.rpm cri-o-debuginfo-1.23.5-8.rhaos4.10.gitcc8441d.el8.x86_64.rpm cri-o-debugsource-1.23.5-8.rhaos4.10.gitcc8441d.el8.x86_64.rpm haproxy-debugsource-2.2.19-4.el8.x86_64.rpm haproxy22-2.2.19-4.el8.x86_64.rpm haproxy22-debuginfo-2.2.19-4.el8.x86_64.rpm kernel-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-core-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-cross-headers-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-core-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-devel-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-modules-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-modules-extra-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debug-modules-internal-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-debuginfo-common-x86_64-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-devel-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-headers-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-ipaclones-internal-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-modules-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-modules-extra-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-modules-internal-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-rt-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-core-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-core-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-debuginfo-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-devel-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-kvm-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-modules-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-modules-extra-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debug-modules-internal-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debuginfo-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-debuginfo-common-x86_64-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-devel-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-kvm-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-modules-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-modules-extra-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-modules-internal-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-rt-selftests-internal-4.18.0-305.85.1.rt7.157.el8_4.x86_64.rpm kernel-selftests-internal-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-tools-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-tools-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-tools-libs-4.18.0-305.85.1.el8_4.x86_64.rpm kernel-tools-libs-devel-4.18.0-305.85.1.el8_4.x86_64.rpm openshift-clients-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.x86_64.rpm openshift-clients-redistributable-4.10.0-202304032041.p0.g3a7500d.assembly.stream.el8.x86_64.rpm openshift-hyperkube-4.10.0-202303221742.p0.g16bcd69.assembly.stream.el8.x86_64.rpm perf-4.18.0-305.85.1.el8_4.x86_64.rpm perf-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm python3-perf-4.18.0-305.85.1.el8_4.x86_64.rpm python3-perf-debuginfo-4.18.0-305.85.1.el8_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-3172 https://access.redhat.com/security/cve/CVE-2022-31690 https://access.redhat.com/security/cve/CVE-2022-31692 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-27898 https://access.redhat.com/security/cve/CVE-2023-27899 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification/#critical https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZDbdMtzjgjWX9erEAQjYThAAhqisQ9b44x+9/wyDxxvk76uR2NaZPzNo kabifxq1PnMHASvaD1UwOa9SlMTUSE0WOK0TKSQeLmpPWVSMtbTwg7TQ4ITBCKg3 ci3YZUGUfd8kitT8m+YFabRdjjEvp4zquA7jGHAiyeVNxUqVSCm+3Xu/qnTJBZU+ Lg+ZSHOIGXoAMwrK5tcrjNdWLcXRHwhTx+yTEtI78zT8gOR1SwKeiBeo9PZejwvI hpzS60Lf2RRvgE1XYpW1QGk27FDEqnKZQwq/xA8VmEFvv5PUn2a/HuzPV6+TE+go yw3hwZj+NdeVu0tEuPn/nwdybc74LfSN3oQOsJ+IxDHl8wRECe/Ki4db1NlwPCOR v33fnObzojt8wMSobA63X8smklQTT3h4C5OjG3QH3R7uLv2hUIlrRqBW1+frzMMi hN7DMt7DCMdSn8a5keKd2apsIHvtzFQLeZDS49fcqkIDEGSmPs/bXHWnRTjlrown PqJayWgk0LpZcyqxV/K/y4fdCm/+skaY1bX6GLpvMEd29z8LT3R/E3N/HqMHEZO7 DJ/YGc2cxtOBMq5uaLUDIFhcvTUCU46zh+1H8XRlSm4nTFIX0p7tvTCDPVuGvaYv eAHIdGls6f9obPkOTaLkdN0UCtUDnhT5nSSbL7NH/Tw+rgR/U/idXyuZUt1XrnO8 rcrquYe48D0= =Ywi7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce