-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift support for Windows Containers 8.0.0 [security update] Advisory ID: RHSA-2023:1372-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:1372 Issue date: 2023-05-10 CVE Names: CVE-2022-41717 CVE-2023-25173 ===================================================================== 1. Summary: The components for Red Hat OpenShift support for Windows Containers 8.0.0 are now available. This product release includes bug fixes and a moderate security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Security Fix(es): * golang: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * containerd: Supplementary groups are not set up properly (CVE-2023-25173) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section 3. Solution: For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 5. JIRA issues fixed (https://issues.jboss.org/): OCPBUGS-10416 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace OCPBUGS-10709 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup - OCPBUGS-10930 - Windows pods are unable to resolve DNS records for services OCPBUGS-11444 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\" OCPBUGS-11735 - oc adm node-logs failing in vSphere CI OCPBUGS-1513 - Check if Windows defender is running doesnt work OCPBUGS-2028 - [WINC] Windows nodes name not matching hostname in GCP OCPBUGS-3506 - Load balancer shows connectivity outage during Windows nodes upgrade OCPBUGS-4133 - Load Balance service with externalTrafficPolicy="Cluster" for Windows workloads intermittently unavailable in GCP and Azure OCPBUGS-5065 - Installation of WMCO in different namespace fails OCPBUGS-5354 - WMCO is unable to drain DaemonSet workloads OCPBUGS-5378 - containerd version is being misreported OCPBUGS-5732 - Windows nodes do not get drained (deconfigure) during the upgrade process OCPBUGS-5887 - Directory deletion errors are being ignored when deconfiguring Windows instances OCPBUGS-6611 - Hybrid Overlay logfile is in use and cannot be deleted OCPBUGS-6635 - WMCO kubelet version not matching OCP payload's one OCPBUGS-7287 - Kublet logs are not written to the kubelet log file WINC-1001 - Use standard library errors package WINC-1014 - Enable in-tree storage for vSphere for 4.13 WINC-733 - Instance cleanup is done by WICD cleanup command WINC-736 - WICD controller periodically reconciles the state of Windows services WINC-741 - WICD takes more responsibility of Node configuration WINC-838 - Use PodOS field in e2e tests, and document it for users WINC-898 - Containerd is added to windows-services configmap WINC-923 - Update pause image to 3.9 WINC-942 - OpenShift Branching Day release-4.13 / WMCO 8.0.0 WINC-959 - update GitHub build and testing docs WINC-962 - Pick up openshift/kubernetes 1.26 rebase updates WINC-977 - Update kube-proxy submodule to sdn-4.13-kubernetes-1.26.0 6. References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFsxWdzjgjWX9erEAQhHXA/6AhWeuT89b6OpYzOBwz10B+PDTwCwkzYy kGoc5p8Wu7ov2liOTBYBwPZVrAN73T6O+FAIPzeYi0Ip8m2KBa7AThuDMcBsv8kC 5jj8lD8JzZLq1IPhOtnIuDBUkBGKwadcPwu+tH+L7QHLeaAVg5ceRE/55tcTEAM6 nYkkbrcWwpbU1PKo6PmGAW80phPCb+YvmQh3w10t8o/AqHry4g+6r5VvwqoB2YEB b7fXDESPuOYVRF+7A+uh4kL0wA93OW9TMMW61H147gmoJTHxKGZ6Ts6IVQn7+dkl cZ5xHfpxuMP2YbBqh05kx3D1SP2EmTGlYr/xjoyzFS4MWQvb667kESb6MrBP9Jl2 y2EJkZw/aUAouwy6kOexfAf3gnJl+9s0McYJHVO4TC+LvPpmcE4T5G3YK1r9dnFf fZQMLwoiNQZWXk/hLh96Lmk+H9bIXHMuL7OCiRDlYHaiDXjZQG83w5aPt733DCJ8 sP44DLRmP3WkNvz9BENHn1wgQ/ihGlmuEa2GsV51pHEMpvAHlRmb5XwFJ4RLLB9O 3vOzxH1XwCPK0lc1k2af4nO9ezHChsjHve86iEYFFrvdKFO0JgmigzqNpc/eEkHC LPqktATWXARi4qcn+JHEV7d40eAHYgZYv5AA4VHpomHK92WDK7EF6YOvMREwB/K/ dbxljBPzQIg= =qVSk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce