-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.13.1 bug fix and security update Advisory ID: RHSA-2023:3304-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:3304 Issue date: 2023-05-30 CVE Names: CVE-2018-17419 CVE-2021-36157 CVE-2022-25147 CVE-2022-41722 CVE-2022-41723 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.1. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2023:3303 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html Security Fix(es): * dns: Denial of Service (DoS) (CVE-2018-17419) * cortex: Grafana Cortex directory traversal (CVE-2021-36157) * golang: path/filepath: path-filepath filepath.Clean path traversal (CVE-2022-41722) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags. The sha values for the release are: (For x86_64 architecture) The image digest is sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f (For s390x architecture) The image digest is sha256:dbc768473b99538c15a35ea1be7ff656a6ac01e5001af4fac117c51f461c6054 (For ppc64le architecture) The image digest is sha256:dc4bab40680fb4ed84665abc34aefef5e0689eafef1c878776c3685ddaa759d5 (For aarch64 architecture) The image digest is sha256:5415fb0c33370014b9be83bc3120cc9d35a95922b2e93e218cac603e4179717a All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2183169 - CVE-2021-36157 cortex: Grafana Cortex directory traversal 2188523 - CVE-2018-17419 dns: Denial of Service (DoS) 2203008 - CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean path traversal 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-11294 - [4.13] Missing metric for CSI migration opt-in OCPBUGS-11302 - Incorrect domain resolution by the coredns/Corefile in Vsphere IPI Clusters | openshift-vsphere-infra OCPBUGS-11336 - NTO: PAO e2e: profile update tests are flaky (time out) OCPBUGS-11353 - --external-cloud-volume-plugin for out-of tree providers OCPBUGS-11387 - build regression on 4.13: ERROR: bash-5.0.11-r1.post-install: script exited with error 127 OCPBUGS-11432 - hostpath and node-driver-registrar containers are not pinned to mgmt cores - no WLP annotation OCPBUGS-11775 - wait-for command doesn't handle installing-pending-user-action OCPBUGS-12363 - structured logs are borked in BMO OCPBUGS-12461 - Improve telemetry epic (ODC-7171) doesn't work without PrometheusRule (4.13) OCPBUGS-12722 - Wrong cleanup of stale conditions from OCPBUGS-2783 OCPBUGS-12770 - Create BuildConfig button in the Devconsole opens the form in default namespace OCPBUGS-13082 - Root device hints should accept by-path device alias OCPBUGS-13083 - Assisted Root device hints should accept by-path device alias OCPBUGS-13085 - hypershift_hostedclusters_failure_conditions metric incorrectly reports multiple clusters for a single cluster OCPBUGS-13086 - Bootstrap on aws should have same metadata service type as on other nodes OCPBUGS-13127 - EgressIP was NOT migrated to correct workers after deleting machine it was assigned in GCP XPN cluster. OCPBUGS-13138 - 4.13.0-RC.6 Enter to Cluster status: error while trying to install cluster with agent base installer OCPBUGS-13150 - EgressNetworkPolicy DNS resolution does not fall back to TCP for truncated responses OCPBUGS-13155 - CNO doesn't handle nodeSelector in HyperShift OCPBUGS-13162 - Rebase vSphere CSI driver to 3.0.1 OCPBUGS-13170 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes OCPBUGS-13222 - NTO profiles not removed when node is removed in hypershift guest cluster OCPBUGS-13312 - Failing test [bz-Machine Config Operator] Nodes should reach OSUpdateStaged in a timely fashion OCPBUGS-13321 - collect-profiles pods causing regular CPU bursts OCPBUGS-13410 - 'vendor' root device hint does not work correctly in ZTP/ABI OCPBUGS-13427 - kuryr-controller crashes on KuryrPort cleanup when subport is already gone: Request requires an ID but none was found OCPBUGS-13497 - kube-apiserver isn't healthy after a cluster comes up OCPBUGS-13531 - AWS VPC endpoint service not cleaned up when access to customer credentials lost OCPBUGS-13563 - [vmware csi driver] vsphere-syncher does not retry populate the CSINodeTopology with topology information when registration fails OCPBUGS-13591 - [TELCO:CASE] Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry OCPBUGS-13598 - OSD clusters' Ingress health checks & routes fail after swapping application router between public and private OCPBUGS-13683 - Yum Config Manager Not Found OCPBUGS-13692 - Failed to create STS resources on AWS GovCloud regions using ccoctl OCPBUGS-13731 - unusual error log in cluster-policy-controller OCPBUGS-13742 - [4.13] container_network* metrics fail to report OCPBUGS-13783 - [Hypershift Guest] OperatorHub details page returns error OCPBUGS-13828 - 4.13: aws-ebs-csi-driver-controller-sa ServiceAccount does not include the HCP pull-secret in its imagePullSecrets OCPBUGS-13887 - Verify that upstream gRPC issue #4632 (leak of net.Conn) is fixed in 4.13 OCPBUGS-13888 - CPMS?create two replace machines when deleting a master machine on vSphere OCPBUGS-13959 - [CI Watcher]: logs in as 'test' user via htpasswd identity provider: Auth test logs in as 'test' user via htpasswd identity provider OCPBUGS-1598 - Resourse added toast always have text "Deployment created successfully." irrespective of any resource type selected in the form OCPBUGS-2290 - IPI for Power VS: Deploy fails when there is are certain preexisting resources OCPBUGS-3160 - In some directories(under /run/containers/storage/overlay-containers/) on two of the Infra nodes permissions are rw for other user OCPBUGS-3166 - assisted-installer: pod creation fails due to violations of security policies in 4.12 OCPBUGS-7147 - [Descheduler] ? The minKubeVersion should be 1.26.0 for descheduler operator 6. References: https://access.redhat.com/security/cve/CVE-2018-17419 https://access.redhat.com/security/cve/CVE-2021-36157 https://access.redhat.com/security/cve/CVE-2022-25147 https://access.redhat.com/security/cve/CVE-2022-41722 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2023-25652 https://access.redhat.com/security/cve/CVE-2023-25815 https://access.redhat.com/security/cve/CVE-2023-29007 https://access.redhat.com/security/updates/classification/#moderate https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-12-release-notes.html 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZHsD8dzjgjWX9erEAQiTfA//duDVDDmwhcaooaY8TSJ3Pof/t84/zILB Mxt5PJaJ2nkRZmjADWML8LxBGQ9QpBQEiLPauevwTJJOQnLL2gWgs0mS+RKoIu+V M0V6cs/LrsdrekgiaxDkbQGO8Vq9V6SKPoM6WKf6Z70P6gTdDG0uy5BzwNYkVldf /skqH+cUxKOszgadiFHWaoWU1qh0zUCpCNtRMr0nQ64UuP9061bs3L3vfYwmC6vY rLyejSHAw6rSOS/P9USTbrq1NVdNfFdHwqVDAZa/uS0GgstbAhwXPqe1XG4KGIDu sILeX/XK04QWdhfWJh5Tvwv+B1ZNp9g1vu/gJgFQ+E+ToGCFMFXgfy10R+KhYU4t yjZUGSZ1EuIKpdYAlgAsqxLrNaoLuW5rlGxjQpsKI/CoD3EaJOOqWUN3NsXe+n5c hpzdCmA6nJ3ld9o/7ew+vD2i7xqRlKot5KVV3FGhDZ/kvcMq6JqckLqeGvdMBCxN MNC3EKbbFzDLcBCsCxl5CK3T94mP4jtu3Gq9aWw4uqIHFqvDqnEIf3Qzv3OzUfRs BPRwXSiYyUAx9qZmOJoEmudH2MF0wzCNUDkP2TxS1hJE5vBKxOWjdQmyGZgNcbaV 8g7zF3EpIItRDbCqtfnoHtbGYXy3n7QEkdMkTytTEngnq7ZMM0nrk7Qu4mYbj1l1 io3sLp+fdQU=dITn -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce