Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in OpenShift
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in OpenShift
ID: RHSA-2023:3304-01
Distribution: Red Hat
Plattformen: Red Hat OpenShift Enterprise
Datum: So, 4. Juni 2023, 07:34
Referenzen: https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2021-36157
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/cve/CVE-2018-17419
https://access.redhat.com/security/cve/CVE-2022-25147
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-12-release-notes.html
https://access.redhat.com/security/cve/CVE-2022-41722
Applikationen: OKD

Originalnachricht

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.1 bug fix and
 security update
Advisory ID:       RHSA-2023:3304-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3304
Issue date:        2023-05-30
CVE Names:         CVE-2018-17419 CVE-2021-36157 CVE-2022-25147 
                   CVE-2022-41722 CVE-2022-41723 CVE-2023-25652 
                   CVE-2023-25815 CVE-2023-29007 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.13.1 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.13.1. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2023:3303

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* dns: Denial of Service (DoS) (CVE-2018-17419)

* cortex: Grafana Cortex directory traversal (CVE-2021-36157)

* golang: path/filepath: path-filepath filepath.Clean path traversal
(CVE-2022-41722)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. All OpenShift Container Platform
4.13 users are advised to upgrade to these updated packages and images when
they are available in the appropriate release channel. To check for
available updates, use the OpenShift CLI (oc) or web console. Instructions
for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)
The image digest is
sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f

(For s390x architecture)
The image digest is
sha256:dbc768473b99538c15a35ea1be7ff656a6ac01e5001af4fac117c51f461c6054

(For ppc64le architecture)
The image digest is
sha256:dc4bab40680fb4ed84665abc34aefef5e0689eafef1c878776c3685ddaa759d5

(For aarch64 architecture)
The image digest is
sha256:5415fb0c33370014b9be83bc3120cc9d35a95922b2e93e218cac603e4179717a

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic
 complexity in HPACK decoding
2183169 - CVE-2021-36157 cortex: Grafana Cortex directory traversal
2188523 - CVE-2018-17419 dns: Denial of Service (DoS)
2203008 - CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean
 path traversal

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-11294 - [4.13] Missing metric for CSI migration opt-in
OCPBUGS-11302 - Incorrect domain resolution by the coredns/Corefile in Vsphere
 IPI Clusters | openshift-vsphere-infra
OCPBUGS-11336 - NTO: PAO e2e: profile update tests are flaky (time out)
OCPBUGS-11353 - --external-cloud-volume-plugin for out-of tree providers
OCPBUGS-11387 - build regression on 4.13: ERROR: bash-5.0.11-r1.post-install:
 script exited with error 127
OCPBUGS-11432 - hostpath and node-driver-registrar containers are not pinned to
 mgmt cores - no WLP annotation
OCPBUGS-11775 - wait-for command doesn't handle
 installing-pending-user-action
OCPBUGS-12363 - structured logs are borked in BMO
OCPBUGS-12461 - Improve telemetry epic (ODC-7171) doesn't work without
 PrometheusRule (4.13)
OCPBUGS-12722 - Wrong cleanup of stale conditions from OCPBUGS-2783
OCPBUGS-12770 - Create BuildConfig button in the Devconsole opens the form in
 default namespace
OCPBUGS-13082 - Root device hints should accept by-path device alias
OCPBUGS-13083 - Assisted Root device hints should accept by-path device alias
OCPBUGS-13085 - hypershift_hostedclusters_failure_conditions metric incorrectly
 reports multiple clusters for a single cluster
OCPBUGS-13086 - Bootstrap on aws should have same metadata service type as on
 other nodes
OCPBUGS-13127 - EgressIP was NOT migrated to correct workers after deleting
 machine it was assigned in GCP XPN cluster.
OCPBUGS-13138 - 4.13.0-RC.6 Enter to Cluster status: error while trying to
 install cluster with agent base installer
OCPBUGS-13150 - EgressNetworkPolicy DNS resolution does not fall back to TCP
 for truncated responses
OCPBUGS-13155 - CNO doesn't handle nodeSelector in HyperShift
OCPBUGS-13162 - Rebase vSphere CSI driver to 3.0.1
OCPBUGS-13170 - Routes are not restored to new vNIC by hybrid-overlay on
 Windows nodes
OCPBUGS-13222 - NTO profiles not removed when node is removed in hypershift
 guest cluster
OCPBUGS-13312 - Failing test [bz-Machine Config Operator] Nodes should reach
 OSUpdateStaged in a timely fashion
OCPBUGS-13321 - collect-profiles pods causing regular CPU bursts
OCPBUGS-13410 - 'vendor' root device hint does not work correctly in
 ZTP/ABI
OCPBUGS-13427 - kuryr-controller crashes on KuryrPort cleanup when subport is
 already gone: Request requires an ID but none was found
OCPBUGS-13497 - kube-apiserver isn't healthy after a cluster comes up
OCPBUGS-13531 - AWS VPC endpoint service not cleaned up when access to customer
 credentials lost
OCPBUGS-13563 - [vmware csi driver] vsphere-syncher does not retry populate the
 CSINodeTopology with topology information when registration fails
OCPBUGS-13591 - [TELCO:CASE]  Limit the nested repository path while mirroring
 the images using oc-mirror for those who cant have nested paths in their container registry
OCPBUGS-13598 - OSD clusters' Ingress health checks & routes fail after
 swapping application router between public and private
OCPBUGS-13683 - Yum Config Manager Not Found
OCPBUGS-13692 - Failed to create STS resources on AWS GovCloud regions using
 ccoctl
OCPBUGS-13731 - unusual error log in cluster-policy-controller
OCPBUGS-13742 - [4.13] container_network* metrics fail to report
OCPBUGS-13783 - [Hypershift Guest] OperatorHub details page returns error
OCPBUGS-13828 - 4.13: aws-ebs-csi-driver-controller-sa ServiceAccount does not
 include the HCP pull-secret in its imagePullSecrets
OCPBUGS-13887 - Verify that upstream gRPC issue #4632 (leak of net.Conn) is
 fixed in 4.13
OCPBUGS-13888 - CPMS?create two replace machines when deleting a master machine
 on vSphere
OCPBUGS-13959 - [CI Watcher]:  logs in as 'test' user via htpasswd
 identity provider: Auth test logs in as 'test' user via htpasswd identity provider
OCPBUGS-1598 - Resourse added toast always have text "Deployment created
 successfully." irrespective of any resource type selected in the form
OCPBUGS-2290 - IPI for Power VS: Deploy fails when there is are certain
 preexisting resources
OCPBUGS-3160 - In some directories(under
 /run/containers/storage/overlay-containers/) on two of the Infra nodes permissions are rw for other user
OCPBUGS-3166 - assisted-installer: pod creation fails due to violations of
 security policies in 4.12
OCPBUGS-7147 - [Descheduler] ? The minKubeVersion should be 1.26.0 for
 descheduler operator

6. References:

https://access.redhat.com/security/cve/CVE-2018-17419
https://access.redhat.com/security/cve/CVE-2021-36157
https://access.redhat.com/security/cve/CVE-2022-25147
https://access.redhat.com/security/cve/CVE-2022-41722
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-12-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZHsD8dzjgjWX9erEAQiTfA//duDVDDmwhcaooaY8TSJ3Pof/t84/zILB
Mxt5PJaJ2nkRZmjADWML8LxBGQ9QpBQEiLPauevwTJJOQnLL2gWgs0mS+RKoIu+V
M0V6cs/LrsdrekgiaxDkbQGO8Vq9V6SKPoM6WKf6Z70P6gTdDG0uy5BzwNYkVldf
/skqH+cUxKOszgadiFHWaoWU1qh0zUCpCNtRMr0nQ64UuP9061bs3L3vfYwmC6vY
rLyejSHAw6rSOS/P9USTbrq1NVdNfFdHwqVDAZa/uS0GgstbAhwXPqe1XG4KGIDu
sILeX/XK04QWdhfWJh5Tvwv+B1ZNp9g1vu/gJgFQ+E+ToGCFMFXgfy10R+KhYU4t
yjZUGSZ1EuIKpdYAlgAsqxLrNaoLuW5rlGxjQpsKI/CoD3EaJOOqWUN3NsXe+n5c
hpzdCmA6nJ3ld9o/7ew+vD2i7xqRlKot5KVV3FGhDZ/kvcMq6JqckLqeGvdMBCxN
MNC3EKbbFzDLcBCsCxl5CK3T94mP4jtu3Gq9aWw4uqIHFqvDqnEIf3Qzv3OzUfRs
BPRwXSiYyUAx9qZmOJoEmudH2MF0wzCNUDkP2TxS1hJE5vBKxOWjdQmyGZgNcbaV
8g7zF3EpIItRDbCqtfnoHtbGYXy3n7QEkdMkTytTEngnq7ZMM0nrk7Qu4mYbj1l1
io3sLp+fdQU=
=dITn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung