Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.3164
OpenShift Container Platform 4.13.1 bug fix and security update
5 June 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 4.13.1
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2023-29007 CVE-2023-25815 CVE-2023-25652
CVE-2022-41723 CVE-2022-41722 CVE-2022-25147
CVE-2021-36157 CVE-2018-17419
Original Bulletin:
https://access.redhat.com/errata/RHSA-2023:3304
Comment: CVSS (Max): 7.8 CVE-2023-29007 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.13.1 bug fix and security update
Advisory ID: RHSA-2023:3304-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3304
Issue date: 2023-05-30
CVE Names: CVE-2018-17419 CVE-2021-36157 CVE-2022-25147
CVE-2022-41722 CVE-2022-41723 CVE-2023-25652
CVE-2023-25815 CVE-2023-29007
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.13.1 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 4.13.
Red Hat Product Security has rated this update as having a security impact
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.13.1. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHSA-2023:3303
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
Security Fix(es):
* dns: Denial of Service (DoS) (CVE-2018-17419)
* cortex: Grafana Cortex directory traversal (CVE-2021-36157)
* golang: path/filepath: path-filepath filepath.Clean path traversal
(CVE-2022-41722)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. All OpenShift Container Platform
4.13 users are advised to upgrade to these updated packages and images when
they are available in the appropriate release channel. To check for
available updates, use the OpenShift CLI (oc) or web console. Instructions
for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.13 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.
The sha values for the release are:
(For x86_64 architecture)
The image digest is
sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f
(For s390x architecture)
The image digest is
sha256:dbc768473b99538c15a35ea1be7ff656a6ac01e5001af4fac117c51f461c6054
(For ppc64le architecture)
The image digest is
sha256:dc4bab40680fb4ed84665abc34aefef5e0689eafef1c878776c3685ddaa759d5
(For aarch64 architecture)
The image digest is
sha256:5415fb0c33370014b9be83bc3120cc9d35a95922b2e93e218cac603e4179717a
All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2183169 - CVE-2021-36157 cortex: Grafana Cortex directory traversal
2188523 - CVE-2018-17419 dns: Denial of Service (DoS)
2203008 - CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean path traversal
5. JIRA issues fixed (https://issues.redhat.com/):
OCPBUGS-11294 - [4.13] Missing metric for CSI migration opt-in
OCPBUGS-11302 - Incorrect domain resolution by the coredns/Corefile in Vsphere IPI Clusters | openshift-vsphere-infra
OCPBUGS-11336 - NTO: PAO e2e: profile update tests are flaky (time out)
OCPBUGS-11353 - --external-cloud-volume-plugin for out-of tree providers
OCPBUGS-11387 - build regression on 4.13: ERROR: bash-5.0.11-r1.post-install: script exited with error 127
OCPBUGS-11432 - hostpath and node-driver-registrar containers are not pinned to mgmt cores - no WLP annotation
OCPBUGS-11775 - wait-for command doesn't handle installing-pending-user-action
OCPBUGS-12363 - structured logs are borked in BMO
OCPBUGS-12461 - Improve telemetry epic (ODC-7171) doesn't work without PrometheusRule (4.13)
OCPBUGS-12722 - Wrong cleanup of stale conditions from OCPBUGS-2783
OCPBUGS-12770 - Create BuildConfig button in the Devconsole opens the form in default namespace
OCPBUGS-13082 - Root device hints should accept by-path device alias
OCPBUGS-13083 - Assisted Root device hints should accept by-path device alias
OCPBUGS-13085 - hypershift_hostedclusters_failure_conditions metric incorrectly reports multiple clusters for a single cluster
OCPBUGS-13086 - Bootstrap on aws should have same metadata service type as on other nodes
OCPBUGS-13127 - EgressIP was NOT migrated to correct workers after deleting machine it was assigned in GCP XPN cluster.
OCPBUGS-13138 - 4.13.0-RC.6 Enter to Cluster status: error while trying to install cluster with agent base installer
OCPBUGS-13150 - EgressNetworkPolicy DNS resolution does not fall back to TCP for truncated responses
OCPBUGS-13155 - CNO doesn't handle nodeSelector in HyperShift
OCPBUGS-13162 - Rebase vSphere CSI driver to 3.0.1
OCPBUGS-13170 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes
OCPBUGS-13222 - NTO profiles not removed when node is removed in hypershift guest cluster
OCPBUGS-13312 - Failing test [bz-Machine Config Operator] Nodes should reach OSUpdateStaged in a timely fashion
OCPBUGS-13321 - collect-profiles pods causing regular CPU bursts
OCPBUGS-13410 - 'vendor' root device hint does not work correctly in ZTP/ABI
OCPBUGS-13427 - kuryr-controller crashes on KuryrPort cleanup when subport is already gone: Request requires an ID but none was found
OCPBUGS-13497 - kube-apiserver isn't healthy after a cluster comes up
OCPBUGS-13531 - AWS VPC endpoint service not cleaned up when access to customer credentials lost
OCPBUGS-13563 - [vmware csi driver] vsphere-syncher does not retry populate the CSINodeTopology with topology information when registration fails
OCPBUGS-13591 - [TELCO:CASE] Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry
OCPBUGS-13598 - OSD clusters' Ingress health checks & routes fail after swapping application router between public and private
OCPBUGS-13683 - Yum Config Manager Not Found
OCPBUGS-13692 - Failed to create STS resources on AWS GovCloud regions using ccoctl
OCPBUGS-13731 - unusual error log in cluster-policy-controller
OCPBUGS-13742 - [4.13] container_network* metrics fail to report
OCPBUGS-13783 - [Hypershift Guest] OperatorHub details page returns error
OCPBUGS-13828 - 4.13: aws-ebs-csi-driver-controller-sa ServiceAccount does not include the HCP pull-secret in its imagePullSecrets
OCPBUGS-13887 - Verify that upstream gRPC issue #4632 (leak of net.Conn) is fixed in 4.13
OCPBUGS-13888 - CPMS?create two replace machines when deleting a master machine on vSphere
OCPBUGS-13959 - [CI Watcher]: logs in as 'test' user via htpasswd identity provider: Auth test logs in as 'test' user via htpasswd identity provider
OCPBUGS-1598 - Resourse added toast always have text "Deployment created successfully." irrespective of any resource type selected in the form
OCPBUGS-2290 - IPI for Power VS: Deploy fails when there is are certain preexisting resources
OCPBUGS-3160 - In some directories(under /run/containers/storage/overlay-containers/) on two of the Infra nodes permissions are rw for other user
OCPBUGS-3166 - assisted-installer: pod creation fails due to violations of security policies in 4.12
OCPBUGS-7147 - [Descheduler] ? The minKubeVersion should be 1.26.0 for descheduler operator
6. References:
https://access.redhat.com/security/cve/CVE-2018-17419
https://access.redhat.com/security/cve/CVE-2021-36157
https://access.redhat.com/security/cve/CVE-2022-25147
https://access.redhat.com/security/cve/CVE-2022-41722
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-12-release-notes.html
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZHsD8dzjgjWX9erEAQiTfA//duDVDDmwhcaooaY8TSJ3Pof/t84/zILB
Mxt5PJaJ2nkRZmjADWML8LxBGQ9QpBQEiLPauevwTJJOQnLL2gWgs0mS+RKoIu+V
M0V6cs/LrsdrekgiaxDkbQGO8Vq9V6SKPoM6WKf6Z70P6gTdDG0uy5BzwNYkVldf
/skqH+cUxKOszgadiFHWaoWU1qh0zUCpCNtRMr0nQ64UuP9061bs3L3vfYwmC6vY
rLyejSHAw6rSOS/P9USTbrq1NVdNfFdHwqVDAZa/uS0GgstbAhwXPqe1XG4KGIDu
sILeX/XK04QWdhfWJh5Tvwv+B1ZNp9g1vu/gJgFQ+E+ToGCFMFXgfy10R+KhYU4t
yjZUGSZ1EuIKpdYAlgAsqxLrNaoLuW5rlGxjQpsKI/CoD3EaJOOqWUN3NsXe+n5c
hpzdCmA6nJ3ld9o/7ew+vD2i7xqRlKot5KVV3FGhDZ/kvcMq6JqckLqeGvdMBCxN
MNC3EKbbFzDLcBCsCxl5CK3T94mP4jtu3Gq9aWw4uqIHFqvDqnEIf3Qzv3OzUfRs
BPRwXSiYyUAx9qZmOJoEmudH2MF0wzCNUDkP2TxS1hJE5vBKxOWjdQmyGZgNcbaV
8g7zF3EpIItRDbCqtfnoHtbGYXy3n7QEkdMkTytTEngnq7ZMM0nrk7Qu4mYbj1l1
io3sLp+fdQU=
=dITn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZH1EF8kNZI30y1K9AQgsXw/9H3S8XdvzaHmBi84kHTjZqWbaLlzwGJ6N
3uv3ML+2LlM8u8r95HRIs8S6mVvuS7+SUhRrXZeeKlo7VBlI6DYHbV0rKfwanO7n
MOwBPhvEDVBHw03BQks4qzJlg7rU3Mr8qUYkOYn0SMxV7y3hROrgXNqyezvOG4Ay
d2tkU++R4+bVb965xIs/nDGeyKlA2chxJd90wfU/sN8pvns3i6mPXcpnKK318aNT
0+uVXl1g3xkh7Q+F+gKStHZ7UyxsWEsvbMI9nj63+fgdjFqRwAqA9miXU2MT3La1
4p4sawe0tT8we9pfC3eWveH9atE2LFM6FX0ywJzkqCXnHMFbTIhPH9mIKHv1InaS
priWsmKEd6DrZERODVfxR6ycRxg7gCVRSRY0l0NtGcUzOrXj2hCRypvw2DbucYHq
nj8vDsN0Hxtyhn8t0omwGMrgmu+vFIJ1M55ZAdayH9W9HR8ExgnLMlg+Vfm7z7KK
hH4+UhWyzavUvW+fEVMWsngcapFwCLXSesXFRUoYN0D1D8GVn1II09SfZ5FKUVqb
pZZfYssRjt1aTNXtVYnGekzFOg7ZPLVeyOKPwuMRLYKHn9bqvlCAfVQbnm0lJYie
9vpGASyBV6hLRKDuPBgElqUbavud8vokae/cHuXkG0eWVN+YJvK8NT+z2A/60h7V
11nFDfePLug=
=JJ4V
-----END PGP SIGNATURE-----