-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0437
      OpenShift Container Platform 4.6.16 security and bug fix update
                              9 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.6.16
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20198 CVE-2021-3344 CVE-2020-14382
                   CVE-2016-2183 CVE-2015-8011 

Reference:         ASB-2017.0169
                   ASB-2016.0120
                   ESB-2020.4513
                   ESB-2020.3421

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0308

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.6.16 security and bug fix update
Advisory ID:       RHSA-2021:0308-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0308
Issue date:        2021-02-08
CVE Names:         CVE-2015-8011 CVE-2016-2183 CVE-2020-14382 
                   CVE-2021-3344 CVE-2021-20198 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.16 is now available with
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.16. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2021:0309

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-x86_64

The image digest is
sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-s390x

The image digest is
sha256:2335685cda334ecf9e12c056b148c483fb81412fbfc96c885dc669d775e1f1ee

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.16-ppc64le

The image digest is
sha256:953ccacf79467b3e8ebfb8def92013f1574d75e24b3ea9a455aa8931f7f17b88

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.
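Added example, not part of the Red Hat advisory or the AusCERT bulletin: a POSIX shell script that compares the digest reported by `oc adm release info` for a release tag with the digest published above for that architecture, and prints the digest-pinned pull spec on a match. It assumes the command's human-readable output carries a `Digest:` line; the sample output embedded in the script is constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory or the AusCERT bulletin.
# Release tags such as 4.6.16-x86_64 are mutable, the content digest is not:
# confirm that the tag resolves to the digest published in the advisory,
# then upgrade with the digest-pinned pull spec rather than the tag.

REPO="quay.io/openshift-release-dev/ocp-release"
RELEASE="4.6.16"

# Digests exactly as published in RHSA-2021:0308 for each architecture.
advisory_digest() {
    case "$1" in
        x86_64)  echo "sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741" ;;
        s390x)   echo "sha256:2335685cda334ecf9e12c056b148c483fb81412fbfc96c885dc669d775e1f1ee" ;;
        ppc64le) echo "sha256:953ccacf79467b3e8ebfb8def92013f1574d75e24b3ea9a455aa8931f7f17b88" ;;
        *)       echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# Pull the "Digest:" field out of `oc adm release info` text read from stdin.
# Assumption: the human-readable output carries a line of the form
# "Digest:    sha256:<hex>".
extract_digest() {
    awk '$1 == "Digest:" { print $2; exit }'
}

# Read release info from stdin and compare its digest with the advisory
# digest for architecture $1. On match, print the digest-pinned pull spec
# and return 0; on mismatch or a missing Digest field, return 1.
check_release_digest() {
    expected="$(advisory_digest "$1")" || return 1
    reported="$(extract_digest)"
    if [ -n "$reported" ] && [ "$reported" = "$expected" ]; then
        echo "$REPO@$expected"
        return 0
    fi
    echo "digest mismatch for $1: reported '${reported:-<none>}', advisory '$expected'" >&2
    return 1
}

# Live check against the registry (needs the oc CLI and network access):
#   verify_release x86_64
verify_release() {
    oc adm release info "$REPO:$RELEASE-$1" | check_release_digest "$1"
}

# Constructed sample of `oc adm release info` output for offline use; it
# mirrors the x86_64 digest published above so the demo passes.
SAMPLE_RELEASE_INFO='Name:      4.6.16
Digest:    sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741
Pull From: quay.io/openshift-release-dev/ocp-release@sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741'

printf '%s\n' "$SAMPLE_RELEASE_INFO" | check_release_digest x86_64
```

On a cluster, `verify_release x86_64` performs the live check; the pull spec it prints is the form to hand to `oc adm upgrade --to-image` so the upgrade is bound to the published digest rather than to a tag that the registry could later repoint.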

Security Fix(es):

* SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
(CVE-2016-2183)

* openshift/builder: privilege escalation during container image builds via
mounted secrets (CVE-2021-3344)

* openshift/installer: Bootstrap nodes allow anonymous authentication on
kubelet port 10250 (CVE-2021-20198)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1873004 - [downstream] Should indicate the version info instead of the commit info
1887759 - [release 4.6] Gather MachineConfigPools
1889676 - [release 4.6] Gather top installplans and their count
1889865 - operator-registry image needs clean up in /tmp
1890274 - [4.6] External IP doesn't work if the IP address is not assigned to a node
1890452 - Adding BYOK disk encryption through DES
1891697 - Handle missing labels as empty.
1891892 - The windows oc.exe binary does not have version metadata
1893409 - [release-4.6] MCDPivotError alert/metric missing
1893738 - Examining agones helm chart resources results in "Oh no!"
1894916 - [4.6] Panic output due to timeouts in openshift-apiserver
1896919 - start creating new-style Secrets for AWS
1898672 - Pod gets stuck in ContainerCreating state with exhausted Whereabouts IPAM range with a daemonset
1899107 - [4.6] ironic-api used by metal3 is over provisioned and consumes a lot of RAM
1899535 - ds/machine-config-daemon takes 100+ minutes to rollout on  250 node cluster
1901602 - Extra reboot during 4.5 -> 4.6 upgrade
1901605 - CNO blocks editing Kuryr options
1903649 - Automated cleaning is disabled by default
1903887 - dns daemonset rolls out slowly in large clusters
1904091 - Missing registry v1 protocol usage metric on telemetry
1904577 - [4.6] Local storage operator doesn't include correctly populate LocalVolumeDiscoveryResult in console
1905031 - (release-4.6) Collect spec config for clusteroperator resources
1905195 - [release-4.6] Detecting broken connections to the Kube API takes up to 15 minutes
1905573 - [4.6] Changing the bound token service account issuer invalids previously issued bound tokens
1905788 - Role name missing on create role binding form
1906332 - update discovery burst to reflect lots of CRDs on openshift clusters
1906741 - KeyError: 'nodeName' on NP deletion
1906796 - [SA] verify-image-signature using service account does not work
1907827 - Kn resources are not showing in Topology if triggers has KSVC and IMC as subscriber
1907830 - "Evaluating rule failed" for "record: cluster:kube_persistentvolumeclaim_resource_requests_storage_bytes:provisioner:sum" and "record: cluster:kubelet_volume_stats_used_bytes:provisioner:sum"
1909673 - scale up / down buttons available on pod details side panel
1912388 - [OVN]: `make check` broken on 4.6
1912430 - thanosRuler.resources.requests does not take effect in user-workload-monitoring-config confimap
1913109 - oc debug of an init container no longer works
1913645 - Improved Red Hat image and crashlooping OpenShift pod collection
1915560 - OCP 4.4.9: EtcdMemberIPMigratorDegraded: rpc error: code = Canceled desc = grpc: the client connection is closing
1916096 - [oVirt] csi operator panics if ovirt-engine suddenly becomes unavailable.
1916100 - [oVirt] Consume 23-10 ovirt sdk - csi operator
1916347 - Updating scheduling component builder & base images to be consistent with ART
1916857 - configs.imageregistry.operator.openshift.io cluster does not update its status fields after URL change
1916907 - dns-node-resolver corrupts /etc/hosts if internal registry is not in use
1917240 - [4.6] Network Policies are not working as expected with OVN-Kubernetes when traffic hairpins back to the same source through a service
1917498 - Regression OLM uses scoped client for CRD installation
1917547 - oc adm catalog mirror does not mirror the index image itself
1917548 - [4.6] Cannot filter the platform/arch of the index image
1917549 - Failed to mirror operator catalog - error: destination registry required
1917550 - oc adm catalog mirror command attempts to pull from registry.redhat.io when using --from-dir option
1917609 - [4.6z] Deleting an exgw causes pods to no longer route to other exgws
1918194 - with sharded ingresscontrollers, all shards reload when any endpoint changes
1918202 - Grafana - The resulting dataset is too large to graph (OCS RBD volumes being counted as disks)
1918525 - OLM enters infinite loop if Pending CSV replaces itself
1918779 - [Negative Test] After deleting metal3 pod, scaling worker stuck on provisioning state
1918792 - [BUG] Thanos having possible memory leak consuming huge amounts of node's memory and killing them
1918961 - [IPI on vsphere] Executing 'openshift-installer destroy cluster' leaves installer tag categories in vsphere
1920764 - CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250
1920873 - Failure to upgrade operator when a Service is included in a Bundle
1920995 - kuryr-cni pods using unreasonable amount of CPU
1921450 - CVE-2021-3344 openshift/builder: privilege escalation during container image builds via mounted secrets
1921473 - test-cmd is failing on volumes.sh pretty consistently
1921599 - OCP 4.5 to 4.6 upgrade for "aws-ebs-csi-driver-operator" fails when "defaultNodeSelector" is set

5. References:

https://access.redhat.com/security/cve/CVE-2015-8011
https://access.redhat.com/security/cve/CVE-2016-2183
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2021-3344
https://access.redhat.com/security/cve/CVE-2021-20198
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2548661

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYCISFONLKJtyKPYoAQh77A/+K9F1vr5Q4q5SOk6/P9EcelY75+TYwhoe
JNbg4Nphkxg8PEetACJn1/4UqJxu9xbGCOpGLIDw+WNZQRvrVC1USotU/UQX40J1
ZOjqOiwgjSiD3zXRgjte2fXbFaXKw0qJTFx2QJ2tcDj9dSv851tXLSmEZwmVamZu
sTHGqHhTjsFzr19s+INX0eAwQF7oZ1pi+Kvli10Y9Y4pGZUhNavUo2N3wKdBW86U
uxcHxaegGCxCcH8hO7plE05gi3RpsEc7zOOdF6Aq5MpSZrqJpQzVdW6f0IkdKAgJ
tCkJGXBhnOIDJmUJ3B0YL0Liz2KruqdLO5j/79MRyreOaxIuEvPUnmiSdg9DNjxX
hfArJP/ZIzI8Rv2Z8labLz7wsp3LeIHx6lTduktkK7UhmfEv9zpwdwyROidqoi4O
xEKZR4t4+bzlomm56TkMkIh+8nk1xY02HXL5yA5PzDLOnOrVa1yuNuJtft1q2yTX
xkLQT8tnw+FBiHRurDDvmqvBsGKf742VIDm0DzC3qr/tzKhFYV+nExCTvpuBC/G8
dRCSlclMdauEXORYCAwSKucC3xd50rJSaxWP44xtPqPy3ke+l0/V3SWpI3kflS/S
QPioBUTZ+c/0uCknzbOAxXecv/X3jfYHsUnm1qUaB7NUVi6o2CLHEWsjr4cVMG6N
SXRbQ3D44eA=
=r8Rh
-----END PGP SIGNATURE-----