===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1402
        OpenShift Container Platform 4.7.8 security and bug fix update
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.7.8
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20305 CVE-2021-3121
Reference:         ESB-2021.1320 ESB-2021.1279 ESB-2021.1226 ESB-2021.1198

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:1225
   https://access.redhat.com/errata/RHSA-2021:1227

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.8 security and bug fix update
Advisory ID:       RHSA-2021:1225-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1225
Issue date:        2021-04-26
CVE Names:         CVE-2021-3121 CVE-2021-20305
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.8 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the container images for Red Hat OpenShift
Container Platform 4.7.8. See the following advisory for the RPM packages
for this release:

https://access.redhat.com/errata/RHSA-2021:1226

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-x86_64

The image digest is
sha256:7456516a64edf63268522565cf00dc581f1d7ad22355ffab8157a9e106cf607f

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-s390x

The image digest is
sha256:857c2b62a3029511626c2c52264fc2f087319a65089300e59338062e3a237421

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-ppc64le

The image digest is
sha256:6eb9625c0b7ff10a58e72d19e95c6ae027213debfc26bfdfa51700590eca5e55

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel.
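The digest check described above, as an added example that is not part of the bulletin or of Red Hat's tooling: it parses the advisory's architecture/digest lines and compares them with the `Digest:` header that `oc adm release info` prints for the image that was actually pulled, so an image that does not match what the advisory published is caught before the upgrade. The advisory excerpt reuses the bulletin's own pull specs and digests; the oc output is constructed here in the shape the command prints.

```python
import re

# Constructed excerpt of the advisory's "inspect release image metadata" section;
# the pull specs and digests are the ones the bulletin lists for 4.7.8.
ADVISORY_EXCERPT = """\
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-x86_64
The image digest is sha256:7456516a64edf63268522565cf00dc581f1d7ad22355ffab8157a9e106cf607f
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-s390x
The image digest is sha256:857c2b62a3029511626c2c52264fc2f087319a65089300e59338062e3a237421
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.8-ppc64le
The image digest is sha256:6eb9625c0b7ff10a58e72d19e95c6ae027213debfc26bfdfa51700590eca5e55
"""

ADVISORY_RE = re.compile(
    r"\(For (?P<arch>\w+) architecture\)\s*\n"
    r"\$ oc adm release info (?P<pullspec>\S+)\s*\n"
    r"The image digest is (?P<digest>sha256:[0-9a-f]{64})"
)

def parse_advisory_digests(text):
    """Map architecture -> (pull spec, expected digest) from the advisory wording."""
    return {m["arch"]: (m["pullspec"], m["digest"]) for m in ADVISORY_RE.finditer(text)}

# `oc adm release info` prints a header block containing a "Digest: sha256:..." line.
DIGEST_LINE_RE = re.compile(r"^Digest:\s+(sha256:[0-9a-f]{64})\s*$", re.MULTILINE)

def verify_release_info(arch, oc_output, expected):
    """Check the Digest: line of `oc adm release info` output against the advisory.
    Returns (ok, reason); a mismatch means the pulled image is not the published one."""
    if arch not in expected:
        return False, f"advisory lists no digest for architecture {arch}"
    match = DIGEST_LINE_RE.search(oc_output)
    if match is None:
        return False, "no Digest: line found in oc output"
    want = expected[arch][1]
    if match.group(1) != want:
        return False, f"digest mismatch: oc reports {match.group(1)}, advisory lists {want}"
    return True, "digest matches advisory"

# Constructed oc output (header lines only) for a genuine and a tampered x86_64 image.
OC_OUTPUT_GOOD = """\
Name:      4.7.8
Digest:    sha256:7456516a64edf63268522565cf00dc581f1d7ad22355ffab8157a9e106cf607f
OS/Arch:   linux/amd64
"""
OC_OUTPUT_BAD = OC_OUTPUT_GOOD.replace("7456516a", "deadbeef")
```

In practice the oc output is captured from the real command for the architecture being upgraded and passed to `verify_release_info` with the table parsed from the advisory text.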
To check for available updates, use the OpenShift Console or the CLI oc
command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1927321 - openshift-apiserver Available is False with 3 pods not ready for a while during upgrade
1932113 - [Kuryr] Enforce nodes MTU for the Namespaces and Pods
1936544 - [IPI Baremetal] Proxy Information Not passed to metal3
1936719 - network-metrics-deamon not associated with a priorityClassName
1941212 - multus DaemonSets should use maxUnavailable: 33%
1941993 - Inconsistent ovs-flow rule on one of the app node for egress node
1942843 - Description for storage class encryption during storagecluster creation needs to be updated
1943316 - [OVN SCALE] Combine Logical Flows inside Southbound DB.
1947122 - [CI] [UPI] use a standardized and reliable way to install google cloud SDK in UPI image
1947909 - Copied CSVs show up as adopted components
1948267 - [kube-descheduler]descheduler operator pod should not run as “BestEffort” qosClass
1948938 - [e2e][automation][prow] Prow script point to deleted resource
1949024 - Openshift 4 has a zombie problem
1949239 - [4.7z] Bump OVN: Lots of conjunction warnings in ovn-controller container logs

5. References:

https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.8 security and extras update
Advisory ID:       RHSA-2021:1227-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1227
Issue date:        2021-04-26
CVE Names:         CVE-2021-3121
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.8 is now available with
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.8. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:1225

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel.

To check for available updates, use the OpenShift Console or the CLI oc
command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1950891 - Placeholder bug for OCP 4.7.0 extras release

5. References:

https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================