-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1866
      OpenShift Container Platform 4.7.13 bug fix and security update
                                1 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.7.13
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Existing Account      
                   Reduced Security                -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-30465 CVE-2021-25215 CVE-2021-23336
                   CVE-2021-21645 CVE-2021-21644 CVE-2021-21643
                   CVE-2021-21642 CVE-2021-3326 CVE-2021-3177
                   CVE-2021-3121 CVE-2021-0342 CVE-2020-36322
                   CVE-2020-36242 CVE-2020-35508 CVE-2020-29363
                   CVE-2020-29362 CVE-2020-29361 CVE-2020-28974
                   CVE-2020-28935 CVE-2020-28196 CVE-2020-27835
                   CVE-2020-27786 CVE-2020-27783 CVE-2020-27619
                   CVE-2020-27618 CVE-2020-26137 CVE-2020-26116
                   CVE-2020-25712 CVE-2020-25704 CVE-2020-25659
                   CVE-2020-25643 CVE-2020-25285 CVE-2020-25284
                   CVE-2020-25212 CVE-2020-24977 CVE-2020-24394
                   CVE-2020-24332 CVE-2020-24331 CVE-2020-24330
                   CVE-2020-16845 CVE-2020-15586 CVE-2020-15437
                   CVE-2020-15358 CVE-2020-14363 CVE-2020-14362
                   CVE-2020-14361 CVE-2020-14360 CVE-2020-14356
                   CVE-2020-14347 CVE-2020-14346 CVE-2020-14345
                   CVE-2020-14344 CVE-2020-14314 CVE-2020-13776
                   CVE-2020-13584 CVE-2020-13543 CVE-2020-13434
                   CVE-2020-12464 CVE-2020-12362 CVE-2020-12114
                   CVE-2020-11608 CVE-2020-10878 CVE-2020-10543
                   CVE-2020-9983 CVE-2020-9951 CVE-2020-9948
                   CVE-2020-8927 CVE-2020-8286 CVE-2020-8285
                   CVE-2020-8284 CVE-2020-8231 CVE-2020-0431
                   CVE-2019-25042 CVE-2019-25041 CVE-2019-25040
                   CVE-2019-25039 CVE-2019-25038 CVE-2019-25037
                   CVE-2019-25036 CVE-2019-25035 CVE-2019-25034
                   CVE-2019-25032 CVE-2019-25013 CVE-2019-19528
                   CVE-2019-19523 CVE-2019-18811 CVE-2019-14866
                   CVE-2019-13012 CVE-2019-9169 CVE-2019-3842
                   CVE-2019-2708 CVE-2016-10228 

Reference:         ASB-2020.0179
                   ESB-2021.1863
                   ESB-2021.1862
                   ESB-2021.1857
                   ESB-2021.1842
                   ESB-2021.1841
                   ESB-2021.1827
                   ESB-2021.1823
                   ESB-2021.1820
                   ESB-2021.1799

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:2121

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.13 bug fix and security update
Advisory ID:       RHSA-2021:2121-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2121
Issue date:        2021-06-01
CVE Names:         CVE-2016-10228 CVE-2019-2708 CVE-2019-3842 
                   CVE-2019-9169 CVE-2019-13012 CVE-2019-14866 
                   CVE-2019-18811 CVE-2019-19523 CVE-2019-19528 
                   CVE-2019-25013 CVE-2019-25032 CVE-2019-25034 
                   CVE-2019-25035 CVE-2019-25036 CVE-2019-25037 
                   CVE-2019-25038 CVE-2019-25039 CVE-2019-25040 
                   CVE-2019-25041 CVE-2019-25042 CVE-2020-0431 
                   CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 
                   CVE-2020-8286 CVE-2020-8927 CVE-2020-9948 
                   CVE-2020-9951 CVE-2020-9983 CVE-2020-10543 
                   CVE-2020-10878 CVE-2020-11608 CVE-2020-12114 
                   CVE-2020-12362 CVE-2020-12464 CVE-2020-13434 
                   CVE-2020-13543 CVE-2020-13584 CVE-2020-13776 
                   CVE-2020-14314 CVE-2020-14344 CVE-2020-14345 
                   CVE-2020-14346 CVE-2020-14347 CVE-2020-14356 
                   CVE-2020-14360 CVE-2020-14361 CVE-2020-14362 
                   CVE-2020-14363 CVE-2020-15358 CVE-2020-15437 
                   CVE-2020-15586 CVE-2020-16845 CVE-2020-24330 
                   CVE-2020-24331 CVE-2020-24332 CVE-2020-24394 
                   CVE-2020-24977 CVE-2020-25212 CVE-2020-25284 
                   CVE-2020-25285 CVE-2020-25643 CVE-2020-25659 
                   CVE-2020-25704 CVE-2020-25712 CVE-2020-26116 
                   CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 
                   CVE-2020-27783 CVE-2020-27786 CVE-2020-27835 
                   CVE-2020-28196 CVE-2020-28935 CVE-2020-28974 
                   CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 
                   CVE-2020-35508 CVE-2020-36242 CVE-2020-36322 
                   CVE-2021-0342 CVE-2021-3121 CVE-2021-3177 
                   CVE-2021-3326 CVE-2021-21642 CVE-2021-21643 
                   CVE-2021-21644 CVE-2021-21645 CVE-2021-23336 
                   CVE-2021-25215 CVE-2021-30465 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.13 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.13. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:2122

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

This update fixes the following bug among others:

* Previously, resources for the ClusterOperator were being created early in
the update process, which led to update failures when the ClusterOperator
had no status condition while Operators were updating. This bug fix changes
the timing of when these resources are created. As a result, updates can
take place without errors. (BZ#1959238)

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64

The image digest is
sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x

The image digest is
sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le

The image digest is
sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36
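The digest check the advisory describes above, written out as a small POSIX sh script. This is an added example, not code from the Red Hat advisory or the AusCERT bulletin. It assumes sh with awk, takes the three per-architecture digests from the advisory text above, and assumes the `Digest:` field name that `oc adm release info` prints; the release-info text it parses is a constructed sample, not captured output, and its non-digest fields are made up.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory or AusCERT bulletin):
# confirm that the digest reported by `oc adm release info` for a 4.7.13
# release image matches the digest published in RHSA-2021:2121, and build
# the digest-pinned pull spec to use in place of the mutable tag.

# Digests as published in the advisory, keyed by architecture.
expected_digest() {
    case "$1" in
        x86_64)  echo "sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4" ;;
        s390x)   echo "sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd" ;;
        ppc64le) echo "sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36" ;;
        *)       return 1 ;;   # architecture not covered by this advisory
    esac
}

# Pull the value of the "Digest:" field out of release-info text on stdin.
# (Assumes the field name oc uses; only the first match is taken.)
parse_digest() {
    awk '$1 == "Digest:" { print $2; exit }'
}

# verify_release ARCH RELEASE_INFO_TEXT
# Exit status: 0 = digest matches the advisory, 1 = mismatch (or no Digest
# line at all), 2 = architecture unknown to this advisory.
verify_release() {
    arch="$1"
    info="$2"
    want=$(expected_digest "$arch") || return 2
    got=$(printf '%s\n' "$info" | parse_digest)
    [ "$got" = "$want" ]
}

# Digest-pinned pull spec for the release image. The @sha256 form is
# immutable; the :4.7.13-<arch> tag can be re-pointed at any time.
pinned_pullspec() {
    want=$(expected_digest "$1") || return 2
    echo "quay.io/openshift-release-dev/ocp-release@$want"
}

# Constructed sample of `oc adm release info` output for x86_64 (not real
# captured output; the real command prints more fields).
SAMPLE_INFO_X86='Name:      4.7.13
Digest:    sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4
OS/Arch:   linux/amd64
Pull From: quay.io/openshift-release-dev/ocp-release@sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4'

# Constructed sample where the tag still reads 4.7.13 but the content
# behind it differs: exactly the case a tag-only check would miss.
SAMPLE_INFO_BAD='Name:      4.7.13
Digest:    sha256:0000000000000000000000000000000000000000000000000000000000000000
OS/Arch:   linux/amd64'

# Live use (needs a working oc and registry access; not run here):
#   info=$(oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64)
#   verify_release x86_64 "$info" && echo "release image matches advisory"
#   pinned_pullspec x86_64
```

The point of the check is that `:4.7.13-x86_64` is a tag, and tags are mutable; the `sha256:` digest printed in the advisory is the only identifier that names the exact image Red Hat built. Compare against the digest and then reference the image by `@sha256:` wherever it is pulled or mirrored.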

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled"  "cancelled"
1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list
1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits
1959238 - CVO creating cloud-controller-manager too early causing upgrade failures
1960103 - SR-IOV obliviously reboot the node
1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated
1962302 - packageserver clusteroperator does not set reason or message for Available condition
1962312 - Deployment considered unhealthy despite being available and at latest generation
1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone
1963115 - Test verify /run filesystem contents failing

5. References:

https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-3842
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-13012
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-18811
https://access.redhat.com/security/cve/CVE-2019-19523
https://access.redhat.com/security/cve/CVE-2019-19528
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2019-25032
https://access.redhat.com/security/cve/CVE-2019-25034
https://access.redhat.com/security/cve/CVE-2019-25035
https://access.redhat.com/security/cve/CVE-2019-25036
https://access.redhat.com/security/cve/CVE-2019-25037
https://access.redhat.com/security/cve/CVE-2019-25038
https://access.redhat.com/security/cve/CVE-2019-25039
https://access.redhat.com/security/cve/CVE-2019-25040
https://access.redhat.com/security/cve/CVE-2019-25041
https://access.redhat.com/security/cve/CVE-2019-25042
https://access.redhat.com/security/cve/CVE-2020-0431
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-9948
https://access.redhat.com/security/cve/CVE-2020-9951
https://access.redhat.com/security/cve/CVE-2020-9983
https://access.redhat.com/security/cve/CVE-2020-10543
https://access.redhat.com/security/cve/CVE-2020-10878
https://access.redhat.com/security/cve/CVE-2020-11608
https://access.redhat.com/security/cve/CVE-2020-12114
https://access.redhat.com/security/cve/CVE-2020-12362
https://access.redhat.com/security/cve/CVE-2020-12464
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13543
https://access.redhat.com/security/cve/CVE-2020-13584
https://access.redhat.com/security/cve/CVE-2020-13776
https://access.redhat.com/security/cve/CVE-2020-14314
https://access.redhat.com/security/cve/CVE-2020-14344
https://access.redhat.com/security/cve/CVE-2020-14345
https://access.redhat.com/security/cve/CVE-2020-14346
https://access.redhat.com/security/cve/CVE-2020-14347
https://access.redhat.com/security/cve/CVE-2020-14356
https://access.redhat.com/security/cve/CVE-2020-14360
https://access.redhat.com/security/cve/CVE-2020-14361
https://access.redhat.com/security/cve/CVE-2020-14362
https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-15437
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24330
https://access.redhat.com/security/cve/CVE-2020-24331
https://access.redhat.com/security/cve/CVE-2020-24332
https://access.redhat.com/security/cve/CVE-2020-24394
https://access.redhat.com/security/cve/CVE-2020-24977
https://access.redhat.com/security/cve/CVE-2020-25212
https://access.redhat.com/security/cve/CVE-2020-25284
https://access.redhat.com/security/cve/CVE-2020-25285
https://access.redhat.com/security/cve/CVE-2020-25643
https://access.redhat.com/security/cve/CVE-2020-25659
https://access.redhat.com/security/cve/CVE-2020-25704
https://access.redhat.com/security/cve/CVE-2020-25712
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-26137
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-27783
https://access.redhat.com/security/cve/CVE-2020-27786
https://access.redhat.com/security/cve/CVE-2020-27835
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-28935
https://access.redhat.com/security/cve/CVE-2020-28974
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2020-35508
https://access.redhat.com/security/cve/CVE-2020-36242
https://access.redhat.com/security/cve/CVE-2020-36322
https://access.redhat.com/security/cve/CVE-2021-0342
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-21642
https://access.redhat.com/security/cve/CVE-2021-21643
https://access.redhat.com/security/cve/CVE-2021-21644
https://access.redhat.com/security/cve/CVE-2021-21645
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/cve/CVE-2021-25215
https://access.redhat.com/security/cve/CVE-2021-30465
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLXBgdzjgjWX9erEAQiYKw/+MeUvVzbi9kHuo6vE8J9xEQCvgpJtLfRM
yj4VFCt8lkWmfGmuAMd5LkvD5suav1Gu9yA6E60VvKrorV6+PDOZ8jiUyzRR+di6
TZZ7Ji6taqaQUuf451KF39zuxYAh29pKT6mZMhmqK65jEg7uj66R8+P2p7tahaai
Kkqe6LKxNCXyVzWmc5HHkc3AJJ6vSVIuMeA6KOHpXy0vy57jZKeyb3dau0BVl/ir
ZbnbOHdTJ+7hEVV3yGwARcVgUhHDcHiSYAS+RUj7Hqx0RIFilb9RbOdoEdbauaWx
CGIdSYmj1F4apCZuYWmhZxtQ5/Lsj7EPi+7UleyTzqgMQsqSr8kvxGe/yzfY+yAQ
++QCSnleeKu/+HjN72d73h8yWGGzMrc/rYwDJWcFwjIL6/pj4Tgm4OK30vJlQUz5
3gHuEDz+j42s270cv6dRDd9v5xpexxIOXyHzruFRLk4xVCnS17PGeJ4I9mJmkYxL
5GuCiMnixToobWtmrh9MX2Qjkhj81o4E+rLMvG/4yUk2kGejo/nLwgZNsSz8gN5Z
gMZOYSDys2zJu6/jmxY/8MXzS3yNIJj3FxXe7w5XA0mHUuuZ/EaJsMLnlCCSRARV
GpMwj1/Aj1ZSNeYplr2YwQz7lB7hp+J/vn567zBPeYQus5EAyzqzudTbSLdm8ZyL
PEh85hYKLe4=
=Xe05
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----