Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2894 OpenShift Container Platform 3.11.z security and bug fix update 27 August 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenShift Container Platform Publisher: Red Hat Operating System: Red Hat Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-8564 Reference: ESB-2021.0407 ESB-2021.0282 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:3193 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 3.11.z security and bug fix update Advisory ID: RHSA-2021:3193-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:3193 Issue date: 2021-08-25 CVE Names: CVE-2020-8564 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 3.11.z is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 (CVE-2020-8564) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * [3.11] Wrong message error displayed when creating a route with path based (BZ#1884421) * [3.11] passthrough route created using path (BZ#1884422) * Hawkular cassandra pod readiness probe failed when run on the CRIO node. (BZ#1958718) * Pods are getting stuck in ContainerCreating/ContainerCreateError/Terminating status (BZ#1965900) * [3.11.z] Egress IP iptables rules not added due to iptables: Resource temporarily unavailable (BZ#1979216) * Slowness in services propagation after upgrading to v3.11.465 (BZ#1981736) * [3.11] NodePort is not working when configuring an egress IP address (BZ#1986413) 4. Solution: See the following documentation, which will be updated shortly for release 3.11.z, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r elease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1884421 - [3.11] Wrong message error displayed when creating a route with path based 1884422 - [3.11] passthrough route created using path 1886637 - CVE-2020-8564 kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 1958718 - Hawkular cassandra pod readiness probe failed when run on the CRIO node. 1965900 - Pods are getting stuck in ContainerCreating/ContainerCreateError/Terminating status 1979216 - [3.11.z] Egress IP iptables rules not added due to iptables: Resource temporarily unavailable 1981736 - Slowness in services propagation after upgrading to v3.11.465 1986413 - [3.11] NodePort is not working when configuring an egress IP address 6. Package List: Red Hat OpenShift Container Platform 3.11: Source: atomic-enterprise-service-catalog-3.11.501-1.git.2e6be86.el7.src.rpm atomic-openshift-3.11.501-1.git.0.f8c4746.el7.src.rpm atomic-openshift-cluster-autoscaler-3.11.501-1.git.99b2acf.el7.src.rpm atomic-openshift-descheduler-3.11.501-1.git.d435537.el7.src.rpm atomic-openshift-dockerregistry-3.11.501-1.git.3571208.el7.src.rpm atomic-openshift-metrics-server-3.11.501-1.git.f8bf728.el7.src.rpm atomic-openshift-node-problem-detector-3.11.501-1.git.c8f26da.el7.src.rpm atomic-openshift-service-idler-3.11.501-1.git.39cfc66.el7.src.rpm atomic-openshift-web-console-3.11.501-1.git.fc3b323.el7.src.rpm cri-o-1.11.16-0.16.rhaos3.11.git54f9e69.el7.src.rpm golang-github-openshift-oauth-proxy-3.11.501-1.git.edebe84.el7.src.rpm golang-github-prometheus-alertmanager-3.11.501-1.git.13de638.el7.src.rpm golang-github-prometheus-node_exporter-3.11.501-1.git.609cd20.el7.src.rpm golang-github-prometheus-prometheus-3.11.501-1.git.99aae51.el7.src.rpm openshift-ansible-3.11.501-1.git.0.5ea39b1.el7.src.rpm openshift-enterprise-autoheal-3.11.501-1.git.f2f435d.el7.src.rpm openshift-enterprise-cluster-capacity-3.11.501-1.git.22be164.el7.src.rpm openshift-kuryr-3.11.501-1.git.c33a657.el7.src.rpm noarch: atomic-openshift-docker-excluder-3.11.501-1.git.0.f8c4746.el7.noarch.rpm atomic-openshift-excluder-3.11.501-1.git.0.f8c4746.el7.noarch.rpm openshift-ansible-3.11.501-1.git.0.5ea39b1.el7.noarch.rpm openshift-ansible-docs-3.11.501-1.git.0.5ea39b1.el7.noarch.rpm openshift-ansible-playbooks-3.11.501-1.git.0.5ea39b1.el7.noarch.rpm openshift-ansible-roles-3.11.501-1.git.0.5ea39b1.el7.noarch.rpm openshift-ansible-test-3.11.501-1.git.0.5ea39b1.el7.noarch.rpm openshift-kuryr-cni-3.11.501-1.git.c33a657.el7.noarch.rpm openshift-kuryr-common-3.11.501-1.git.c33a657.el7.noarch.rpm openshift-kuryr-controller-3.11.501-1.git.c33a657.el7.noarch.rpm python2-kuryr-kubernetes-3.11.501-1.git.c33a657.el7.noarch.rpm ppc64le: atomic-enterprise-service-catalog-3.11.501-1.git.2e6be86.el7.ppc64le.rpm atomic-enterprise-service-catalog-svcat-3.11.501-1.git.2e6be86.el7.ppc64le.rpm atomic-openshift-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-clients-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-cluster-autoscaler-3.11.501-1.git.99b2acf.el7.ppc64le.rpm atomic-openshift-descheduler-3.11.501-1.git.d435537.el7.ppc64le.rpm atomic-openshift-hyperkube-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-hypershift-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-master-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-metrics-server-3.11.501-1.git.f8bf728.el7.ppc64le.rpm atomic-openshift-node-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-node-problem-detector-3.11.501-1.git.c8f26da.el7.ppc64le.rpm atomic-openshift-pod-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-sdn-ovs-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-service-idler-3.11.501-1.git.39cfc66.el7.ppc64le.rpm atomic-openshift-template-service-broker-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-tests-3.11.501-1.git.0.f8c4746.el7.ppc64le.rpm atomic-openshift-web-console-3.11.501-1.git.fc3b323.el7.ppc64le.rpm cri-o-1.11.16-0.16.rhaos3.11.git54f9e69.el7.ppc64le.rpm cri-o-debuginfo-1.11.16-0.16.rhaos3.11.git54f9e69.el7.ppc64le.rpm golang-github-openshift-oauth-proxy-3.11.501-1.git.edebe84.el7.ppc64le.rpm openshift-enterprise-autoheal-3.11.501-1.git.f2f435d.el7.ppc64le.rpm openshift-enterprise-cluster-capacity-3.11.501-1.git.22be164.el7.ppc64le.rpm prometheus-3.11.501-1.git.99aae51.el7.ppc64le.rpm prometheus-alertmanager-3.11.501-1.git.13de638.el7.ppc64le.rpm prometheus-node-exporter-3.11.501-1.git.609cd20.el7.ppc64le.rpm x86_64: atomic-enterprise-service-catalog-3.11.501-1.git.2e6be86.el7.x86_64.rpm atomic-enterprise-service-catalog-svcat-3.11.501-1.git.2e6be86.el7.x86_64.rpm atomic-openshift-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-clients-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-clients-redistributable-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-cluster-autoscaler-3.11.501-1.git.99b2acf.el7.x86_64.rpm atomic-openshift-descheduler-3.11.501-1.git.d435537.el7.x86_64.rpm atomic-openshift-dockerregistry-3.11.501-1.git.3571208.el7.x86_64.rpm atomic-openshift-hyperkube-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-hypershift-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-master-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-metrics-server-3.11.501-1.git.f8bf728.el7.x86_64.rpm atomic-openshift-node-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-node-problem-detector-3.11.501-1.git.c8f26da.el7.x86_64.rpm atomic-openshift-pod-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-sdn-ovs-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-service-idler-3.11.501-1.git.39cfc66.el7.x86_64.rpm atomic-openshift-template-service-broker-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-tests-3.11.501-1.git.0.f8c4746.el7.x86_64.rpm atomic-openshift-web-console-3.11.501-1.git.fc3b323.el7.x86_64.rpm cri-o-1.11.16-0.16.rhaos3.11.git54f9e69.el7.x86_64.rpm cri-o-debuginfo-1.11.16-0.16.rhaos3.11.git54f9e69.el7.x86_64.rpm golang-github-openshift-oauth-proxy-3.11.501-1.git.edebe84.el7.x86_64.rpm openshift-enterprise-autoheal-3.11.501-1.git.f2f435d.el7.x86_64.rpm openshift-enterprise-cluster-capacity-3.11.501-1.git.22be164.el7.x86_64.rpm prometheus-3.11.501-1.git.99aae51.el7.x86_64.rpm prometheus-alertmanager-3.11.501-1.git.13de638.el7.x86_64.rpm prometheus-node-exporter-3.11.501-1.git.609cd20.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8564 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYSe+Q9zjgjWX9erEAQij0g//W4MfZODenX/q5X0nd1UPrH9QLhASyxqE b1NHhHI7nZPZ8ISaq0Mi/mJwJJu7swloVFt0p3aylKPw+4iBsYAeVLf1kFE1OYAd /h/OnWEoGVc2l1MeVSy9765uRd2EDjGXXKLmvABu/8jj2fI8Vs6WULi9DA0WldQq hNvOWdKBf0dnzMdfqlDfEuqcbLHeDDynn6D+B+lzZBK13agYXJchtZkQgMgpa1XM jx3GeMHyRzsv+tyKh7upUbEBw3rCP2Ubg/40Hzlyh2Q6JO9aZkCOF4X6ZXuSA5vt hEdVcZ5zz1CqEVMk1hvhR43exYcag8EN8uyNqLMthYPrPPYBaa2vXTvk+vqi0ZCn IGcdD/DFIMFiQJpX+r2mOQghcctdc2LYs65o+M3ayKWtEc6iBxnpu7bBLM2fcr3A 3nVHLkmlPVmLm1pxlfgr1vIIdhCwV5OUPkS+CiBFkc8L5vxytk5nD2PH2ndY5H/h pePjYr1BzJYx2+GHHILE+bFvzGtU9zpzjDiOo5GZItcjOJmUrpmOV5eAId89Kq3X ibsblNk0TaiCHGPbiomClKdPfcz6vkZLSw87aR8W8dyLLrDkgALqIwVfl0oyp5Gp dm7KTxLrj0OwnBnKpJDh7pvo6j6gbZRW8FBl+7t74vUWYnvCrbem1IZ8B+XYLsfj fiBPSP5Df7Q= =tHoT - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYSgb5eNLKJtyKPYoAQgxZw/+J7E2Wlj7DVrl5zgbsjb4jEcFmYa1DT/q sqJIwYnefu9QQEM0buV1aa+SHYZXXvEhl48eMZY7Re+ahWln0WsBNJoxiqqgpA8w gG5sW+mZIcP6PDhzOanJqE56ObqzsxsVt6dvgZYqIazAly6ph2TvJBI7h09jhnI8 KTMujZTrlghciwu5eMkP446Qbs1KkKoNgUqLgM8KDGiTeDs472cL4tqX1n04JAKe 64tjOxP7ed7yVNhLH6keXFAN1yyXh7OMLlXVVYCI4rd4UIPBl7qhw5tRRjBn1yYW K+Q33T74dUvcB0sPNKMO58lbRhASumvYoGWTmKDyOm1QpJ3c3jBFIOlJESOmMc+i B12lpMVx50sH0nIGYgq69ZqSanwIby/yncSjScCPgO6LdOD2LcG273rFj8Lj17k3 9yAv/1bET8CCYzm4h2rA6j+QztwKcIpH6J/WNH4Y5zStG1J0cJ4eX40K/j7MAal0 N0XBP2TI658WVRdK/SlllTNyhzvVAzeKn9skPg4UzGqzRzD7L96pSYXf+8TP3KYL 43LhiYlnqPnSqnOdxDwBQGmhz2ScW2kKr5ucewguRcU/Ub/spo9If5K4pdCRt4N3 mM1Dj5amcCWFOxAYZpieZjet70ro6+sKzPLu4njkGxObXCy/5AECQT4g6RsGDo3y b1JseyOcvjg= =j/QY -----END PGP SIGNATURE-----