Operating System:

[RedHat]

Published:

11 August 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3975
      OpenShift Container Platform 4.11.0 extras and security update
                              11 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.11.0
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29824 CVE-2022-29162 CVE-2022-28327
                   CVE-2022-27782 CVE-2022-27776 CVE-2022-27774
                   CVE-2022-27191 CVE-2022-25314 CVE-2022-25313
                   CVE-2022-24921 CVE-2022-24903 CVE-2022-24675
                   CVE-2022-24407 CVE-2022-23806 CVE-2022-23773
                   CVE-2022-23772 CVE-2022-22576 CVE-2022-21698
                   CVE-2022-1729 CVE-2022-1706 CVE-2022-1629
                   CVE-2022-1621 CVE-2022-1271 CVE-2022-0778
                   CVE-2021-42771 CVE-2021-40528 CVE-2021-38561
                   CVE-2021-36087 CVE-2021-36086 CVE-2021-36085
                   CVE-2021-36084 CVE-2021-31566 CVE-2021-25219
                   CVE-2021-23177 CVE-2021-20232 CVE-2021-20231
                   CVE-2021-20095 CVE-2021-4189 CVE-2021-3737
                   CVE-2021-3634 CVE-2021-3580 CVE-2020-28493
                   CVE-2020-24370 CVE-2020-14155 CVE-2020-13435
                   CVE-2019-20838 CVE-2019-19603 CVE-2019-18874
                   CVE-2019-18218 CVE-2019-17595 CVE-2019-17594
                   CVE-2019-13751 CVE-2019-13750 CVE-2019-5827
                   CVE-2018-25032  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:5070

Comment: CVSS (Max):  9.8 CVE-2019-18218 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.0 extras and security update
Advisory ID:       RHSA-2022:5070-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5070
Issue date:        2022-08-10
CVE Names:         CVE-2018-25032 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-18874 CVE-2019-19603 
                   CVE-2019-20838 CVE-2020-13435 CVE-2020-14155 
                   CVE-2020-24370 CVE-2020-28493 CVE-2021-3580 
                   CVE-2021-3634 CVE-2021-3737 CVE-2021-4189 
                   CVE-2021-20095 CVE-2021-20231 CVE-2021-20232 
                   CVE-2021-23177 CVE-2021-25219 CVE-2021-31566 
                   CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 
                   CVE-2021-36087 CVE-2021-38561 CVE-2021-40528 
                   CVE-2021-42771 CVE-2022-0778 CVE-2022-1271 
                   CVE-2022-1621 CVE-2022-1629 CVE-2022-1706 
                   CVE-2022-1729 CVE-2022-21698 CVE-2022-22576 
                   CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 
                   CVE-2022-24407 CVE-2022-24675 CVE-2022-24903 
                   CVE-2022-24921 CVE-2022-25313 CVE-2022-25314 
                   CVE-2022-27191 CVE-2022-27774 CVE-2022-27776 
                   CVE-2022-27782 CVE-2022-28327 CVE-2022-29162 
                   CVE-2022-29824 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.11.0. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2022:5068

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)
* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)
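The two fixes above land in Red Hat's shipped RPMs, but the same libraries are vendored by any Go operator or plugin you build against OpenShift. The following script is an added example (not Red Hat code) that audits `go list -m all` output for module versions below the upstream fix: golang.org/x/text v0.3.7 for CVE-2021-38561 and github.com/prometheus/client_golang v1.11.1 for CVE-2022-21698. The sample module list is constructed for the example; the module name `example.com/myoperator` is a placeholder.

```python
"""Flag Go module versions affected by the two CVEs named in this advisory.

Added example, not Red Hat code. Input is the text of `go list -m all`
(one "<module> <version>" line per module); here it is a constructed
sample. Fixed versions are the upstream fixes: golang.org/x/text v0.3.7
for CVE-2021-38561 and github.com/prometheus/client_golang v1.11.1 for
CVE-2022-21698.
"""
import re

# Minimum non-vulnerable version per module, with the CVE it closes.
FIXED = {
    "golang.org/x/text": ("v0.3.7", "CVE-2021-38561"),
    "github.com/prometheus/client_golang": ("v1.11.1", "CVE-2022-21698"),
}

_SEMVER = re.compile(
    r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?$"
)


def parse_semver(v):
    """Return a sortable key for a Go module version string.

    A pre-release (including Go pseudo-versions such as
    v0.0.0-20210220033141-f8bda1e9f3ba) sorts before the plain release
    with the same base number, matching Go's own ordering.
    """
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver module version: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 0 if pre is None else -1, pre or "")


def parse_go_list(text):
    """Parse `go list -m all` output into {module: version}.

    The first line is the main module and carries no version. A replace
    directive prints as "<mod> <ver> => <mod> <ver>"; the version that is
    actually compiled in is the right-hand side, so keep that one.
    """
    mods = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            line = line.split("=>", 1)[1].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # main module, no version to audit
        mods[parts[0]] = parts[1]
    return mods


def audit(mods):
    """Return [(module, version, cve)] for modules below their fixed version."""
    findings = []
    for mod, (fixed, cve) in FIXED.items():
        ver = mods.get(mod)
        if ver is not None and parse_semver(ver) < parse_semver(fixed):
            findings.append((mod, ver, cve))
    return findings


# Constructed sample; not real output from any OpenShift component.
SAMPLE = """example.com/myoperator
github.com/prometheus/client_golang v1.11.0
github.com/prometheus/client_model v0.2.0
golang.org/x/text v0.3.6 => golang.org/x/text v0.3.7
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
"""

if __name__ == "__main__":
    for mod, ver, cve in audit(parse_go_list(SAMPLE)):
        print(f"{cve}: {mod}@{ver} is below fixed version {FIXED[mod][0]}")
```

Run it as `go list -m all | python3 audit.py` by reading stdin instead of `SAMPLE`. Note that the replace directive in the sample keeps x/text out of the findings: only the version on the right of `=>` is built, so auditing `go.mod` require lines alone would give a false positive there.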

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11, see the following documentation
(which will be updated shortly for this release) for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
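The Description and Solution sections both say to check the cluster for available updates with `oc` before upgrading. The script below is an added example (not Red Hat tooling) that reads the ClusterVersion object as returned by `oc get clusterversion version -o json` and reports whether the cluster already runs 4.11.0 or later, whether 4.11.0 is offered in its channel, and whether an update is already in flight or failing. The JSON is a constructed sample shaped like that object; `status.desired`, `status.history`, `status.availableUpdates` and `status.conditions` are real ClusterVersion fields, and the cluster ID is a placeholder.

```python
"""Decide from a ClusterVersion object whether a cluster still needs 4.11.0.

Added example, not Red Hat tooling. Input is the JSON printed by
`oc get clusterversion version -o json`; SAMPLE below is constructed.
"""
import json
import sys

TARGET = "4.11.0"


def version_key(v):
    """Sort key for release versions such as 4.10.25 or 4.11.0-rc.7.

    A release candidate sorts below the final release of the same number.
    """
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    return (nums, 0 if not pre else -1, pre)


def condition(cv, ctype):
    """Return (status, message) of a ClusterVersion condition, or (None, '')."""
    for c in cv.get("status", {}).get("conditions", []):
        if c.get("type") == ctype:
            return c.get("status"), c.get("message", "")
    return None, ""


def assess(cv, target=TARGET):
    """Summarise update state relative to `target`."""
    status = cv["status"]
    # The newest Completed history entry is the version actually running;
    # `verified` records whether its release image signature was checked.
    completed = [h for h in status.get("history", []) if h.get("state") == "Completed"]
    running = completed[0] if completed else {}
    current = running.get("version")
    offered = {u["version"] for u in (status.get("availableUpdates") or [])}
    progressing, _ = condition(cv, "Progressing")
    failing, fail_msg = condition(cv, "Failing")
    return {
        "current": current,
        "current_image_verified": running.get("verified"),
        "desired": status.get("desired", {}).get("version"),
        "channel": cv.get("spec", {}).get("channel"),
        "at_or_above_target": current is not None
        and version_key(current) >= version_key(target),
        "target_offered": target in offered,
        "update_in_progress": progressing == "True",
        "failing": failing == "True",
        "failing_message": fail_msg,
    }


# Constructed sample ClusterVersion; the clusterID is a placeholder.
SAMPLE = json.loads("""{
  "apiVersion": "config.openshift.io/v1", "kind": "ClusterVersion",
  "metadata": {"name": "version"},
  "spec": {"channel": "stable-4.11",
           "clusterID": "00000000-0000-0000-0000-000000000000"},
  "status": {
    "desired": {"version": "4.10.25"},
    "history": [
      {"state": "Completed", "version": "4.10.25", "verified": true},
      {"state": "Completed", "version": "4.10.20", "verified": true}
    ],
    "availableUpdates": [{"version": "4.10.26"}, {"version": "4.11.0"}],
    "conditions": [
      {"type": "Available", "status": "True"},
      {"type": "Failing", "status": "False"},
      {"type": "Progressing", "status": "False",
       "message": "Cluster version is 4.10.25"}
    ]
  }
}""")

if __name__ == "__main__":
    cv = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    r = assess(cv)
    print(json.dumps(r, indent=2))
    if r["failing"]:
        print(f"resolve the failing condition first: {r['failing_message']}")
    elif r["at_or_above_target"]:
        print(f"already at {r['current']}; {TARGET} applied")
    elif r["update_in_progress"]:
        print(f"update to {r['desired']} already in progress")
    elif r["target_offered"]:
        print(f"run: oc adm upgrade --to={TARGET}")
    else:
        print(f"{TARGET} not offered in channel {r['channel']}; check the channel")
```

Run with `oc get clusterversion version -o json | python3 check.py -` on a live cluster. The `availableUpdates` list is what `oc adm upgrade` prints; if the target is absent the cluster is on a channel that does not yet offer it, and the `verified` flag on the running history entry tells you whether the release image signature was checked at install time.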

4. Bugs fixed (https://bugzilla.redhat.com/):

2042536 - OCP 4.10:  nfd-topology-updater daemonset fails to get created on worker nodes - forbidden: unable to validate against any security context constraint
2042652 - Unable to deploy hw-event-proxy operator
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2047308 - Remove metrics and events for master port offsets
2055049 - No pre-caching for NFD images
2055436 - nfd-master tracking the wrong api group
2055439 - nfd-master tracking the wrong api group (operand)
2057569 - nfd-worker: drop 'custom-' prefix from matchFeatures custom rules
2058256 - LeaseDuration for NFD Operator seems to be rather small, causing Operator restarts when running etcd defrag
2062849 - hw event proxy is not binding on ipv6 local address
2066860 - Wrong spec in NFD documentation under `operand`
2066887 - Dependabot alert: Path traversal in github.com/valyala/fasthttp
2066889 - Dependabot alert: Path traversal in github.com/valyala/fasthttp
2067312 - PPT event source is lost when received by the consumer
2077243 - NFD os release label lost after upgrade to ocp 4.10.6
2087511 - NFD SkipRange is wrong causing OLM install problems
2089962 - Node feature Discovery operator installation failed.
2090774 - Add Readme to plugin directory
2091106 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3
2091142 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2020-28493
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-20095
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-23177
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-31566
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-42771
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1621
https://access.redhat.com/security/cve/CVE-2022-1629
https://access.redhat.com/security/cve/CVE-2022-1706
https://access.redhat.com/security/cve/CVE-2022-1729
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-22576
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24903
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/cve/CVE-2022-27774
https://access.redhat.com/security/cve/CVE-2022-27776
https://access.redhat.com/security/cve/CVE-2022-27782
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29162
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----