RHBA-2022:6657 - Bug Fix Advisory

Topic

An updated OpenShift Compliance Operator image that fixes various bugs is now available for the Red Hat OpenShift Enterprise 4 catalog.

Description

The OpenShift Compliance Operator v0.1.57 is now available. See the documentation for bug fix information:

https://docs.openshift.com/container-platform/4.11/security/compliance_operator/compliance-operator-release-notes.html

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to:

https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

• BZ - 2060726 - Compliance operator does not generate alert notification for non-control namespace
• BZ - 2062530 - CU found ocp4-var-oauth-inactivity-timeout and other compliance-operator variables are having an issue
• BZ - 2075041 - Compliance Check Results FAIL even if the kubelet parameter is correct by default
• BZ - 2082416 - The rule: ocp4-kubelet-configure-event-creation is failing after auto remediation applied
• BZ - 2091794 - Instructions for rule ocp4-configure-network-policies not clear
• BZ - 2092913 - When debug is setting to true, the pod generated by scansettingbinding won?t get deleted when the scansettingbinding get deleted
• BZ - 2098581 - APIRemovedInNextEUSReleaseInUse alert fired for openshift-compliance cronjobs
• BZ - 2102511 - [OSD] mcp puase status stuck at true issue as Compliance Operator failed to check if kubeletconfig custom-kubelet is subset of rendered MC 99-worker-generated-kubelet
• BZ - 2105153 - Rule ocp4-kubelet-enable-client-cert-rotation is not working as expected
• BZ - 2105878 - Rule ocp4-kubelet-enable-streaming-connections not working as expected when variable is set while streamingConnectionIdleTimeout in kubeletconfig unset
• BZ - 2117268 - ocp4-pci-dss-api-checks-pod in CrashLoopBackoff state due to ignition spec.config not in MC
• BZ - 2117747 - Compliance rules are failing after remediated automatically from scan setting successfully
• OCPBUGS-2156 - Compliancesuite could not be deleted successfully for 4.6 and 4.7
• OCPBUGS-1066 - ocp4-oauth-or-oauthclient-inactivity-timeout fail even if all oauthclient have set accessTokenInactivityTimeoutSeconds to 600
• OCPBUGS-1792 - The instructions for rule ocp4-machine-volume-encrypted need to be updated
• OCPBUGS-2331 - CIS scan rules fail to validate newer TLS cipher suites

CVEs

• CVE-2015-20107
• CVE-2020-35525
• CVE-2020-35527
• CVE-2022-0391
• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-1785
• CVE-2022-1897
• CVE-2022-1927
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-2509
• CVE-2022-3515
• CVE-2022-32206
• CVE-2022-32208
• CVE-2022-34903
• CVE-2022-37434
• CVE-2022-40674

References

• null