RHBA-2024:6761 - Bug Fix Advisory

Topic

OpenShift Compliance Operator 1.6.0 is now available for the Red
Hat OpenShift Enterprise 4 catalog, which includes various bug
fixes and enhancements.

Description

The OpenShift Compliance Operator 1.6.0 is now available. See the
documentation for bug fix information:

https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-release-notes.html

Solution

Before applying this update, make sure all previously released
errata relevant to your system have been applied. For details on how
to apply this update, refer to:

https://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64
• Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

• CMP-2485 - Conflicting titles for rules `ocp4-route-ip-whitelist` & `ocp4-routes-rate-limit`
• CMP-2610 - Use FIPS compliant rhel-els image for Compliance Operator
• CMP-2614 - Implement update timestamps on ComplianceCheckResults
• CMP-2615 - Add a check aggregate to the compliance scan metadata
• OCPBUGS-17828 - Improve ocp4-cis-scc-limit-container-allowed-capabilities instructions
• OCPBUGS-19690 - Some rules with auto-remediations available get failed after auto-remediation have been applied for rhcos4-high profile
• OCPBUGS-304 - Compliance rule ocp4-resource-requests-limits-in-deployment failing for rhacs-operatro-controller-manager operator.
• OCPBUGS-31674 - After auto remediation applied, some rules still failed for rhcos4-moderate and rhcos4-high profiles
• OCPBUGS-32551 - accessTokenInactivityTimeoutSeconds used in oauthclient-inactivity-timeout is immutable
• OCPBUGS-34982 - The annotations for the deprecated rules should be updated
• OCPBUGS-35765 - bios-enable-execution-restrictions should be excluded for ppc64le
• OCPBUGS-35854 - The rule ocp4-etcd-unique-ca gets fail by default for 4.17 payload
• OCPBUGS-39417 - [CEE.neXT]PrometheusOperatorRejectedResources alert after upgrading compliance operator to 1.5.1
• OCPBUGS-42177 - Rule ocp4-moderate-resource-requests-quota fail if the ResourceQuota exists in all non-control namespaces
• OCPBUGS-42185 - The must-gather image name is too long
• OCPBUGS-42247 - The must-gather image for compliance operator is not working as expected

CVEs

• CVE-2021-43618
• CVE-2021-46848
• CVE-2022-1271
• CVE-2022-36227
• CVE-2022-47629
• CVE-2022-48554
• CVE-2023-2602
• CVE-2023-2603
• CVE-2023-7104
• CVE-2023-29491
• CVE-2024-6119
• CVE-2024-25062
• CVE-2024-28182
• CVE-2024-28834
• CVE-2024-28835
• CVE-2024-34397
• CVE-2024-37370
• CVE-2024-37371
• CVE-2024-45490
• CVE-2024-45491
• CVE-2024-45492

References

(none)