RHSA-2020:5614 - Security Advisory

Topic

Red Hat OpenShift Container Platform release 4.6.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release also includes a security update for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

• cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator (CVE-2020-27836)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.6.9. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2020:5615

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

This update fixes the following bugs among others:

• Previously, pre-flight installer validation for OpenShift Container Platform on OpenStack was performed on the flavor metadata. This could prevent installations to flavors detected as `baremetal`, which might have the required capacity to complete the installation. This is usually caused by OpenStack administrators not setting the appropriate metadata on their bare metal flavors. Validations are now skipped on flavors detected as `baremetal`, to prevent incorrect failures from being reported. (BZ#1889416)
• Previously, there was a broken link on the OperatorHub install page of the web console, which was intended to reference the cluster monitoring documentation. This has been fixed. (BZ#1904600)

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-x86_64

The image digest is sha256:43d5c84169a4b3ff307c29d7374f6d69a707de15e9fa90ad352b432f77c0cead

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-s390x

The image digest is sha256:3d77e9b0fd14a5c4d50995bbb17494a02f27a69f2ffa9771b29d112fe084699f

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.9-ppc64le

The image digest is sha256:0975188e83f8688f97180b408a447b41f492ee35d1dacd43a826b14db7d486e5

All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

Solution

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

Affected Products

• Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

Fixes

• BZ - 1885442 - Console doesn't load in iOS Safari when using self-signed certificates
• BZ - 1885946 - console-master-e2e-gcp-console test periodically fail due to no Alerts found
• BZ - 1887551 - Unsupported access mode should not be available to select when creating pvc by aws-ebs-csi-driver(gp2-csi) from web-console
• BZ - 1888165 - [release 4.6] IO doesn't recognize namespaces - 2 resources with the same name in 2 namespaces -> only 1 gets collected
• BZ - 1888650 - Fix CVE-2015-7501 affecting agent-maven-3.5
• BZ - 1888717 - Cypress: Fix 'link-name' accesibility violation
• BZ - 1888721 - ovn-masters stuck in crashloop after scale test
• BZ - 1890993 - Selected Capacity is showing wrong size
• BZ - 1890994 - When the user clicked cancel at the Create Storage Class confirmation dialog all the data from the Local volume set goes off
• BZ - 1891427 - CLI does not save login credentials as expected when using the same username in multiple clusters
• BZ - 1891454 - EgressNetworkPolicy does not work when setting Allow rule to a dnsName
• BZ - 1891499 - Other machine config pools do not show during update
• BZ - 1891891 - Wrong detail head on network policy detail page.
• BZ - 1896149 - TLS secrets are not able to edit on console.
• BZ - 1896625 - with Serverless 1.10 version of trigger/subscription/channel/IMC is V1 as latest
• BZ - 1897019 - "Attach to Virtual Machine OS" button should not be visible on old clusters
• BZ - 1897766 - [release-4.6]Incorrect instructions in the Serverless operator and application quick starts
• BZ - 1898172 - installer missing permission definitions for TagResources and UntagResources when installing in existing VPC
• BZ - 1898302 - E2E test: Use KUBEADM_PASSWORD_FILE by default
• BZ - 1898746 - opm index add cannot batch add multiple bundles that use skips
• BZ - 1899056 - Max unavailable and Max surge value are not shown on Deployment Config Details page
• BZ - 1899382 - Remove TechPreview Badge from Eventing in Serverless version 1.11.0
• BZ - 1899728 - overview filesystem utilization of OCP is showing the wrong values
• BZ - 1901110 - pod donut shows incorrect information
• BZ - 1901871 - catalog-operator repeatedly crashes with "runtime error: index out of range [0] with length 0"
• BZ - 1901877 - linuxptp-daemon crash when enable debug log level [release-4.6]
• BZ - 1902029 - [sig-builds][Feature:Builds][valueFrom] process valueFrom in build strategy environment variables should successfully resolve valueFrom in docker build environment variables
• BZ - 1904014 - (release 4.6) Hostsubnet gatherer produces wrong output
• BZ - 1904028 - [release-4.6] The quota controllers should resync on new resources and make progress
• BZ - 1904065 - [release 4.6] [Openstack] HTTP_PROXY setting for NetworkManager-resolv-prepender not working
• BZ - 1904260 - VPA-operator has version: 1.0.0 every build
• BZ - 1904583 - Operator upgrades can delete existing CSV before completion
• BZ - 1904600 - Cluster monitoring documentation link is broken - 404 not found
• BZ - 1905004 - Use new packages for ipa ramdisks
• BZ - 1905230 - Multus errors when cachefile is not found
• BZ - 1905619 - [4.6.z] usbguard extension fails to install because of missing correct protobuf dependency version
• BZ - 1905622 - [Platform] Remove restriction on disk type selection for LocalVolumeSet
• BZ - 1905746 - Subscription manual approval test is flaky
• BZ - 1905903 - Rules in kube-apiserver.rules are taking too long and consuming too much memory for Prometheus to evaluate them
• BZ - 1906267 - CVE-2020-27836 cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator
• BZ - 1906416 - Errant change to lastupdatetime in copied CSV status can trigger runaway csv syncs

CVEs

• CVE-2020-1971
• CVE-2020-8177
• CVE-2020-15862
• CVE-2020-16166
• CVE-2020-27836

References

• https://access.redhat.com/security/updates/classification/#important