Red Hat Product Errata RHSA-2021:1005 - Security Advisory
Issued:
2021-04-05
Updated:
2021-04-05

RHSA-2021:1005 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 4.7.5 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.7.5 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.5. See the following advisory for the RPM packages for
this release:

https://access.redhat.com/errata/RHSA-2021:1006

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Security Fix(es):

  • gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
  • containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs. Documentation for these changes is available from the Release Notes document linked to in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-x86_64

The image digest is
sha256:0a4c44daf1666f069258aa983a66afa2f3998b78ced79faa6174e0a0f438f0a5

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-s390x

The image digest is
sha256:3fc802aafb72402768bbf1b19ce7c6de95256e5cc50799390e63f40d96cec3cd

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.20-ppc64le

The image digest is
sha256:5cf6b61198337cd0950e63296be4e48e991721ac17c625f7fd77cf557f08efc7

Solution

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html.

Affected Products

  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

Fixes

  • BZ - 1917904 - [release-4.7] bump k8s.io/apiserver to 1.20.3
  • BZ - 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
  • BZ - 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
  • BZ - 1925792 - "Edit Annotation" are not correctly translated in Chinese
  • BZ - 1927198 - [e2e][automation] Fix pvc string in pvc.view
  • BZ - 1927311 - Performance: Console makes unnecessary requests for en-US messages on load
  • BZ - 1927953 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it
  • BZ - 1928151 - Manually misspelled as Manualy
  • BZ - 1928614 - NTO may fail to disable stalld when relying on Tuned '[service]' plugin
  • BZ - 1929118 - Update plugins and Jenkins version to prepare openshift-sync-plugin 1.0.46 release
  • BZ - 1929246 - Missing info for Operational Status, Provisioning status, BMC, Hostname, ID for BMH for OCP deployed with assisted installer
  • BZ - 1929674 - [sig-network] pods should successfully create sandboxes by getting pod
  • BZ - 1931382 - Pipelines shown in edit flow for Workloads created via ContainerImage flow
  • BZ - 1931520 - multicast traffic is not working on ovn-kubernetes
  • BZ - 1931622 - LoadBalancer service check test fails during vsphere upgrade
  • BZ - 1931856 - ServiceAccount Registry Authfiles Do Not Contain Entries for Public Hostnames
  • BZ - 1932268 - ovn-kubernetes endpoint slice controller doesn't run on CI jobs
  • BZ - 1932272 - Items marked as mandatory in KMS Provider form are not enforced
  • BZ - 1932277 - Create new pool with arbiter - wrong replica
  • BZ - 1932806 - release-4.7: e2e: test OAuth API connections in the tests by that name
  • BZ - 1933205 - /usr/lib/dracut/modules.d/30ignition/ignition --version sigsev
  • BZ - 1933665 - Getting Forbidden for image in a container template when creating a sample app
  • BZ - 1934442 - [release-4.7] Gather info about unhealthy SAP pods
  • BZ - 1935070 - (release-4.7) Extend OLM operator gatherer to include Operator/ClusterServiceVersion conditions
  • BZ - 1935180 - [4.7z] IGMP/MLD packets being dropped
  • BZ - 1935605 - [Backport 4.7] Add memory and uptime metadata to IO archive
  • BZ - 1935672 - pipelinerun status icon rendering issue
  • BZ - 1935707 - test: Detect when the master pool is still updating after upgrade
  • BZ - 1936337 - console operator panics in DefaultDeployment with nil cm
  • BZ - 1936802 - (release-4.7) Authentication log gatherer shouldn't scan all the pod logs in the openshift-authentication namespace
  • BZ - 1936975 - VSphereProblemDetectorControllerDegraded: context canceled during upgrade to 4.7.0
  • BZ - 1937089 - cluster DNS experiencing disruptions during cluster upgrade in insights cluster
  • BZ - 1937214 - Ingress operator performs spurious updates in response to API's defaulting of NodePort service's clusterIPs field
  • BZ - 1937356 - Incorrect imagestream is shown as selected in knative service container image edit flow
  • BZ - 1937375 - [release-4.7] When deploying the operator via OLM (after creating the respective catalogsource), the deployment "lost" the `resources` section.
  • BZ - 1938316 - [sig-instrumentation][Late] Alerts shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured: Prometheus query error
  • BZ - 1938921 - Router HAProxy config file template is slow to render due to repetitive regex compilations
  • BZ - 1938960 - Permissive Egress NetworkPolicy (0.0.0.0/0) is blocking all traffic
  • BZ - 1939061 - [release-4.7] Sap license management logs gatherer 4.7
  • BZ - 1939199 - move to go 1.15 and registry.ci.openshift.org
  • BZ - 1939608 - FilterToolbar component does not handle 'null' value for 'rowFilters' prop
  • BZ - 1940052 - Not all image pulls within OpenShift builds retry
  • BZ - 1940806 - [4.7z] CNO: nodes and masters are upgrading simultaneously
  • BZ - 1940866 - Add BareMetalPlatformType into e2e upgrade service unsupported list
  • BZ - 1941128 - fix co upgradeableFalse status and reason
  • BZ - 1941217 - Bare-metal operator is firing for ClusterOperatorDown for 15m during 4.6 to 4.7 upgrade
  • BZ - 1941246 - Openshift-apiserver CO unavailable during cluster upgrade from 4.6 to 4.7
  • BZ - 1941367 - The containerruntimecontroller doesn't roll back to CR-1 if we delete CR-2
  • BZ - 1941468 - (release-4.7) 'More about Insights' link points to support link
  • BZ - 1941574 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it [Suite:openshift/conformance/parallel/minimal]
  • BZ - 1942059 - `oc adm catalog mirror` doesn't work for the air-gapped cluster
  • BZ - 1942068 - [release-4.7] Gahter datahubs.installers.datahub.sap.com resources from SAP clusters
  • BZ - 1943310 - [SCALE] enable OVN DB memory trimming on compaction

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.