Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2021:2041 - Security Advisory
Issued:
2021-05-19
Updated:
2021-05-19

RHSA-2021:2041 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Updated images which include numerous security fixes, bug fixes, and enhancements are now available for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

  • nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)
  • kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565)
  • jwt-go: access restriction bypass vulnerability (CVE-2020-26160)
  • nodejs-date-and-time: ReDoS in parsing via date.compile (CVE-2020-26289)
  • golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)
  • golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)
  • NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528)
  • nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

This update includes various bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Container Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.7/html-single/4.7_release_notes/index

All Red Hat OpenShift Container Storage users are advised to upgrade to these updated images.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Data Foundation 4 x86_64
  • Red Hat OpenShift Data Foundation for IBM Power, little endian 4 ppc64le
  • Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 s390x

Fixes

  • BZ - 1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1
  • BZ - 1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts
  • BZ - 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
  • BZ - 1850089 - OBC CRD is outdated and leads to missing columns in get queries
  • BZ - 1860594 - Toolbox pod should have toleration for OCS tainted nodes
  • BZ - 1861104 - OCS podDisruptionBudget prevents successful OCP upgrades
  • BZ - 1861878 - [RFE] use appropriate PDB values for OSD
  • BZ - 1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step.
  • BZ - 1869406 - must-gather should include historical pod logs
  • BZ - 1872730 - [RFE][External mode] Re-configure noobaa to use the updated RGW endpoint from the RHCS cluster
  • BZ - 1874367 - "Create Backing Store" page doesn't allow to select already defined k8s secret as target bucket credentials when Google Cloud Storage is selected as a provider
  • BZ - 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
  • BZ - 1886112 - log message flood with Reconciling StorageCluster","Request.Namespace":"openshift-storage","Request.Name":"ocs-storagecluster"
  • BZ - 1886416 - Uninstall 4.6: ocs-operator logging regarding noobaa-core PVC needs change
  • BZ - 1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
  • BZ - 1888839 - Create public route for ceph-rgw service
  • BZ - 1892622 - [GSS] Noobaa management dashboard reporting High number of issues when the cluster is in healthy state
  • BZ - 1893611 - Skip ceph commands collection attempt if must-gather helper pod is not created
  • BZ - 1893613 - must-gather tries to collect ceph commands in external mode when storagecluster already deleted
  • BZ - 1893619 - OCS must-gather: Inspect errors for cephobjectoreUser and few ceph commandd when storage cluster does not exist
  • BZ - 1894412 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port
  • BZ - 1896338 - OCS upgrade from 4.6 to 4.7 build failed
  • BZ - 1897246 - OCS - ceph historical logs collection
  • BZ - 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
  • BZ - 1898509 - [Tracker][RHV #1899565] Deployment on RHV/oVirt storage class ovirt-csi-sc failing
  • BZ - 1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability
  • BZ - 1898808 - Rook-Ceph crash collector pod should not run on non-ocs node
  • BZ - 1900711 - [RFE] Alerting for Namespace buckets and resources
  • BZ - 1900722 - Failed to init upgrade process on noobaa-core-0
  • BZ - 1900749 - Namespace Resource reported as Healthy when target bucket deleted
  • BZ - 1900760 - RPC call for Namespace resource creation allows invalid target bucket names
  • BZ - 1901134 - OCS - ceph historical logs collection
  • BZ - 1902192 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port
  • BZ - 1902685 - Too strict Content-Length header check refuses valid upload requests
  • BZ - 1902711 - Tracker for Bug #1903078 Deleting VolumeSnapshotClass makes VolumeSnapshot not Ready
  • BZ - 1903973 - [Azure][ROKS] Set SSD tuning (tuneFastDeviceClass) as default for OSD devices in Azure/ROKS platform
  • BZ - 1903975 - Add "ceph df detail" for ocs must-gather to enable support to debug compression
  • BZ - 1904302 - [GSS] ceph_daemon label includes references to a replaced OSD that cause a prometheus ruleset to fail
  • BZ - 1904929 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod
  • BZ - 1907318 - Unable to deploy & upgrade to ocs 4.7 - missing postgres image reference
  • BZ - 1908414 - [GSS][VMWare][ROKS] rgw pods are not showing up in OCS 4.5 - due to pg_limit issue
  • BZ - 1908678 - ocs-osd-removal job failed with "Invalid value" error when using multiple ids
  • BZ - 1909268 - OCS 4.7 UI install -All OCS operator pods respin after storagecluster creation
  • BZ - 1909488 - [NooBaa CLI] CLI status command looks for wrong DB PV name
  • BZ - 1909745 - pv-pool backing store name restriction should be at 43 characters
  • BZ - 1910705 - OBCs are stuck in a Pending state
  • BZ - 1911131 - Bucket stats in the NB dashboard are incorrect
  • BZ - 1911266 - Backingstore phase is ready, modecode is INITIALIZING
  • BZ - 1911627 - CVE-2020-26289 nodejs-date-and-time: ReDoS in parsing via date.compile
  • BZ - 1911789 - Data deduplication does not work properly
  • BZ - 1912421 - [RFE] noobaa cli allow the creation of BackingStores with already existing secrets
  • BZ - 1912894 - OCS storagecluster is Progressing state and some noobaa pods missing with latest 4.7 build -4.7.0-223.ci and storagecluster reflected as 4.8.0 instead of 4.7.0
  • BZ - 1913149 - make must-gather backward compatibility for version <4.6
  • BZ - 1913357 - ocs-operator should show error when flexible scaling and arbiter are both enabled at the same time
  • BZ - 1914132 - No metrics available in the Object Service Dashboard in OCS 4.7, logs show "failed to retrieve metrics exporter servicemonitor"
  • BZ - 1914159 - When OCS was deployed using arbiter mode mon's are going into CLBO state, ceph version = 14.2.11-95
  • BZ - 1914215 - must-gather fails to delete the completed state compute-xx-debug pods after successful completion
  • BZ - 1915111 - OCS OSD selection algorithm is making some strange choices.
  • BZ - 1915261 - Deleted MCG CRs are stuck in a 'Deleting' state
  • BZ - 1915445 - Uninstall 4.7: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster + support TLS configuration for KMS
  • BZ - 1915644 - update noobaa db label in must-gather to collect db pod in noobaa dir
  • BZ - 1915698 - There is missing noobaa-core-0 pod after upgrade from OCS 4.6 to OCS 4.7
  • BZ - 1915706 - [Azure][RBD] PV taking longer time ~ 9 minutes to get deleted
  • BZ - 1915730 - [ocs-operator] Create public route for ceph-rgw service
  • BZ - 1915737 - Improve ocs-operator logging during uninstall to be more verbose, to understand reasons for failures - e.g. for Bug 1915445
  • BZ - 1915758 - improve noobaa logging in case of uninstall - logs do not specify clearly the resource on which deletion is stuck
  • BZ - 1915807 - Arbiter: OCS Install failed when used label = topology.kubernetes.io/zone instead of deprecated failureDomain label
  • BZ - 1915851 - OCS PodDisruptionBudget redesign for OSDs to allow multiple nodes to drain in the same failure domain
  • BZ - 1915953 - Must-gather takes hours to complete if the OCS cluster is not fully deployed, delay seen in ceph command collection step
  • BZ - 1916850 - Uninstall 4.7- rook: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster(OSD creation failed)
  • BZ - 1917253 - Restore-pvc creation fails with error "csi-vol-* has unsupported quota"
  • BZ - 1917815 - [IBM Z and Power] OSD pods restarting due to OOM during upgrade test using ocs-ci
  • BZ - 1918360 - collect timestamp for must-gather commands and also the total time taken for must-gather to complete
  • BZ - 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
  • BZ - 1918925 - noobaa operator pod logs messages for other components - like rook-ceph-mon, csi-pods, new Storageclass, etc
  • BZ - 1918938 - ocs-operator has Error logs with "unable to deploy Prometheus rules"
  • BZ - 1919967 - MCG RPC calls time out and the system is unresponsive
  • BZ - 1920202 - RGW pod did not get created when OCS was deployed using arbiter mode
  • BZ - 1920498 - [IBM Z] OSDs are OOM killed and storage cluster goes into error state during ocs-ci tier1 pvc expansion tests
  • BZ - 1920507 - Creation of cephblockpool with compression failed on timeout
  • BZ - 1921521 - Add support for VAULT_SKIP_VERIFY option in Ceph-CSI
  • BZ - 1921540 - RBD PVC creation fails with error "invalid encryption kms configuration: "POD_NAMESPACE" is not set"
  • BZ - 1921609 - MongoNetworkError messages in noobaa-core logs
  • BZ - 1921625 - 'Not Found: Secret "noobaa-root-master-key" message' in noobaa logs and cli output when kms is configured
  • BZ - 1922064 - uninstall on VMware LSO+ arbiter with 4 OSDs in Pending state: Storagecluster deletion stuck, waiting for cephcluster to be deleted
  • BZ - 1922108 - OCS 4.7 4.7.0-242.ci and beyond: osd pods are not created
  • BZ - 1922113 - noobaa-db pod init container is crashing after OCS upgrade from OCS 4.6 to OCS 4.7
  • BZ - 1922119 - PVC snapshot creation failing on OCP4.6-OCS 4.7 cluster
  • BZ - 1922421 - [ROKS] OCS deployment stuck at mon pod in pending state
  • BZ - 1922954 - [IBM Z] OCS: Failed tests because of osd deviceset restarts
  • BZ - 1924185 - Object Service Dashboard shows alerts related to "system-internal-storage-pool" in OCS 4.7
  • BZ - 1924211 - 4.7.0-249.ci: RGW pod not deployed, rook logs show - failed to create object store "must be no more than 63 characters"
  • BZ - 1924634 - MG terminal logs show `pods "compute-x-debug" not found` even though pods are in Running state
  • BZ - 1924784 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration"
  • BZ - 1924792 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration"
  • BZ - 1925055 - OSD pod stuck in Init:CrashLoopBackOff following Node maintenance in OCP upgrade from OCP 4.7 to 4.7 nightly
  • BZ - 1925179 - MG fix [continuation from bug 1893619]: Do not attempt creating helper pod if storagecluster/cephcluster already deleted
  • BZ - 1925249 - KMS resources should be garbage collected when StorageCluster is deleted
  • BZ - 1925533 - [GSS] Unable to install Noobaa in AWS govcloud
  • BZ - 1926182 - [RFE] Support disabling reconciliation of monitoring related resources using a dedicated reconcile strategy flag
  • BZ - 1926617 - osds are in Init:CrashLoopBackOff with rgw in CrashLoopBackOff on KMS enabled cluster
  • BZ - 1926717 - Only one NOOBAA_ROOT_SECRET_PATH key created in vault when the same backend path is used for multiple OCS clusters
  • BZ - 1926831 - [IBM][ROKS] Deploy RGW pods only if IBM COS is not available on platform
  • BZ - 1927128 - [Tracker for BZ #1937088] When Performed add capacity over arbiter mode cluster ceph health reports PG_AVAILABILITY Reduced data availability: 25 pgs inactive, 25 pgs incomplete
  • BZ - 1927138 - must-gather skip collection of ceph in every run
  • BZ - 1927186 - Configure pv-pool as backing store if cos creds secret not found in IBM Cloud
  • BZ - 1927317 - [Arbiter] Storage Cluster installation did not started because ocs-operator was Expecting 8 node found 4
  • BZ - 1927330 - Namespacestore-backed OBCs are stuck on Pending
  • BZ - 1927338 - Uninstall OCS: Include events for major CRs to know the cause of deletion getting stuck
  • BZ - 1927885 - OCS 4.7: ocs operator pod in 1/1 state even when Storagecluster is in Progressing state
  • BZ - 1928063 - For FD: rack: actual osd pod distribution and OSD placement in rack under ceph osd tree output do not match
  • BZ - 1928451 - MCG CLI command of diagnose doesn't work on windows
  • BZ - 1928471 - [Deployment blocker] Ceph OSDs do not register properly in the CRUSH map
  • BZ - 1928487 - MCG CLI - noobaa ui command shows wss instead of https
  • BZ - 1928642 - [IBM Z] rook-ceph-rgw pods restarts continously with ocs version 4.6.3 due to liveness probe failure
  • BZ - 1931191 - Backing/namespacestores are stuck on Creating with credentials errors
  • BZ - 1931810 - LSO deployment(flexibleScaling:true): 100% PGS unknown even though ceph osd tree placement is correct(root cause diff from bug 1928471)
  • BZ - 1931839 - OSD in state init:CrashLoopBackOff with KMS signed certificates
  • BZ - 1932400 - Namespacestore deletion takes 15 minutes
  • BZ - 1933607 - Prevent reconcile of labels on all monitoring resources deployed by ocs-operator
  • BZ - 1933609 - Prevent reconcile of labels on all monitoring resources deployed by rook
  • BZ - 1933736 - Allow shrinking the cluster by removing OSDs
  • BZ - 1934000 - Improve error logging for kv-v2 while using encryption with KMS
  • BZ - 1934990 - Ceph health ERR post node drain on KMS encryption enabled cluster
  • BZ - 1935342 - [RFE] Add OSD flapping alert
  • BZ - 1936545 - [Tracker for BZ #1938669] setuid and setgid file bits are not retained after a OCS CephFS CSI restore
  • BZ - 1936877 - Include at OCS Multi-Cloud Object Gateway core container image the fixes on CVEs from RHEL8 on "nodejs"
  • BZ - 1937070 - Storage cluster cannot be uninstalled when cluster not fully configured
  • BZ - 1937100 - [RGW][notification][kafka]: notification fails with error: pubsub endpoint configuration error: unknown schema in: kafka
  • BZ - 1937245 - csi-cephfsplugin pods CrashLoopBackoff in fresh 4.6 cluster due to conflict with kube-rbac-proxy
  • BZ - 1937768 - OBC with Cache BucketPolicy stuck on pending
  • BZ - 1939026 - ServiceUnavailable when calling the CreateBucket operation (reached max retries: 4): Reduce your request rate
  • BZ - 1939472 - Failure domain set incorrectly to zone if flexible scaling is enabled but there are >= 3 zones
  • BZ - 1939617 - [Arbiter] Mons cannot be failed over in stretch mode
  • BZ - 1940440 - noobaa migration pod is deleted on failure and logs are not available for inspection
  • BZ - 1940476 - Backingstore deletion hangs
  • BZ - 1940957 - Deletion of Rejected NamespaceStore is stuck even when target bucket and bucketclass are deleted
  • BZ - 1941647 - OCS deployment fails when no backend path is specified for cluster wide encryption using KMS
  • BZ - 1941977 - rook-ceph-osd-X gets stuck in initcontainer expand-encrypted-bluefs
  • BZ - 1942344 - No permissions in /etc/passwd leads to fail noobaa-operaor
  • BZ - 1942350 - No permissions in /etc/passwd leads to fail noobaa-operaor
  • BZ - 1942519 - MCG should not use KMS to store encryption keys if cluster wide encryption is not enabled using KMS
  • BZ - 1943275 - OSD pods re-spun after "add capacity" on cluster with KMS
  • BZ - 1943596 - [Tracker for BZ #1944611][Arbiter] When Performed zone(zone=a) Power off and Power On, 3 mon pod(zone=b,c) goes in CLBO after node Power off and 2 Osd(zone=a) goes in CLBO after node Power on
  • BZ - 1944980 - Noobaa deployment fails when no KMS backend path is provided during storagecluster creation
  • BZ - 1946592 - [Arbiter] When both the rgw pod hosting nodes are down, the rgw service is unavailable
  • BZ - 1946837 - OCS 4.7 Arbiter Mode Cluster becomes stuck when entire zone is shutdown
  • BZ - 1955328 - Upgrade of noobaa DB failed when upgrading OCS 4.6 to 4.7
  • BZ - 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
  • BZ - 1957187 - Update to RHCS 4.2z1 Ceph container image at OCS 4.7.0
  • BZ - 1957639 - Noobaa migrate job is failing when upgrading OCS 4.6.4 to 4.7 on FIPS environment

CVEs

  • CVE-2020-7608
  • CVE-2020-7774
  • CVE-2020-8565
  • CVE-2020-25678
  • CVE-2020-26160
  • CVE-2020-26289
  • CVE-2020-28362
  • CVE-2021-3114
  • CVE-2021-3139
  • CVE-2021-3449
  • CVE-2021-3450
  • CVE-2021-3528
  • CVE-2021-20305

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Data Foundation 4

SRPM
x86_64

Red Hat OpenShift Data Foundation for IBM Power, little endian 4

SRPM
ppc64le

Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4

SRPM
s390x

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter