RHSA-2021:2983 - Security Advisory

Topic

Red Hat OpenShift Container Platform release 4.8.4 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.4. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2021:2984

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Security Fix(es):

• golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
• golang: net: lookup functions may return invalid host names (CVE-2021-33195)
• golang: archive/zip: Malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
• golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
• golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
• golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-x86_64

The image digest is sha256:841535acc09ca8412cd17e8f7702eceda1cac688ccc281278f108675c30de270

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-s390x

The image digest is sha256:78945f4ccc4c1c7fa57762f49e63b1b0e004a0026f6efa85c0a459c777fcead1

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.4-ppc64le

The image digest is sha256:ad3da79ce274c6460a3b50551c54a1eb32562c5a5cec5129cb76c018b8b4dcbb

All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available
at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Solution

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x

Fixes

• BZ - 1938967 - Updating baremetal-machine-controller builder & base images to be consistent with ART
• BZ - 1943565 - ThanosSidecarUnhealthy
• BZ - 1947809 - Upgrade tests should skip disruption tests on single node clusters
• BZ - 1948021 - e2e should fail if operators set unexpected Upgradeable post install
• BZ - 1948629 - Add "none" / "minimal" upgrade test suites to skip disruption tests
• BZ - 1957222 - Add internal option for registry info
• BZ - 1957512 - minor regression in openshift-tests command-line options
• BZ - 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
• BZ - 1960446 - nmstate operator doesn't handle nodes with taints
• BZ - 1961057 - [Driver: Gluster] tests failing in IPv6 and IPv4v6
• BZ - 1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
• BZ - 1967949 - (release-4.8) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records
• BZ - 1971730 - 503 Error page contains license for a vulnerable release of Bootstrap
• BZ - 1972478 - OLM: Failure alert message for copied CSV not helpful
• BZ - 1973662 - Image pruner does not use custom tolerations
• BZ - 1974812 - In customize create vm wizard, a warning "no registred model"
• BZ - 1975559 - typo in operators available
• BZ - 1976008 - Get invalid date when edit custom time range on monitoring dashboards
• BZ - 1976349 - Missing policy-group label on the openshift-console namespace manifest
• BZ - 1978043 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8.
• BZ - 1979303 - [release-4.8] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out
• BZ - 1980136 - Binary secret data isn't properly uploaded by ui
• BZ - 1980302 - VNC console stays in Connecting state.
• BZ - 1981770 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit
• BZ - 1982221 - If loading dynamic plugin times out, the UI throws a syntax error
• BZ - 1982246 - Accessibility (and cypress test) issue with empty category on Operator Hub page
• BZ - 1982294 - OLM fails with 'ResolutionFailed' found multiple channel heads
• BZ - 1983247 - (release-4.8] Operator operation is not set when updating status
• BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
• BZ - 1984565 - Ipv6 IP addresses are not accepted for whitelisting
• BZ - 1984978 - [4.8z] External gateway fails to add duplicate OVN ECMP route
• BZ - 1985514 - allow-from-router feature doesn't work on v6 only single stack cluster
• BZ - 1986026 - Manila CSI driver is not in must-gather
• BZ - 1986573 - [4.8z] Services sync causes too many ovn load balancer deletes
• BZ - 1986576 - inspect on the tuning cluster operator does not gather all tuned CRs
• BZ - 1986955 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance
• BZ - 1987182 - Allow Cluster-api-provider-ovirt using auto pinning new namings
• BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
• BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
• BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

CVEs

• CVE-2021-31525
• CVE-2021-33195
• CVE-2021-33196
• CVE-2021-33197
• CVE-2021-33198
• CVE-2021-34558

References

• https://access.redhat.com/security/updates/classification/#moderate