Issued:: 2021-12-01
Updated:: 2021-12-01

RHSA-2021:4801 - Security Advisory

Overview
Updated Packages

Synopsis

Important: OpenShift Container Platform 4.7.38 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.38. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2021:4802

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor Security Fix(es):

jenkins-2-plugins/subversion: does not restrict the name of a file when

looking up a subversion key (CVE-2021-21698)

jenkins: FilePath#mkdirs does not check permission to create parent

directories (CVE-2021-21685)

jenkins: File path filters do not canonicalize paths, allowing operations

to follow symbolic links to outside allowed directories (CVE-2021-21686)

jenkins: FilePath#untar does not check permission to create symbolic

links when unarchiving a symbolic link (CVE-2021-21687)

jenkins: FilePath#reading(FileVisitor) does not reject any operations

allowing users to have unrestricted read access (CVE-2021-21688)

jenkins: FilePath#unzip and FilePath#untar were not subject to any access

control (CVE-2021-21689)

jenkins: Agent processes are able to completely bypass file path

filtering by wrapping the file operation in an agent file path
(CVE-2021-21690)

jenkins: Creating symbolic links is possible without the symlink

permission (CVE-2021-21691)

jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo

only check read permission on the source path (CVE-2021-21692)

jenkins: When creating temporary files, permission to create files is

only checked after they’ve been created. (CVE-2021-21693)

jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,

FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions (CVE-2021-21694)

jenkins: FilePath#listFiles lists files outside directories with agent

read access when following symbolic links. (CVE-2021-21695)

jenkins: Agent-to-controller access control allowed writing to sensitive

directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)

jenkins: Agent-to-controller access control allows reading/writing most

content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

Solution

For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

Affected Products

Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

Fixes

BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm	SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm	SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm	SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm	SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm	SHA-256: 1497b4635a9cddec4b07e1578d115a68a382ac50b91f2bf92330f2af7ab978e1
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm	SHA-256: b4afc0b140f885568221d68e83f32d708b68d52aa21d3735bb691b45809b9756
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm	SHA-256: da98d51a26392625fce3f6b76d25a76ec40a028c3317ef7fdc69702a0a34adb9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm	SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm	SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64.rpm	SHA-256: 18ca3eca61760d38c9f2b47fc799c94c813d6b741ac78ec72f0e0d07c16ad6a2

Red Hat OpenShift Container Platform 4.7 for RHEL 7

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.src.rpm	SHA-256: 6c645171e68571f1394edf48b73aa6d8c307ecc7795836df66afeea8677a1251
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src.rpm	SHA-256: 373d057b309aac91d35b0d8af30b43cf4224a76db75392de977c4161fa6f7749
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm	SHA-256: a2e77d402bf6313b60ae6bd751dfdc4650508aae49be1bea86a527ea4597e0eb
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm	SHA-256: c44f76a8c325593c1053b30af467d59f1ee5fa20e94851ac7632319a25e4fb0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64.rpm	SHA-256: 12396c6d0e47d833da1cbb12e06dca62b1ed987dc616d15ddf80c83e75197902

Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm	SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm	SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm	SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm	SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
ppc64le
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm	SHA-256: a62768089af41ec0389c9fc7a25e59fc77aba099feb7d9d6dc7a0c37ca90c5b0
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm	SHA-256: 83e8f763400f9b150d60bfc31491ee1d89781f133354a906b1e5a3cbf3f2ef64
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm	SHA-256: 7141dee52eeba9abc04d49f861d5bebf3122a5c6e352e1d9f229e6a1f69169b9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm	SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm	SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le.rpm	SHA-256: 3c98987a9605f75f2c9ef46fd512336c17f8de4b9017c15252082f0b716d5bdb

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm	SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm	SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm	SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm	SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
s390x
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm	SHA-256: 924ecec211f201178f462257a6a3b84f5075155189dd6827bc5cf3321f4462bc
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm	SHA-256: 245b4daf5cb1a89a3570b6ae9ea910766b630c57058c4b62914d80240a675038
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm	SHA-256: 552a32a7af957d8731b602d75f81c7a52f612ca506ed9784a2a09a0a90a28680
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm	SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm	SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x.rpm	SHA-256: 7d42409b17b34e9d9205820d2a88b74482d384fdfbeba6c3c1260baf86211361

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation