Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2021:4801 - Security Advisory
Issued:
2021-12-01
Updated:
2021-12-01

RHSA-2021:4801 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: OpenShift Container Platform 4.7.38 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.38. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2021:4802

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor Security Fix(es):

  • jenkins-2-plugins/subversion: does not restrict the name of a file when

looking up a subversion key (CVE-2021-21698)

  • jenkins: FilePath#mkdirs does not check permission to create parent

directories (CVE-2021-21685)

  • jenkins: File path filters do not canonicalize paths, allowing operations

to follow symbolic links to outside allowed directories (CVE-2021-21686)

  • jenkins: FilePath#untar does not check permission to create symbolic

links when unarchiving a symbolic link (CVE-2021-21687)

  • jenkins: FilePath#reading(FileVisitor) does not reject any operations

allowing users to have unrestricted read access (CVE-2021-21688)

  • jenkins: FilePath#unzip and FilePath#untar were not subject to any access

control (CVE-2021-21689)

  • jenkins: Agent processes are able to completely bypass file path

filtering by wrapping the file operation in an agent file path
(CVE-2021-21690)

  • jenkins: Creating symbolic links is possible without the symlink

permission (CVE-2021-21691)

  • jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo

only check read permission on the source path (CVE-2021-21692)

  • jenkins: When creating temporary files, permission to create files is

only checked after they’ve been created. (CVE-2021-21693)

  • jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,

FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions (CVE-2021-21694)

  • jenkins: FilePath#listFiles lists files outside directories with agent

read access when following symbolic links. (CVE-2021-21695)

  • jenkins: Agent-to-controller access control allowed writing to sensitive

directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)

  • jenkins: Agent-to-controller access control allows reading/writing most

content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

Solution

For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

Fixes

  • BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
  • BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
  • BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
  • BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
  • BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
  • BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
  • BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
  • BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
  • BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
  • BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
  • BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
  • BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
  • BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
  • BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

CVEs

  • CVE-2021-21685
  • CVE-2021-21686
  • CVE-2021-21687
  • CVE-2021-21688
  • CVE-2021-21689
  • CVE-2021-21690
  • CVE-2021-21691
  • CVE-2021-21692
  • CVE-2021-21693
  • CVE-2021-21694
  • CVE-2021-21695
  • CVE-2021-21696
  • CVE-2021-21697
  • CVE-2021-21698

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm SHA-256: 1497b4635a9cddec4b07e1578d115a68a382ac50b91f2bf92330f2af7ab978e1
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm SHA-256: b4afc0b140f885568221d68e83f32d708b68d52aa21d3735bb691b45809b9756
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm SHA-256: da98d51a26392625fce3f6b76d25a76ec40a028c3317ef7fdc69702a0a34adb9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64.rpm SHA-256: 18ca3eca61760d38c9f2b47fc799c94c813d6b741ac78ec72f0e0d07c16ad6a2

Red Hat OpenShift Container Platform 4.7 for RHEL 7

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.src.rpm SHA-256: 6c645171e68571f1394edf48b73aa6d8c307ecc7795836df66afeea8677a1251
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src.rpm SHA-256: 373d057b309aac91d35b0d8af30b43cf4224a76db75392de977c4161fa6f7749
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm SHA-256: a2e77d402bf6313b60ae6bd751dfdc4650508aae49be1bea86a527ea4597e0eb
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm SHA-256: c44f76a8c325593c1053b30af467d59f1ee5fa20e94851ac7632319a25e4fb0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64.rpm SHA-256: 12396c6d0e47d833da1cbb12e06dca62b1ed987dc616d15ddf80c83e75197902

Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
ppc64le
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm SHA-256: a62768089af41ec0389c9fc7a25e59fc77aba099feb7d9d6dc7a0c37ca90c5b0
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm SHA-256: 83e8f763400f9b150d60bfc31491ee1d89781f133354a906b1e5a3cbf3f2ef64
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm SHA-256: 7141dee52eeba9abc04d49f861d5bebf3122a5c6e352e1d9f229e6a1f69169b9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le.rpm SHA-256: 3c98987a9605f75f2c9ef46fd512336c17f8de4b9017c15252082f0b716d5bdb

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8

SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
s390x
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm SHA-256: 924ecec211f201178f462257a6a3b84f5075155189dd6827bc5cf3321f4462bc
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm SHA-256: 245b4daf5cb1a89a3570b6ae9ea910766b630c57058c4b62914d80240a675038
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm SHA-256: 552a32a7af957d8731b602d75f81c7a52f612ca506ed9784a2a09a0a90a28680
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x.rpm SHA-256: 7d42409b17b34e9d9205820d2a88b74482d384fdfbeba6c3c1260baf86211361

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility