RHSA-2021:4845 - Security Advisory

Topic

An update is now available for Red Hat OpenShift Container Storage 4.8.5 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform.
Red Hat OpenShift Container Storage is highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provides a multicloud data management service
with an S3 compatible API.

Security Fix(es):

• nodejs-ssh2: Command injection by calling vulnerable method with

untrusted input (CVE-2020-26301)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section.

Bug Fix(es):

• Previously, when the namespace store target was deleted, no alert was

sent to the namespace bucket because of an issue in calculating the
namespace bucket health. With this update, the issue in calculating the
namespace bucket health is fixed and alerts are triggered as expected.
(BZ#1993873)

• Previously, the Multicloud Object Gateway (MCG) components performed

slowly and there was a lot of pressure on the MCG components due to
non-optimized database queries. With this update the non-optimized
database queries are fixed which reduces the compute resources and time
taken for queries. (BZ#2015939)

Red Hat recommends that all users of OpenShift Container Storage apply this update to fix these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Data Foundation 4 for RHEL 8 x86_64
• Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 8 ppc64le
• Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 8 s390x

Fixes

• BZ - 1993873 - [4.8.z clone] Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted
• BZ - 2006958 - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input

CVEs

• CVE-2019-5827
• CVE-2019-13750
• CVE-2019-13751
• CVE-2019-17594
• CVE-2019-17595
• CVE-2019-18218
• CVE-2019-19603
• CVE-2019-20838
• CVE-2020-8037
• CVE-2020-12762
• CVE-2020-13435
• CVE-2020-14155
• CVE-2020-16135
• CVE-2020-24370
• CVE-2020-26301
• CVE-2020-28493
• CVE-2021-3200
• CVE-2021-3426
• CVE-2021-3445
• CVE-2021-3572
• CVE-2021-3580
• CVE-2021-3778
• CVE-2021-3796
• CVE-2021-3800
• CVE-2021-20095
• CVE-2021-20231
• CVE-2021-20232
• CVE-2021-20266
• CVE-2021-22876
• CVE-2021-22898
• CVE-2021-22925
• CVE-2021-23840
• CVE-2021-23841
• CVE-2021-27645
• CVE-2021-28153
• CVE-2021-28957
• CVE-2021-33560
• CVE-2021-33574
• CVE-2021-35942
• CVE-2021-36084
• CVE-2021-36085
• CVE-2021-36086
• CVE-2021-36087
• CVE-2021-42574
• CVE-2021-42771

References

• https://access.redhat.com/security/updates/classification/#moderate