Red Hat Product Errata RHSA-2021:5086 - Security Advisory
Issued:
2021-12-13
Updated:
2021-12-13

RHSA-2021:5086 - Security Advisory

Synopsis

Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

  • kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565)
  • nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
  • nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)
  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
  • golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
  • nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)
  • nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
page(s) listed in the References section.

These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to
these updated images, which provide numerous bug fixes and enhancements.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Data Foundation 4 for RHEL 8 x86_64
  • Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 8 ppc64le
  • Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 8 s390x

Fixes

  • BZ - 1810525 - [GSS][RFE] [Tracker for Ceph # BZ # 1910272] Deletion of data is not allowed after the Ceph cluster reaches osd-full-ratio threshold.
  • BZ - 1853638 - [RFE] - Can Force deletion of noobaa-db be automatically handled in case on hosting node shutdown (similar to OSD & MONS)
  • BZ - 1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
  • BZ - 1890438 - collect rados objects created by cephcsi to store internal mapping
  • BZ - 1890978 - [External] Improve error logging in ocs-operator
  • BZ - 1892709 - NooBaa storage class should be deleted when uninstalling
  • BZ - 1901954 - Allow restoring snapshot to a different pool than parent volume
  • BZ - 1910790 - [AWS 1AZ] [OCP 4.7 / OCS 4.6] ocs-operator stuck in Installing phase, and noobaa-db-0 pod in a Pending state
  • BZ - 1927782 - With graceful mode, storagecluster/cephcluster deletion should be blocked if OBC based on RGW SC still exists
  • BZ - 1929242 - [GSS] [RFE] QoS and limits in Object Bucket Claims in OpenShift for RGW
  • BZ - 1932396 - [TRACKER for BZ #1943619] - RGW does not handle "Expect: 100-continue" answers from http requests not needing it
  • BZ - 1934625 - [must-gather]improve logging and mention all instances in MG terminal log
  • BZ - 1956285 - [must-gather] log collection for some ceph cmd failed with timeout: fork system call failed: Resource temporarily unavailable
  • BZ - 1959793 - [RBD][Thick] PVC restored from a snapshot or cloned from a thick provisioned PVC, is not thick provisioned
  • BZ - 1964083 - [RFE] ocs-must-gather should collect logs for RegionalDR
  • BZ - 1965322 - Error code 500 is used when page not found
  • BZ - 1968510 - OCS uninstall should check for Volumesnapshots before proceeding with graceful Uninstall
  • BZ - 1968606 - OCS CSV Status moves to Failed and Installs again when a StorageCluster is created
  • BZ - 1969216 - Rook may recreate a file system with existing pools
  • BZ - 1973256 - [Tracker for BZ #1975608] [Mon Recovery testing(bz1965768)] After replacing degraded cephfs with new cephfs, the cephfs app-pod created before mon corruption is not accessible
  • BZ - 1975272 - [RFE] [KMS] Add support for auto-detection of the Vault KV version
  • BZ - 1975581 - OCS is still using deprecated api v1beta1
  • BZ - 1979244 - [KMS] Keys are still listed in vault after deleting encrypted PVCs while using kv-v2 secret engine
  • BZ - 1979502 - Multi-Cloud Object Gateway with v4.7 RC5 performs slow compared to v4.6 with mongodb - read flows
  • BZ - 1980818 - RBD Snapshot of encrypted PVC may fail with error "BUG: "xyz" and "xyz" have the same VolID (xyz) set!? Call stack: goroutine 118 [running]:
  • BZ - 1981331 - New namespace OBCs stuck in Pending, even though underlying bucketclass is Ready
  • BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
  • BZ - 1983756 - [Multus] Deletion of CephBlockPool get stuck and blocks creation of new pools
  • BZ - 1984284 - [GSS] [4.9 clone] Standalone Object Gateway is failing to connect
  • BZ - 1984334 - [RFE] [4.9 clone] VAULT_BACKEND parameter should be added to the csi-kms-connection-details
  • BZ - 1984396 - Failing the only OSD of a node on a 3 node cluster doesn't create blocking PDBs
  • BZ - 1984735 - [External Mode] Monitoring spec is getting reset in CephCluster resource
  • BZ - 1985074 - must-gather is skipping the ceph collection when there are two must-gather-helper pods
  • BZ - 1986444 - Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted
  • BZ - 1986794 - [Tracker for Ceph BZ #2000434] [RBD][Thick] PVC is not reaching Bound state
  • BZ - 1987806 - [External] External Cluster resources are not updated even after updating the JSON input secret
  • BZ - 1988518 - ocs-metrics-exporter runAsNonRoot error
  • BZ - 1989482 - odf-operator.v4.9.0-43.ci fails to install
  • BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
  • BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
  • BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
  • BZ - 1990230 - ocs-operator.v4.9.0-50.ci csv not found
  • BZ - 1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
  • BZ - 1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
  • BZ - 1991822 - ocs-operator.v4.9.0-53.ci: install strategy failed with "noobaa-operator" is invalid
  • BZ - 1992472 - How to add toleration to OCS pods for any non OCS taints?
  • BZ - 1994261 - odf-operator.v4.9.0-91.ci fails to install with odf-console
  • BZ - 1994577 - openshift-storage namespace is not created automatically when installing odf-operator
  • BZ - 1994584 - ocs-operator is not hidden when installed as a dependency of odf-operator 4.9
  • BZ - 1994602 - Icon for odf-operator is missing during and post installation
  • BZ - 1994606 - Details missing on the card while installing ODF Operator via UI
  • BZ - 1994687 - [vSphere]: csv ocs-registry:4.9.0-91.ci is in Installing phase
  • BZ - 1995009 - Warning to create storage system is missing in odf operator Details page
  • BZ - 1995056 - OCS_CSV_NAME is not correct in odf-operator-manager-config configmap
  • BZ - 1995271 - [GSS] noobaa-db-pg-0 Pod get in stuck CrashLoopBackOff state when enabling hugepages
  • BZ - 1995718 - [External Mode] Script "ceph-external-cluster-details-exporter.py" incompatible with python 2.x
  • BZ - 1997237 - [UI] 404: Page Not Found error when creating storage system
  • BZ - 1997624 - [KMS] PV encryption fails when using vault namespace functionality in ODF 4.9
  • BZ - 1997738 - RBD pvc creation fails on VMware
  • BZ - 1997922 - ODF-Operator installed failed because odf-console pod is in ImagePullBackOff
  • BZ - 1998851 - Disabling Ceph File System also disable Ceph RBD VolumeSnapshotStorageClass
  • BZ - 1999050 - [UI] Storage system link on OpenShift Data Foundation Page is not redirecting to the details page of the particular storage system
  • BZ - 1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 1999748 - Update OCP CSI sidecar to 4.9
  • BZ - 1999763 - odf-operator.v4.9.0-119.ci failed with version in range: 4.9.0-119.ci for noobaa-operator
  • BZ - 1999767 - [Tracker for Ceph BZ #2002557] Raw capacity is not shown in block pool page
  • BZ - 2000082 - 2 of the odf quick starts guides 'getting started' and 'configuration & management' doesn't disappear from UI on odf-operator uninstallation
  • BZ - 2000098 - ODF operator 4.9.0-120.ci fails to install on s390x due to incompatible ibm-storage-odf-plugin Docker image
  • BZ - 2000143 - OCS 4.8 to ODF 4.9 upgrade failed on OCP 4.9 AWS cluster
  • BZ - 2000190 - Current must-gather doesn't collect some of the odf-operator and storagesystem related logs for odf 4.9
  • BZ - 2000579 - [UI] ODF tab under Storage found missing and appears and then disappears again with 404: Page not found error message on URL reload
  • BZ - 2000588 - Bucket creation is failing from nooba management console
  • BZ - 2000860 - Hide thick provisioning from the UI
  • BZ - 2000865 - Revert the creation of thick provisioned storage class in 4.9
  • BZ - 2001482 - StorageCluster stuck in Progressing state for MCG only deployment
  • BZ - 2001539 - [UI] ODF Overview showing two different status for the same storage system
  • BZ - 2001580 - [UI] Title "OpenShift Data Foundation" should be used instead of "OpenShift Data Foundation Overview"
  • BZ - 2001970 - Openshift Data Foundation navitem missing under "Storage" navsection.
  • BZ - 2002225 - [Tracker for Ceph BZ #2002398] [4.9.0-129.ci]: ceph health in WARN state due to mon.a crashed
  • BZ - 2003444 - [IBM] odf metrics data is not shown in odf-console
  • BZ - 2003904 - odf-operator.v4.9.0-136.ci fails to install with odf-console in ImagePullBackOff
  • BZ - 2004003 - [External Mode] rook TLS certificate was not created
  • BZ - 2004013 - [DR] After performing failover mirroringStatus reports image_health: ERROR
  • BZ - 2004030 - Storagecluster should have a reference under storageSystem
  • BZ - 2004824 - remove ibm-console from the odf-operator
  • BZ - 2005103 - Bucket replication does not work (objects are not replicated)
  • BZ - 2005290 - namespace: openshift-storage label missing for few OCS alerts
  • BZ - 2005812 - [Recovery DOC Tracker 1978769] recover documents when ceph cluster filled up because of CephFS snapshots and clones
  • BZ - 2005838 - [Tracker for Ceph BZ #1981186] [DR] Rbdmirror pod keeps showing unable to find a keyring
  • BZ - 2005843 - [DR] odfmo-controller-manager pod label should be set based on Deployment name
  • BZ - 2005937 - Not able to add toleration for MDS pods via StorageCluster yaml
  • BZ - 2006176 - [DR] token-exchange-agent pod logs flooded with failed to sync and Failed to watch messages
  • BZ - 2006865 - Ceph alerts that are auto-resolved should not be fired
  • BZ - 2007130 - [External Mode] Exporter script fails if multiple monitoring endpoints are provided
  • BZ - 2007202 - VolumeReplication condition "Degraded" never moves to "False" when recovering from a split brain
  • BZ - 2007212 - VolumeReplication condition "Degraded" never moves to "False" when recovering from a split brain
  • BZ - 2007377 - CephObjectStore does not update the RGW configuration period if 'period --commit' fails in the first reconcile
  • BZ - 2007717 - ODF 4.9 is failing to deploy
  • BZ - 2010041 - Backport to 4.9: Inject default label to noobaa_system_reconciler
  • BZ - 2010185 - MirrorPeer status always in ExchangedSecret Phase
  • BZ - 2010188 - [DR] odfmo-controller-manager pod label should be set based on Deployment name
  • BZ - 2010194 - [DR] token-exchange-agent pod logs flooded with failed to sync and Failed to watch messages
  • BZ - 2010202 - Backport to 4.9: Adding the ability to change/add labels in service monitor
  • BZ - 2011225 - NooBaa Operator repo generates invalid CSV

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.