Red Hat Product Errata RHSA-2022:0114 - Security Advisory
Issued:
2022-01-19
Updated:
2022-01-19

RHSA-2022:0114 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 4.7.41 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.7.41 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.41. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2022:0117

Security Fix(es):

  • haproxy: an HTTP method name may contain a space followed by the name of

a protected resource (CVE-2021-39241)

  • haproxy: request smuggling attack or response splitting via duplicate

content-length header (CVE-2021-40346)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Solution

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

Fixes

  • BZ - 1995107 - CVE-2021-39241 haproxy: an HTTP method name may contain a space followed by the name of a protected resource
  • BZ - 2000599 - CVE-2021-40346 haproxy: request smuggling attack or response splitting via duplicate content-length header

Red Hat OpenShift Container Platform 4.7 for RHEL 8

SRPM
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.src.rpm SHA-256: 5345c3763b509decd11d894a9caa9c5bf5a876998515704a18aa559083b373a8
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.src.rpm SHA-256: 3fc358678dce7725e60f1f1e03bf534a112a8c9b3c6dc22f89b0adfe512562d5
haproxy-2.0.19-2.el8.src.rpm SHA-256: 30ed52e870e479e7a47ff03aafc2e9c4e35d088f5a556167eccb21502d1a211a
openshift-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.src.rpm SHA-256: 063e1ea01278990efd4e3b67ffe8058d46d17a81d72140f2ec76b83bb52ef7c6
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.src.rpm SHA-256: 86f1ceda451d897faccacb8a5aed3910fc7b61ddcda396661bae3c06d0a409d1
openshift-kuryr-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.src.rpm SHA-256: 4ceca5f40cd53798ab3a9593f6b0447208ad0ee227ddd0f6255557b1c51ca361
x86_64
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.x86_64.rpm SHA-256: 7ba49d16325163322de4340478f3a5e189bd939de6097d40eb46e2b884b0d412
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.x86_64.rpm SHA-256: 077574526f28735dde52d792f8af68a2a328c0b28e01670b6e76f3bcff8152cd
cri-o-debuginfo-1.20.6-5.rhaos4.7.git8594c20.el8.x86_64.rpm SHA-256: 344447a1ea29027b3776dc379182d195dcab79e9aee8cc06d55aeca8af12c724
cri-o-debugsource-1.20.6-5.rhaos4.7.git8594c20.el8.x86_64.rpm SHA-256: ec0e6825d49407f9192b4cb6428fd841d899e16477db8d01880a083659436fdd
haproxy-debugsource-2.0.19-2.el8.x86_64.rpm SHA-256: fdf2e420c7253e71135b41a426e9004f188e7476272a5cc43d673407ff748452
haproxy20-2.0.19-2.el8.x86_64.rpm SHA-256: 52249741d50bbebabceac57b887416f62a98db423aafb790dc30a803087e14c5
haproxy20-debuginfo-2.0.19-2.el8.x86_64.rpm SHA-256: acfa7a7b4d7c730613c3f6a04c21e94bd9a5eba1ed66232df3a1bcced606057e
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.x86_64.rpm SHA-256: c990cea149de7a313723c229c6edf263e9e04b498bfb9a86b3d41cb867e7c96f
openshift-clients-redistributable-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.x86_64.rpm SHA-256: c39615b36931f10e4feac113f40a76f8f4759da39e6558ce15fcb290860509f0
openshift-hyperkube-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.x86_64.rpm SHA-256: a43de69edfb3637d35bd91fb9966f6dc030dbf4643fcfba8b82b2ee39166d263
openshift-kuryr-cni-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: d707a3c35a1cab19b61b73f621a7a668b8bef49c7cf6a8616fb0843405bf8e57
openshift-kuryr-common-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 679d0d198c08f7c5c7a01e4ee895d2cdf3223877e13d6472df8835cf77cb6d71
openshift-kuryr-controller-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 18c5b2f5aafa4700e8aad90d5237678fd20061926754cf3eddcf082a393e323d
python3-kuryr-kubernetes-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 7a3479c5231312b37e7f06b171baa3d525a5908793c659f8f057b6025b8cd410

Red Hat OpenShift Container Platform 4.7 for RHEL 7

SRPM
cri-o-1.20.6-5.rhaos4.7.git8594c20.el7.src.rpm SHA-256: 85c8ceac0d2536d1bdad87598e18ed44d2011be76b103fd9ac76e7a12bde863d
haproxy-2.0.19-2.el7.src.rpm SHA-256: c5a6668deef5f351c859a499bfe2abfd8335299a10e0826d9a963564c3105d2f
openshift-4.7.0-202201082234.p0.ge880017.assembly.stream.el7.src.rpm SHA-256: 9bac87ba848fbddf9f7fb2eee5abcb3a1fa5334d0ee02e8dbcd00247195caaf2
openshift-ansible-4.7.0-202201082234.p0.g4a5273a.assembly.stream.el7.src.rpm SHA-256: 696dcc6d09307e608b56fd9d789855b8314503ecfc88e0f63359e1351c24ab79
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el7.src.rpm SHA-256: 5f4c52d61591b3b24d5bb422ed0045ba2bf2b34b6edd7431c95cb23cccd430aa
x86_64
cri-o-1.20.6-5.rhaos4.7.git8594c20.el7.x86_64.rpm SHA-256: 26ec26a93102205f5728ae311a854e72e7c49e78c9614f90a23b377f011c510e
cri-o-debuginfo-1.20.6-5.rhaos4.7.git8594c20.el7.x86_64.rpm SHA-256: 65df310d88b1396502bdb33144bb10cffde5e7c3f39c0d6a5828bd2031db6355
haproxy-debuginfo-2.0.19-2.el7.x86_64.rpm SHA-256: 02859a91ae1c81d56aa82532d92989a9c70c24a69afa44d753233dd871db43e9
haproxy20-2.0.19-2.el7.x86_64.rpm SHA-256: 8154b125afa00cbce0f451fc0a3814186360e85a0fa036a5ad4fb4d739ba77ac
openshift-ansible-4.7.0-202201082234.p0.g4a5273a.assembly.stream.el7.noarch.rpm SHA-256: f38c48e216d85e136e75736a20f0cd8d46d38c0d8c7378a7fcdf077021052234
openshift-ansible-test-4.7.0-202201082234.p0.g4a5273a.assembly.stream.el7.noarch.rpm SHA-256: 1422231d097b5f2528e090c103cdee14ce443781f000dd0fcdd5bac827692e0a
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el7.x86_64.rpm SHA-256: 5ab0cdef3cb7da068f74309d28bb760ca9aaf4ce58889b89df9d159cfeaab6fa
openshift-clients-redistributable-4.7.0-202201082234.p0.g25914b8.assembly.stream.el7.x86_64.rpm SHA-256: 4f42a9856f91c2c9d87fe3ba72b6d08746f88d9916be9aaac0f9e4541c602f92
openshift-hyperkube-4.7.0-202201082234.p0.ge880017.assembly.stream.el7.x86_64.rpm SHA-256: 3bb7a4f996a8916b1a511344a9a8f98a25632f4245235ce64ae6a2c04137ee78

Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8

SRPM
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.src.rpm SHA-256: 5345c3763b509decd11d894a9caa9c5bf5a876998515704a18aa559083b373a8
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.src.rpm SHA-256: 3fc358678dce7725e60f1f1e03bf534a112a8c9b3c6dc22f89b0adfe512562d5
haproxy-2.0.19-2.el8.src.rpm SHA-256: 30ed52e870e479e7a47ff03aafc2e9c4e35d088f5a556167eccb21502d1a211a
openshift-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.src.rpm SHA-256: 063e1ea01278990efd4e3b67ffe8058d46d17a81d72140f2ec76b83bb52ef7c6
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.src.rpm SHA-256: 86f1ceda451d897faccacb8a5aed3910fc7b61ddcda396661bae3c06d0a409d1
openshift-kuryr-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.src.rpm SHA-256: 4ceca5f40cd53798ab3a9593f6b0447208ad0ee227ddd0f6255557b1c51ca361
ppc64le
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.ppc64le.rpm SHA-256: 00f307561479f7c2c0dbd841688af8ade8e5cc7eb1aae4aba7cc830f8409a4f5
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.ppc64le.rpm SHA-256: d07074cc9c2804e92709f831aa84acdf2c7ab6ffa5506c62e322ff0b3303b356
cri-o-debuginfo-1.20.6-5.rhaos4.7.git8594c20.el8.ppc64le.rpm SHA-256: 3b7d1f5874f4077f9ae2d3020cb693779d86e59695347ebda932ba805bb2952f
cri-o-debugsource-1.20.6-5.rhaos4.7.git8594c20.el8.ppc64le.rpm SHA-256: 85953bc096ddf31cbe228671b73df811637e2ea034bb5e5196f9c7577de3793d
haproxy-debugsource-2.0.19-2.el8.ppc64le.rpm SHA-256: ffd2da0fb9f5b8cb3bd610f95a20e6c9ada4942386a6ccee1ec0fbaef821d347
haproxy20-2.0.19-2.el8.ppc64le.rpm SHA-256: 452af89d35e545c0b6299ab9dec2f548f3dbb2bb274c547f4b9152c55d04cb93
haproxy20-debuginfo-2.0.19-2.el8.ppc64le.rpm SHA-256: 37c1c3e1563faab1684c3ee8190951955de6ce44e1a9cc0572683301c7e21120
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.ppc64le.rpm SHA-256: 962edf30d439dd03e614e24b7cbc49d991eb4ebb1798686a20d07e9eab40e343
openshift-hyperkube-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.ppc64le.rpm SHA-256: 004ebf69c04015419accba35ff8df2667a6990bb4ef61ff6d77f5ee9327f500d
openshift-kuryr-cni-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: d707a3c35a1cab19b61b73f621a7a668b8bef49c7cf6a8616fb0843405bf8e57
openshift-kuryr-common-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 679d0d198c08f7c5c7a01e4ee895d2cdf3223877e13d6472df8835cf77cb6d71
openshift-kuryr-controller-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 18c5b2f5aafa4700e8aad90d5237678fd20061926754cf3eddcf082a393e323d
python3-kuryr-kubernetes-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 7a3479c5231312b37e7f06b171baa3d525a5908793c659f8f057b6025b8cd410

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8

SRPM
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.src.rpm SHA-256: 5345c3763b509decd11d894a9caa9c5bf5a876998515704a18aa559083b373a8
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.src.rpm SHA-256: 3fc358678dce7725e60f1f1e03bf534a112a8c9b3c6dc22f89b0adfe512562d5
haproxy-2.0.19-2.el8.src.rpm SHA-256: 30ed52e870e479e7a47ff03aafc2e9c4e35d088f5a556167eccb21502d1a211a
openshift-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.src.rpm SHA-256: 063e1ea01278990efd4e3b67ffe8058d46d17a81d72140f2ec76b83bb52ef7c6
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.src.rpm SHA-256: 86f1ceda451d897faccacb8a5aed3910fc7b61ddcda396661bae3c06d0a409d1
openshift-kuryr-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.src.rpm SHA-256: 4ceca5f40cd53798ab3a9593f6b0447208ad0ee227ddd0f6255557b1c51ca361
s390x
atomic-openshift-service-idler-4.7.0-202201082234.p0.g39cfc66.assembly.stream.el8.s390x.rpm SHA-256: 2e389b93a1ed27e14252de3ac156c7de2deaa141cedf59baeff4c36dcb7c978a
cri-o-1.20.6-5.rhaos4.7.git8594c20.el8.s390x.rpm SHA-256: 921db88ed3d6ee87a9221b13a46829fce7eaf080b5e5b38e8249b9c824c14a76
cri-o-debuginfo-1.20.6-5.rhaos4.7.git8594c20.el8.s390x.rpm SHA-256: 4c4edc7f879b413f00233f90f3a2efe96b65d8f2c45dc87104c9500651f34067
cri-o-debugsource-1.20.6-5.rhaos4.7.git8594c20.el8.s390x.rpm SHA-256: bc2e70fe0e776333432126a84613422a57c408a5bea04d0ad179a1028296e502
haproxy-debugsource-2.0.19-2.el8.s390x.rpm SHA-256: 42bb7a235a5ef2bda9881c6fbd7dace1fdbdca32f5131a664fc18fb8e3128b2b
haproxy20-2.0.19-2.el8.s390x.rpm SHA-256: a097926e2321d41cde122a45a3a68ca6ce6eea6569b3f0c4fda4c1a75438f019
haproxy20-debuginfo-2.0.19-2.el8.s390x.rpm SHA-256: 223e146fbfc7affe9f510fa14ea417e3fac725ea66abdfe6a9c25993ffc6faa5
openshift-clients-4.7.0-202201082234.p0.g25914b8.assembly.stream.el8.s390x.rpm SHA-256: 13480ddd9e3dfc2a562351d66e0e10e2285b2c538912c4e358c818a60b8dcdd5
openshift-hyperkube-4.7.0-202201082234.p0.ge880017.assembly.stream.el8.s390x.rpm SHA-256: 89e1c9b88c44d60d615fd9fd388a230c3bb207fc0c4bdba547d94889891d86c0
openshift-kuryr-cni-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: d707a3c35a1cab19b61b73f621a7a668b8bef49c7cf6a8616fb0843405bf8e57
openshift-kuryr-common-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 679d0d198c08f7c5c7a01e4ee895d2cdf3223877e13d6472df8835cf77cb6d71
openshift-kuryr-controller-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 18c5b2f5aafa4700e8aad90d5237678fd20061926754cf3eddcf082a393e323d
python3-kuryr-kubernetes-4.7.0-202201082234.p0.g72de60e.assembly.stream.el8.noarch.rpm SHA-256: 7a3479c5231312b37e7f06b171baa3d525a5908793c659f8f057b6025b8cd410

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.