Red Hat Product Errata RHSA-2022:1025 - Security Advisory
Issued:
2022-03-28
Updated:
2022-03-28

RHSA-2022:1025 - Security Advisory

Synopsis

Important: OpenShift Container Platform 4.10.6 security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.10.6 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.10.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

CVE-2022-25181 CVE-2022-25182 CVE-2022-25183 CVE-2022-25176 CVE-2022-25177 CVE-2022-25178 CVE-2022-25179 CVE-2022-25180 CVE-2022-25184

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.6. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2022:1026

Security Fix(es):

  • workflow-cps: OS command execution through crafted SCM contents

(CVE-2022-25173)

  • workflow-cps-global-lib: OS command execution through crafted SCM

contents (CVE-2022-25174)

  • workflow-multibranch: OS command execution through crafted SCM contents

(CVE-2022-25175)

  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25181)
  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25182)
  • workflow-cps-global-lib: Sandbox bypass vulnerability (CVE-2022-25183)
  • workflow-cps: Pipeline-related plugins follow symbolic links or do not

limit path names (CVE-2022-25176)

  • workflow-cps-global-lib: Pipeline-related plugins follow symbolic links

or do not limit path names (CVE-2022-25177)

  • workflow-cps-global-lib: Pipeline-related plugins follow symbolic links

or do not limit path names (CVE-2022-25178)

  • workflow-multibranch: Pipeline-related plugins follow symbolic links or

do not limit path names (CVE-2022-25179)

  • workflow-cps: Password parameters are included from the original build in

replayed builds (CVE-2022-25180)

  • pipeline-build-step: Password parameter default values exposed

(CVE-2022-25184)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.10 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.10 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

  • BZ - 2055719 - CVE-2022-25175 workflow-multibranch: OS command execution through crafted SCM contents
  • BZ - 2055733 - CVE-2022-25173 workflow-cps: OS command execution through crafted SCM contents
  • BZ - 2055734 - CVE-2022-25174 workflow-cps-global-lib: OS command execution through crafted SCM contents
  • BZ - 2055787 - CVE-2022-25176 workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055788 - CVE-2022-25177 workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055789 - CVE-2022-25178 workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055792 - CVE-2022-25179 workflow-multibranch: Pipeline-related plugins follow symbolic links or do not limit path names
  • BZ - 2055795 - CVE-2022-25180 workflow-cps: Password parameters are included from the original build in replayed builds
  • BZ - 2055797 - CVE-2022-25181 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055798 - CVE-2022-25182 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055802 - CVE-2022-25183 workflow-cps-global-lib: Sandbox bypass vulnerability
  • BZ - 2055804 - CVE-2022-25184 pipeline-build-step: Password parameter default values exposed

Red Hat OpenShift Container Platform 4.10 for RHEL 8

SRPM
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.src.rpm SHA-256: faa59de15b1656b492fabc4d27fd7139dbaeb4461680a5a12717b475128e43b3
jenkins-2-plugins-4.10.1647505461-1.el8.src.rpm SHA-256: cf6e625a848750ee00c27c7bb912613455db6885bfb3ce4232a16cd2864d159b
openshift-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.src.rpm SHA-256: 090d76c3db861dfd6d7389afe796e8ea6caa8a4fe3d490f887a59196cac77db6
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.src.rpm SHA-256: 99e676cf3a8d4cb11ecb873b93fdcd6ec4259a5933f436f9e437af849ad3007d
x86_64
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.x86_64.rpm SHA-256: 11fadf645916dbb89dd98b7979f6767023382412b50158774d392e6e3c936ad0
cri-o-debuginfo-1.23.2-2.rhaos4.10.git071ae78.el8.x86_64.rpm SHA-256: bb3e20b2e4eab1f7abffe1cf8b2b7c1b4a049124a91b4738b86462c80817f52f
cri-o-debugsource-1.23.2-2.rhaos4.10.git071ae78.el8.x86_64.rpm SHA-256: 6457a1a531ba61d3e0f93bffd514c416726f7dcb1fb301c7e33451b75263d56c
jenkins-2-plugins-4.10.1647505461-1.el8.noarch.rpm SHA-256: 09212cdf5b04afc899c87684fa1a5e3fb961d3970d699392544237107fbf6f37
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.x86_64.rpm SHA-256: d5149d1d61f34a7fc9db393f955017312d9501b62c859c4a7c608aedfaa7ac9a
openshift-clients-redistributable-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.x86_64.rpm SHA-256: 110500950206fc0de89af74c34005f2e5e9cb0247b290e6fe31c6b0f90b8d366
openshift-hyperkube-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.x86_64.rpm SHA-256: e523c256c13b388cd474ba34077ac56d1ecc5c53105d543d353870e5c36a8c8e

Red Hat OpenShift Container Platform 4.10 for RHEL 7

SRPM
openshift-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el7.src.rpm SHA-256: 2ca5dac79616d7eff7edf2446b5d5b22a116c55ed33e09604aa5f87f40d3408d
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el7.src.rpm SHA-256: 901e08a0edaa41d83a5fec063c60f58e30d909ef21061586c208a329d9c27a15
x86_64
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el7.x86_64.rpm SHA-256: 11d870566947d00db1e9101baf3344f60e089e9cd299a0ab44f900b72d18302e
openshift-clients-redistributable-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el7.x86_64.rpm SHA-256: 5cd7e2d5f4aa6282d59bb61b87ebf9786f9b638d356495e8e4fc2f1fa0411894
openshift-hyperkube-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el7.x86_64.rpm SHA-256: b661bdeb022e5f273c699035c188c6bb80ba20bbb0cea794b5bba8edff742c63

Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8

SRPM
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.src.rpm SHA-256: faa59de15b1656b492fabc4d27fd7139dbaeb4461680a5a12717b475128e43b3
jenkins-2-plugins-4.10.1647505461-1.el8.src.rpm SHA-256: cf6e625a848750ee00c27c7bb912613455db6885bfb3ce4232a16cd2864d159b
openshift-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.src.rpm SHA-256: 090d76c3db861dfd6d7389afe796e8ea6caa8a4fe3d490f887a59196cac77db6
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.src.rpm SHA-256: 99e676cf3a8d4cb11ecb873b93fdcd6ec4259a5933f436f9e437af849ad3007d
ppc64le
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.ppc64le.rpm SHA-256: d307a4d6be1b0ec0f3e6857c83b9872866d9c102d2054cc016d99502024e1f7a
cri-o-debuginfo-1.23.2-2.rhaos4.10.git071ae78.el8.ppc64le.rpm SHA-256: 4de28a96cb5606b5970613e6875a5999a96c839f80fafee5ac982e7d75101ad0
cri-o-debugsource-1.23.2-2.rhaos4.10.git071ae78.el8.ppc64le.rpm SHA-256: 3f325124107676562748896e95cfe8aec0118be42b9ca7a0ffa8579b840e89dd
jenkins-2-plugins-4.10.1647505461-1.el8.noarch.rpm SHA-256: 09212cdf5b04afc899c87684fa1a5e3fb961d3970d699392544237107fbf6f37
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.ppc64le.rpm SHA-256: 5cb0289d29298df80a31f2c4e32ea8436f705670a9684b29fd8a86aa4aa76c53
openshift-hyperkube-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.ppc64le.rpm SHA-256: 81f6f06dcdc067449b6d33c5248ca64292ef0f2080f44f8dd407a7703191afc5

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8

SRPM
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.src.rpm SHA-256: faa59de15b1656b492fabc4d27fd7139dbaeb4461680a5a12717b475128e43b3
jenkins-2-plugins-4.10.1647505461-1.el8.src.rpm SHA-256: cf6e625a848750ee00c27c7bb912613455db6885bfb3ce4232a16cd2864d159b
openshift-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.src.rpm SHA-256: 090d76c3db861dfd6d7389afe796e8ea6caa8a4fe3d490f887a59196cac77db6
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.src.rpm SHA-256: 99e676cf3a8d4cb11ecb873b93fdcd6ec4259a5933f436f9e437af849ad3007d
s390x
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.s390x.rpm SHA-256: 9fa96f7e9badf59c901a21479e39ffb7603d09421c45c960067cd0269dae2c04
cri-o-debuginfo-1.23.2-2.rhaos4.10.git071ae78.el8.s390x.rpm SHA-256: ced1f8311f210790c375fde77fb460b839a91249caf965644890850ce36d4768
cri-o-debugsource-1.23.2-2.rhaos4.10.git071ae78.el8.s390x.rpm SHA-256: 4cfa5d8cb56b5bb6fe7ef174a86ff707afe40f00eccd1def866ced8e1a37f983
jenkins-2-plugins-4.10.1647505461-1.el8.noarch.rpm SHA-256: 09212cdf5b04afc899c87684fa1a5e3fb961d3970d699392544237107fbf6f37
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.s390x.rpm SHA-256: 11ad3f4ba855eb47bb5369eeb669734cc65f26fdb77c95ff2135d31e3bb0fc92
openshift-hyperkube-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.s390x.rpm SHA-256: c7b39c3a92a4b3b1343f6b2f131e25f646301ae1edb7362007fbc8b0e9d4a9ab

Red Hat OpenShift Container Platform for ARM 64 4.10

SRPM
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.src.rpm SHA-256: faa59de15b1656b492fabc4d27fd7139dbaeb4461680a5a12717b475128e43b3
jenkins-2-plugins-4.10.1647505461-1.el8.src.rpm SHA-256: cf6e625a848750ee00c27c7bb912613455db6885bfb3ce4232a16cd2864d159b
openshift-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.src.rpm SHA-256: 090d76c3db861dfd6d7389afe796e8ea6caa8a4fe3d490f887a59196cac77db6
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.src.rpm SHA-256: 99e676cf3a8d4cb11ecb873b93fdcd6ec4259a5933f436f9e437af849ad3007d
aarch64
cri-o-1.23.2-2.rhaos4.10.git071ae78.el8.aarch64.rpm SHA-256: 9dc9f72ba68a4af93814ea23769de71ae5f7af34a58ab53736fa783df8aae5e6
cri-o-debuginfo-1.23.2-2.rhaos4.10.git071ae78.el8.aarch64.rpm SHA-256: d3ab0e2379df4def5ca0be0887ed0a7ff89f38dbd465fb5a2db3a73d63ec6bd6
cri-o-debugsource-1.23.2-2.rhaos4.10.git071ae78.el8.aarch64.rpm SHA-256: 016266cd1df3667458f49f8bd0ff57b67b9ff7cee9d6e65eae2f004c08c35f48
jenkins-2-plugins-4.10.1647505461-1.el8.noarch.rpm SHA-256: 09212cdf5b04afc899c87684fa1a5e3fb961d3970d699392544237107fbf6f37
openshift-clients-4.10.0-202203170916.p0.g6de42bd.assembly.stream.el8.aarch64.rpm SHA-256: df049d204aca34fc90550f3be188f5ad2f0cb03651d160b61a41a5c95098c882
openshift-hyperkube-4.10.0-202203211237.p0.gb0357ed.assembly.stream.el8.aarch64.rpm SHA-256: f11f7c551103e864c7352f99559fc1e701b68c81d9db98783f8e36c258a19f89

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.