RHSA-2022:5026 - Security Advisory

トピック

Red Hat OpenShift Virtualization release 4.10.2 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

説明

This advisory contains the following OpenShift Virtualization 4.10.2 images:

RHEL-8-CNV-4.10
===============

virt-artifacts-server-container-v4.10.2-1
kubevirt-template-validator-container-v4.10.2-1
virtio-win-container-v4.10.2-1
node-maintenance-operator-container-v4.10.2-1
hostpath-provisioner-operator-container-v4.10.2-1
virt-handler-container-v4.10.2-1
libguestfs-tools-container-v4.10.2-1
hostpath-csi-driver-container-v4.10.2-1
virt-operator-container-v4.10.2-1
virt-launcher-container-v4.10.2-1
hostpath-provisioner-container-v4.10.2-1
virt-api-container-v4.10.2-1
virt-controller-container-v4.10.2-1
cnv-must-gather-container-v4.10.2-2
kubernetes-nmstate-handler-container-v4.10.2-3
bridge-marker-container-v4.10.2-3
virt-cdi-uploadproxy-container-v4.10.2-3
virt-cdi-uploadserver-container-v4.10.2-3
ovs-cni-marker-container-v4.10.2-3
virt-cdi-operator-container-v4.10.2-3
ovs-cni-plugin-container-v4.10.2-3
kubemacpool-container-v4.10.2-3
virt-cdi-controller-container-v4.10.2-3
kubevirt-ssp-operator-container-v4.10.2-4
cnv-containernetworking-plugins-container-v4.10.2-3
cluster-network-addons-operator-container-v4.10.2-3
virt-cdi-apiserver-container-v4.10.2-3
hyperconverged-cluster-operator-container-v4.10.2-2
hyperconverged-cluster-webhook-container-v4.10.2-2
virt-cdi-cloner-container-v4.10.2-3
virt-cdi-importer-container-v4.10.2-3
hco-bundle-registry-container-v4.10.2-10

Security Fix(es):

• prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

解決策

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

影響を受ける製品

• Red Hat Container Native Virtualization 4.10 for RHEL 8 x86_64
• Red Hat Container Native Virtualization 4.10 for RHEL 7 x86_64

修正

• BZ - 2016290 - [Warm] Warm Migration Fails and reporting ambiguous status.
• BZ - 2033346 - [cnv-4.10] Add vm name label to virt-launcher pods
• BZ - 2037605 - Openshift Virtualization alert 50% of the hyperconverged-cluster-operator-metrics/hyperconverged-cluster-operator-metrics targets in openshift-cnv namespace have been unreachable for more than 15 minutes on port 8686
• BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
• BZ - 2074384 - SAP HANA template - template should be moved to https://github.com/RHsyseng/cnv-supplemental-templates
• BZ - 2080453 - [4.10.z] cluster-network-addons-operator deployment's MULTUS_IMAGE is pointing to brew image
• BZ - 2080918 - Upgrade CNV from 4.10.1 to 4.11 should be blocked if CNV k8s-nmstate is still installed
• BZ - 2083594 - virtctl guestfs incorrectly assumes image name
• BZ - 2085459 - smartclone-controller not started and cloned DataVolumes stuck in SnapshotForSmartCloneInProgress
• BZ - 2086114 - HCO is taking more than 12 minutes to reconcile consolequickstart connect-ext-net-to-vm and customize-a-boot-source
• BZ - 2086541 - NMO CSV dependency to CNV is failing
• BZ - 2088476 - [4.10.z] VMSnapshot restore fails to provision volume with size mismatch error
• BZ - 2088622 - 4.10.2 containers
• BZ - 2089637 - CNAO is blocking upgrade to 4.11 despite standalone nmstate operator is installed
• BZ - 2089658 - SSP Reconcile logging improvement when CR resources are changed
• BZ - 2089661 - [CNV-4.10] HCO Being Unable to Reconcile State

CVE

• CVE-2018-25032
• CVE-2022-1271
• CVE-2022-21698

参考資料

• https://access.redhat.com/security/updates/classification/#moderate