RHSA-2022:5673 - Security Advisory

Topic

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

Description

Release osp-director-operator images

Security Fix(es):

• go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)
• go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)
• go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)
• go-getter: command injection vulnerability [Important] (CVE-2022-26945)
• golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565)
• containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)

Solution

OSP 16.2 Release - OSP Director Operator Containers tech preview

Affected Products

• Red Hat OpenStack 16.2 x86_64

Fixes

• BZ - 2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories
• BZ - 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
• BZ - 2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
• BZ - 2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
• BZ - 2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
• BZ - 2092928 - CVE-2022-26945 go-getter: command injection vulnerability

CVEs

• CVE-2021-3634
• CVE-2021-3737
• CVE-2021-4189
• CVE-2021-40528
• CVE-2021-41103
• CVE-2021-43565
• CVE-2022-1271
• CVE-2022-1621
• CVE-2022-1629
• CVE-2022-22576
• CVE-2022-25313
• CVE-2022-25314
• CVE-2022-26945
• CVE-2022-27774
• CVE-2022-27776
• CVE-2022-27782
• CVE-2022-29824
• CVE-2022-30321
• CVE-2022-30322
• CVE-2022-30323

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/errata/RHSA-2022:4991
• https://access.redhat.com/containers