Red Hat Product Errata RHSA-2022:9096 - Security Advisory
Issued:
2023-01-30
Updated:
2023-01-30

RHSA-2022:9096 - Security Advisory

Synopsis

Moderate: Red Hat OpenShift support for Windows Containers 7.0.0 [security update]

Type/Severity

Security Advisory: Moderate

Topic

The components for Red Hat OpenShift support for Windows Container 7.0.0 are now
available. This product release includes bug fixes and a moderate security
update for the following packages: windows-machine-config-operator and
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Security Fix(es):

  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
  • golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
  • kubelet: runAsNonRoot logic bypass for Windows containers (CVE-2021-25749)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64

Fixes

  • BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • BZ - 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
  • BZ - 2107261 - [WMCO] WMCO endpoints missing after WMCO restart in vSphere
  • BZ - 2127808 - CVE-2021-25749 kubelet: runAsNonRoot logic bypass for Windows containers
  • WINC-740 - Configure kube-proxy through WICD
  • WINC-830 - Use valid Windows Server 2022 image in platform=none job
  • WINC-738 - Kubelet service is described in services ConfigMap
  • WINC-888 - WMCO?s user data secret in GCP does not include tags
  • WINC-739 - Configure azure node manager through WICD
  • OCPBUGS-3509 - [WINC] Windows nodes name not matching hostname in GCP
  • WINC-732 - Nodes are bootstrapped with WICD bootstrap command
  • WINC-949 - Rename powershellVariablesInCommand
  • OCPBUGS-4092 - Load balancer shows connectivity outage during Windows nodes upgrade
  • OCPBUGS-3573 - Check if Windows defender is running doesnt work
  • WINC-713 - Implement WICD bootstrap command
  • WINC-718 - WICD cleanup command (happy path)
  • WINC-731 - Run WICD service on Windows instances
  • WINC-737 - Move hybrid-overlay configuration to WICD
  • WINC-815 - GCP support for Windows Server 2022
  • WINC-848 - Windows exporter is configured by WICD
  • WINC-873 - Upgrade to go 1.19
  • WINC-874 - Pick up openshift/kubernetes 1.25 rebase updates
  • WINC-927 - Stop dependent services before stopping a service in WICD
  • WINC-941 - Use IMDSv1 to get hostname in AWS
  • OCPBUGS-5803 - Windows nodes do not get drained (deconfigure) during the upgrade process
  • OCPBUGS-5749 - Installation of WMCO in different namespace fails
  • WINC-957 - Update containerd to 1.6.15

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.