RHSA-2023:1372 - Security Advisory

Topic

The components for Red Hat OpenShift support for Windows Containers 8.0.0 are now available. This product release includes bug fixes and a moderate security
update for the following packages: windows-machine-config-operator and
windows-machine-config-operator-bundle.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Security Fix(es):

• golang: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
• containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64

Fixes

• BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
• BZ - 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
• WINC-942 - OpenShift Branching Day release-4.13 / WMCO 8.0.0
• OCPBUGS-2028 - [WINC] Windows nodes name not matching hostname in GCP
• OCPBUGS-1513 - Check if Windows defender is running doesnt work
• OCPBUGS-5065 - Installation of WMCO in different namespace fails
• OCPBUGS-5732 - Windows nodes do not get drained (deconfigure) during the upgrade process
• WINC-733 - Instance cleanup is done by WICD cleanup command
• OCPBUGS-5354 - WMCO is unable to drain DaemonSet workloads
• WINC-962 - Pick up openshift/kubernetes 1.26 rebase updates
• OCPBUGS-6611 - Hybrid Overlay logfile is in use and cannot be deleted
• WINC-923 - Update pause image to 3.9
• OCPBUGS-6635 - WMCO kubelet version not matching OCP payload's one
• WINC-741 - WICD takes more responsibility of Node configuration
• OCPBUGS-7287 - Kublet logs are not written to the kubelet log file
• WINC-977 - Update kube-proxy submodule to sdn-4.13-kubernetes-1.26.0
• OCPBUGS-4133 - Load Balance service with externalTrafficPolicy="Cluster" for Windows workloads intermittently unavailable in GCP and Azure
• WINC-838 - Use PodOS field in e2e tests, and document it for users
• OCPBUGS-5378 - containerd version is being misreported
• WINC-898 - Containerd is added to windows-services configmap
• OCPBUGS-5887 - Directory deletion errors are being ignored when deconfiguring Windows instances
• OCPBUGS-3506 - Load balancer shows connectivity outage during Windows nodes upgrade
• WINC-736 - WICD controller periodically reconciles the state of Windows services
• OCPBUGS-10416 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace
• OCPBUGS-10709 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup -
• OCPBUGS-10930 - Windows pods are unable to resolve DNS records for services
• OCPBUGS-11444 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\"
• OCPBUGS-11735 - oc adm node-logs failing in vSphere CI
• WINC-1001 - Use standard library errors package
• WINC-959 - update GitHub build and testing docs
• WINC-1014 - Enable in-tree storage for vSphere for 4.13

CVEs

• CVE-2022-41717
• CVE-2023-25173

References

• https://access.redhat.com/security/updates/classification/#moderate