RHSA-2023:1816 - Security Advisory

Topic

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat Container Registry.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

• golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• [backport 4.12] s3 sync directory to a bucket fails with Internal Error in between the upload operation (BZ#2170416)
• [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)
• [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442 to 4.12.z (BZ#2174335)
• [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA (BZ#2179978)
• [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO (BZ#2183198)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Data Foundation 4 for RHEL 8 x86_64
• Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 8 ppc64le
• Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 8 s390x

Fixes

• BZ - 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
• BZ - 2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables
• BZ - 2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442 to 4.12.z
• BZ - 2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work
• BZ - 2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
• BZ - 2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO
• BZ - 2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"

CVEs

• CVE-2020-10735
• CVE-2021-28861
• CVE-2022-4304
• CVE-2022-4415
• CVE-2022-4450
• CVE-2022-40897
• CVE-2022-41717
• CVE-2022-45061
• CVE-2022-48303
• CVE-2023-0215
• CVE-2023-0286
• CVE-2023-23916

References

• https://access.redhat.com/security/updates/classification/#moderate