Red Hat Product Errata
RHSA-2023:2138 - Security Advisory
Issued: 2023-05-18
Updated: 2023-05-18


Synopsis

Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

Type/Severity

Security Advisory: Moderate

Topic

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Security Fix(es):

  • vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
  • vault: incorrect policy enforcement (CVE-2021-43998)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

  • BZ - 2028193 - CVE-2021-43998 vault: incorrect policy enforcement
  • BZ - 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
  • OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
  • OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs
  • OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
  • OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
  • OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
  • OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in ptpconfig source crs
  • OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
  • OCPBUGS-3092 - TALM precaching pulls more content than needed
  • OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
  • OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
  • OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
  • OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
  • OCPBUGS-4200 - Segfault from TALM after CGU timeout
  • OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
  • OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
  • OCPBUGS-4406 - ptp configs should match reference configs
  • OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
  • OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
  • OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
  • OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
  • OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
  • OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
  • OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
  • OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
  • OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
  • OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit "container-mount-namespace.service" is enabled, but has no install section so enable does nothing
  • OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
  • OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
  • OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
  • OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created

CVEs

  • CVE-2020-16251
  • CVE-2021-43998

References

  • https://access.redhat.com/security/updates/classification/#moderate

Updated Images

x86_64

openshift4/bare-metal-event-relay-operator-bundle@sha256:e5aacacba93bce05c7a0b3025a8938bc431547d59c6d7dfc8959c3d3d830994e
openshift4/bare-metal-event-relay-rhel8-operator@sha256:05878d585437063c8098efe5cd8b0ebd67412e51aea21f7abc063f8d046690e6
openshift4/baremetal-hardware-event-proxy-rhel8@sha256:c24fdab236d367bf677f997f8e48ba2c34b922f3816363a8407d4dca8c170819
openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:6adbc00c12329abfcdb5d30b56162678204a87df6df88933b7a8f08b34118722
openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:c92ed15f1540e88f891723e4ae9168462be9597195aaf600be62c422bcdbca65
openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:9e9f24aa00d818b1915362aa9bddf8f504d574e7df43eb894e2d7fdd95948f16
openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:3a3a3b6a09934c55325019d249cd064efcacd1140e228a10b566e2ba25e94b0e
openshift4/ztp-site-generate-rhel8@sha256:9d45f3b7e69485083a46433a03f36abfc8728c79384fd6a13b7ca710fc9a967e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
