- Issued: 2023-07-18
- Updated: 2023-07-18
RHSA-2023:4025 - Security Advisory
Synopsis
Low: Red Hat OpenShift support for Windows Containers 7.1.0 [security update]
Type/Severity
Security Advisory: Low
Topic
The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.
Security Fix(es):
- containerd: Supplementary groups are not set up properly (CVE-2023-25173)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
Fixes
- BZ - 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
- WINC-981 - Red Hat OpenShift support for Windows Containers 7.0.1 Post Release
- OCPBUGS-7336 - WMCO kubelet version not matching OCP payload's one
- OCPBUGS-7843 - containerd version is being misreported
- WINC-983 - [e2e] Ensure required log files are non-empty
- OCPBUGS-8085 - Hybrid Overlay logfile is in use and cannot be deleted
- OCPBUGS-8056 - WMCO is unable to drain DaemonSet workloads
- OCPBUGS-8037 - Directory deletion errors are being ignored when deconfiguring Windows instances
- OCPBUGS-10417 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace
- OCPBUGS-10935 - Windows pods are unable to resolve DNS records for services
- OCPBUGS-10784 - In-tree storage for azure-file and vSphere is disabled
- OCPBUGS-10933 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup -
- OCPBUGS-11785 - oc adm node-logs failing in vSphere CI
- OCPBUGS-11667 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\"
- OCPBUGS-13790 - Segmentation Violation found in WMCO .ensureWICDSecretContent
- OCPBUGS-14445 - Instance configurations fails on Windows Server 2019 without the container feature
- WINC-1037 - Windows Server 2019 CI coverage
- OCPBUGS-14260 - Upgrade from WMCO 7.0.1 to 7.1.0 not working on Windows BYOH nodes: error waiting for proper windowsmachineconfig.openshift.io/version annotation for node
- OCPBUGS-4862 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled
x86_64
openshift4-wincw/windows-machine-config-operator-bundle@sha256:5623b1b97c1423e31ba92d1fcf5bc73a90d7a08a08c941b883c139035deeb7c5
openshift4-wincw/windows-machine-config-rhel8-operator@sha256:7057aa220818c452c1edfbe8d049a74807ee24162e32f1ffe2e5116e9b508336
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.