- Issued: 2023-07-27
- Updated: 2023-07-27
RHSA-2023:4290 - Security Advisory
Synopsis
Moderate: OpenShift sandboxed containers 1.4.1 security update
Type/Severity
Security Advisory: Moderate
Topic
OpenShift sandboxed containers 1.4.1 is now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
OpenShift sandboxed containers support for OpenShift Container Platform
provides users with built-in support for running Kata containers as an
additional, optional runtime.
This advisory contains a security update for OpenShift sandboxed containers, as well as bug fixes.
Security fix:
- A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. (CVE-2023-3089)
For more information about the additional fixes in this release, see the Release Notes documentation:
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 9 x86_64
Fixes
- BZ - 2212085 - CVE-2023-3089 openshift: OCP & FIPS mode
- KATA-2212 - operator, must-gather, and cloud-api-adapter dockerfiles use ubi8 base images
- OCPBUGS-15175 - [Major Incident] CVE-2023-3089 osc-operator-container: openshift: OCP & FIPS mode [rhosc-1-4]
- KATA-2121 - taints/tolerations from kata-monitor daemonset removed by reconciliation
- KATA-2299 - 1.4.1 build showing 1.4.0 version
CVEs
- CVE-2020-24736
- CVE-2021-46848
- CVE-2022-1271
- CVE-2022-1304
- CVE-2022-2509
- CVE-2022-3715
- CVE-2022-28805
- CVE-2022-34903
- CVE-2022-35737
- CVE-2022-36227
- CVE-2022-40303
- CVE-2022-40304
- CVE-2022-47629
- CVE-2023-0464
- CVE-2023-0465
- CVE-2023-0466
- CVE-2023-1255
- CVE-2023-1667
- CVE-2023-2283
- CVE-2023-2650
- CVE-2023-3089
- CVE-2023-24329
- CVE-2023-26604
x86_64
- openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:dddb09a228b578d122dc7e2418b0f7e7012706ec98e6660753b926a305a1d99d
- openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:128fec3b462e781635876b4e43dec3dc2ef787e6128ad245ed78f2196a4a798e
- openshift-sandboxed-containers/osc-monitor-rhel9@sha256:77fb428dfbf4d2dfa993cae7b005d69d5b35feaa585ffd25d34062998403462e
- openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:66fd690e92a853bfd9a4d03a64e0b7b75ef142c3c9f570b404fb93c0e58385b7
- openshift-sandboxed-containers/osc-operator-bundle@sha256:7a28671f1fe44e66ef519c8540d709969c7b3ff291e0c8ea8547588cf0e1bd6e
- openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:365893d3bc80f43bdebfb2f34898a8531a80aa63d9c43bdb6dd33eb2ac6505bd
- openshift-sandboxed-containers/osc-rhel9-operator@sha256:65337250abfb5347dcf5b8bf8e1113ffbda214da990c958bcb2d7bb69c99fb53
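Because one of the fixes in this release (KATA-2299) is that the 1.4.1 build reported itself as 1.4.0, checking a version string is not a reliable way to confirm the update landed; comparing the digests of the images actually running against the list above is. The script below is an added example written for this page, not Red Hat tooling. The advisory digests are copied verbatim from the x86_64 list; the pod output fed to it is a constructed sample. It assumes the operator runs in the `openshift-sandboxed-containers-operator` namespace and that image references follow the `registry.redhat.io/openshift-sandboxed-containers/<name>@sha256:<hex>` form shown in the advisory; adjust the namespace if your install differs.

```shell
#!/bin/sh
# Added example (not part of RHSA-2023:4290): compare running image digests
# against the advisory's x86_64 digest list. Digests below are copied from the
# advisory; everything else is an assumption made for this example.

ADVISORY_IMAGES='
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9@sha256:dddb09a228b578d122dc7e2418b0f7e7012706ec98e6660753b926a305a1d99d
openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9@sha256:128fec3b462e781635876b4e43dec3dc2ef787e6128ad245ed78f2196a4a798e
openshift-sandboxed-containers/osc-monitor-rhel9@sha256:77fb428dfbf4d2dfa993cae7b005d69d5b35feaa585ffd25d34062998403462e
openshift-sandboxed-containers/osc-must-gather-rhel9@sha256:66fd690e92a853bfd9a4d03a64e0b7b75ef142c3c9f570b404fb93c0e58385b7
openshift-sandboxed-containers/osc-operator-bundle@sha256:7a28671f1fe44e66ef519c8540d709969c7b3ff291e0c8ea8547588cf0e1bd6e
openshift-sandboxed-containers/osc-podvm-payload-rhel9@sha256:365893d3bc80f43bdebfb2f34898a8531a80aa63d9c43bdb6dd33eb2ac6505bd
openshift-sandboxed-containers/osc-rhel9-operator@sha256:65337250abfb5347dcf5b8bf8e1113ffbda214da990c958bcb2d7bb69c99fb53
'

# expected_digest NAME: print the advisory digest for image NAME (repository
# path without registry), or nothing if the advisory does not list it.
expected_digest() {
  printf '%s\n' "$ADVISORY_IMAGES" | awk -F'@' -v n="$1" '$1 == n { print $2 }'
}

# check_images: read image references on stdin, one per line, as printed by
#   oc get pods -n openshift-sandboxed-containers-operator \
#     -o jsonpath='{range .items[*].status.containerStatuses[*]}{.imageID}{"\n"}{end}'
# Lines that are not openshift-sandboxed-containers images are ignored.
# Prints OK / STALE / UNKNOWN per image and returns non-zero if any image is
# not at the digest shipped in this advisory.
check_images() {
  bad=0
  while IFS= read -r ref; do
    case "$ref" in
      *openshift-sandboxed-containers/*) ;;
      *) continue ;;                      # blank line or another product's image
    esac
    short=${ref#*openshift-sandboxed-containers/}   # strip registry (and any docker-pullable:// prefix)
    name="openshift-sandboxed-containers/${short%%@*}"
    digest=${short#*@}
    want=$(expected_digest "$name")
    if [ -z "$want" ]; then
      printf 'UNKNOWN %s\n' "$name"; bad=$((bad + 1))
    elif [ "$digest" = "$want" ]; then
      printf 'OK %s\n' "$name"
    else
      printf 'STALE %s running=%s advisory=%s\n' "$name" "$digest" "$want"; bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample of `oc get pods ... -o jsonpath` output: one image at the
# advisory digest, one monitor image still on an older (made-up) digest, one
# image name the advisory does not list, and one unrelated sidecar image.
SAMPLE_POD_IMAGES='registry.redhat.io/openshift-sandboxed-containers/osc-rhel9-operator@sha256:65337250abfb5347dcf5b8bf8e1113ffbda214da990c958bcb2d7bb69c99fb53
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9@sha256:0000000000000000000000000000000000000000000000000000000000000000
registry.redhat.io/openshift-sandboxed-containers/constructed-unlisted-image@sha256:2222222222222222222222222222222222222222222222222222222222222222
registry.example.com/other/sidecar@sha256:1111111111111111111111111111111111111111111111111111111111111111'

# Stand-alone run against the constructed sample; against a live cluster,
# pipe the oc command from the comment above into check_images instead.
printf '%s\n' "$SAMPLE_POD_IMAGES" | check_images
```

Run it against a cluster with `oc ... | check_images`; a non-zero exit means at least one sandboxed-containers image is not at an advisory digest, and the STALE lines tell you which pods still need to be rolled (the operator bundle and podvm payload images are not containers in that namespace, so expect them to be absent from the pod listing rather than flagged).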
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.