RHSA-2023:5008 - Security Advisory

Topic

Red Hat build of MicroShift release 4.14.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift 4.14.0. Read the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:5006

All of the bug fixes may not be documented in this advisory. Read the following release notes documentation for details about these changes:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.14/html/release_notes/index

Security Fix(es):

• kube-apiserver: PrivEsc (CVE-2023-1260)
• kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin (CVE-2023-2727)
• kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin (CVE-2023-2728)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.14 for RHEL 9 x86_64
• Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 9 aarch64

Fixes

• BZ - 2176267 - CVE-2023-1260 kube-apiserver: PrivEsc
• BZ - 2211322 - CVE-2023-2727 kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin
• BZ - 2211348 - CVE-2023-2728 kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
• OCPBUGS-10201 - Update 4.14 ovn-kubernetes-microshift image to be consistent with ART
• OCPBUGS-10226 - Prompt unexpected err="microshift-etcd failed to start when execute 'microshift-etcd run'
• OCPBUGS-10766 - MicroShift pods cannot resolve local host name
• OCPBUGS-11296 - 4:14: e2e: Config v1 client shim for static configuration manifests with read-only operations
• OCPBUGS-11374 - build requirements are not available outside of Red Hat
• OCPBUGS-11421 - Update dependency on selinux-policy to match RHEL 9.2 released package version
• OCPBUGS-11512 - RPM build shows errors from missing jq command
• OCPBUGS-11538 - dependency on openvswitch is not compatible with RHEL 9.2 versions
• OCPBUGS-11592 - Microshift-etcd doesn't start up with memoryLimitMB set to 50.
• OCPBUGS-11734 - sudo /usr/bin/microshift show-config --mode effective doesn't show the correct memoryLimitMB value
• OCPBUGS-11967 - ovnk fails to run on a disconnected MicroShift instance (no default route)
• OCPBUGS-12736 - microshift-etcd doesn't handle any signals - becomes defunct requiring microshift restart
• OCPBUGS-12744 - search for kustomization files needs to be more flexible
• OCPBUGS-12977 - when CSI driver is disabled, log message is garbled
• OCPBUGS-13078 - config flag externalGatewayInterface shall be removed
• OCPBUGS-13221 - microshift show-config command is confusing
• OCPBUGS-14364 - MicroShift 4.14 fails to build after bumping Kubernetes
• OCPBUGS-15740 - Old kubeaadmin cert not get deleted when host IP changed in microshift
• OCPBUGS-16339 - MicroShift uses newer dependencies when older base package is requested
• OCPBUGS-6861 - Some pods not coming up after rebooting
• OCPBUGS-7535 - MicroShift ISO boots without a network connection when static IP configuration is used in kickstart
• OCPBUGS-7779 - The router pod is delayed over 5m after reboot
• OCPBUGS-7791 - microshift-etcd fail to check the version
• OCPBUGS-7874 - nats.io doesn't work on microshift
• OCPBUGS-8277 - fails to access APIServer service IP assigned on lo device
• OCPBUGS-8278 - Rebase to 4.13 failed with duplicate metrics registration in ovnk
• OCPBUGS-8301 - kubeconfig CA includes all signers
• OCPBUGS-8329 - sysconfwatch-controller logs excessively
• OCPBUGS-8411 - Microshift does not come up if the Hostname of RHEL has an upper case letter
• OCPBUGS-9996 - CSI driver ends up in crash loop when host does not have default VG name
• OCPBUGS-14678 - When stopping microshift.service, microshift-etcd shuts down independently of microshift and before kube-apiserver
• OCPBUGS-18773 - MicroShift's KAS and KCM are not shutting down
• OCPBUGS-12146 - Update 4.14 ovn-kubernetes-microshift image to be consistent with ART
• OCPBUGS-16392 - Sos reports contains greenboot logs only in bulk journal file
• OCPBUGS-19423 - Test harness: migrate from envsubst to gomplate
• OCPBUGS-19518 - Ingress rules not checked in tests
• OCPBUGS-19638 - MicroShift doesn't print its version at the start
• OCPBUGS-8516 - systemd.mount getting spammed of mount/unmount messages while cluster is idle
• OCPBUGS-19646 - cannot upgrade microshift 4.14 ec4 to rc1
• OCPBUGS-19772 - Missing sos wrapper
• OCPBUGS-19872 - mDNS resolution not working when retrieving logs
• OCPBUGS-19939 - Need to pull busybox image from quay.io repo
• OCPBUGS-20059 - Upgrade over unhealthy system leads to data loss
• OCPBUGS-20174 - Greenboot health check logs do not belong to the unit
• OCPBUGS-11829 - route controller manager exits after losing leader election and prevents MicroShift from stopping cleanly
• OCPBUGS-15397 - microshift: OVN-K wants CRD AdminPolicyBasedExternalRoute
• OCPBUGS-15948 - openvswitch 3.1.2 fails to start, causing MicroShift to fail to start
• OCPBUGS-18696 - After reboot Microshift does not come up.
• OCPBUGS-19339 - Microshift config files are not collected in sos_report

CVEs

• CVE-2023-1260
• CVE-2023-2727
• CVE-2023-2728
• CVE-2023-39318
• CVE-2023-39319
• CVE-2023-39321
• CVE-2023-39322

References

• https://access.redhat.com/security/updates/classification/#important