Red Hat Product Errata RHSA-2023:6143 - Security Advisory
Issued: 2023-10-26
Updated: 2023-10-31


Synopsis

Important: OpenShift Container Platform 4.14.0 CNF vRAN extras security update

Type/Severity

Security Advisory: Important

Topic

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14.

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.14 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.14 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 8 aarch64

Fixes

  • BZ - 2190116 - CVE-2023-30841 baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • OCPBUGS-11292 - hub side lookup function on managed cluster itself for policy templating should be allowed
  • OCPBUGS-11380 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
  • CNF-7823 - Add crun CR to ZTP
  • OCPBUGS-12152 - Misleading backup conditions in CGU when all clusters are already compliant
  • CNF-8039 - Extend pre-caching feature to include user-specified images
  • OCPBUGS-11769 - TALM does not consider namespace of managed policies
  • OCPBUGS-13050 - reference config update 2023Q2
  • OCPBUGS-13981 - Reference SiteConfig does not show new method of enabling of workload partitioning
  • CNF-8518 - Update DefaultCatSrc with Status and add deprecation warning in the rest of the cat sources
  • OCPBUGS-11603 - Sync issue on one CR blocks all other site deployments
  • OCPBUGS-12966 - warning msg when patching up hub's gitops config
  • CNF-8413 - Add annotation identifying use case
  • OCPBUGS-13070 - GitOps ZTP operator subscription should not have a starting CSV specified
  • OCPBUGS-9413 - Reference configuration for ClusterLogging uses deprecated API
  • CNF-8526 - Update TALM to handle new PreCachingConfig CR
  • CNF-8619 - Tool to diff content of ACM's Policies with PGT's Policies
  • CNF-8527 - Refactor pre-caching pull scripts to pull additional user specified images
  • CNF-8672 - Allowing user to exclude builtin CRs in siteconfig and only include custom extra manifest in git
  • CNF-7424 - Create ACM policyGenerator DU-profile example
  • CNF-8528 - Check for space usage post pre-caching to alert for kubelet GC
  • OCPBUGS-15369 - TALM 4.14 Pre-Caching Pod Create Fails on Startup
  • OCPBUGS-15470 - [dpdk] VFS allocated for dpdk Validate NUMA alignment should allocate all the resources on the same NUMA node fails with lspci: -s: Invalid domain number error
  • CNF-7818 - Uncomment workloadHints object from ztp/source-crs/PerformanceProfile.yaml
  • CNF-8305 - rename DefaultCatsrc.yaml
  • OCPBUGS-16094 - Bring back support for manifestsConfigMapRef for backwards compatibility
  • OCPBUGS-14921 - Make HTTP+ConfigMap the Default Transport for Events
  • CNF-8675 - Modify kuttl-test behaviour for forcing two quick reconciles
  • CNF-8908 - Create Reference Design Specification for pre-caching
  • OCPBUGS-13634 - Accelerated Startup script is not able to change cpuset in 4.13
  • OCPBUGS-15102 - All burstable pods run with the reserved cpu affinity mask when PerformanceProfile is applied
  • OCPBUGS-16412 - CGU Deletion Fails when CGU Encounters an invalid Policy or Cluster
  • CNF-8851 - Create warning for deprecated field: extraManifestPath
  • CNF-9146 - Configuring WPC hardware pins to enable default configuration
  • OCPBUGS-13805 - Reference configuration for LocalVolume uses inconsistent path
  • OCPBUGS-16358 - BMER HardwareEvent CR rejected when storageType is not specified
  • OCPBUGS-16742 - [TALM] ClusterVersion policy fails when using templates
  • CNF-9438 - Add operator subscription policy examples in upstream repo
  • OCPBUGS-16032 - Upgrade Recovery Fails on etcd Redeployment
  • OCPBUGS-17037 - TALM Operator pod selector also selects OpenShift GitOps
  • OCPBUGS-17382 - Deleting "ztp-done" label after deleting CGU doesn't trigger reconcile
  • OCPBUGS-17699 - PTP GM HW plugin interface placeholder cannot be replaced in user PGT
  • OCPBUGS-15790 - TC bug: [dpdk] VFS allocated for dpdk Validate NUMA alignment should allocate all the resources on the same NUMA node
  • OCPBUGS-19349 - default holdover required values for e810 plugin are missing in PtpConfigGmWpc.yaml
  • OCPBUGS-19066 - reference config update BC clock_class_threshold to 135
  • OCPBUGS-19637 - Cluster Backup Fails in upgrade-recovery.sh
  • OCPBUGS-18867 - bmer operator bundle ships with a "skipRange" annotation but without the "replaces" property (CSV)
  • OCPBUGS-19954 - precaching CRD does not have resources specified
  • OCPBUGS-19999 - talm operator bundle ships with a "skipRange" annotation but without the "replaces" property (CSV)
  • OCPBUGS-20148 - TALM Cluster Backup Fails When /var/recovery is Not Present
  • OCPBUGS-20423 - InvalidPlatformImage Error Behind Proxy
  • OCPBUGS-22223 - TALM Backup Fails with Error: no such file or directory

CVEs

  • CVE-2023-2002
  • CVE-2023-3090
  • CVE-2023-3390
  • CVE-2023-3776
  • CVE-2023-4004
  • CVE-2023-4527
  • CVE-2023-4806
  • CVE-2023-4813
  • CVE-2023-4911
  • CVE-2023-20593
  • CVE-2023-29491
  • CVE-2023-30841
  • CVE-2023-35001
  • CVE-2023-35788
  • CVE-2023-39325
  • CVE-2023-44487

References

  • https://access.redhat.com/security/updates/classification/#important

x86_64

openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7
openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4
openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03
openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a
openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3
openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931
openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803
openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d
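The practical check after an advisory like this one is whether the images actually running in the cluster are the digests it lists. The following Python script is an added example, not part of the advisory or of any Red Hat tooling: it parses the x86_64 image list above, normalizes pull specs by stripping the registry host (the `registry.redhat.io` prefix is an assumption about how the images are mirrored), and sorts a set of observed pod pull specs into fixed, stale (same repository, a digest the advisory does not list), unrelated, and unpinned (tag-based, so not comparable). The observed pull specs are constructed for the example; only the ztp-site-generate digest is taken from the advisory, and collecting them with `oc get pods -A -o jsonpath` is an assumed step.

```python
import re

# Fixed x86_64 image references, copied from the advisory's image list.
ADVISORY_IMAGES = """
openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7
openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4
openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03
openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a
openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3
openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931
openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803
openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d
"""

# Constructed sample of pod image pull specs, as a hypothetical
# `oc get pods -A -o jsonpath='{..image}'` run might list them.
# Only the ztp-site-generate digest is real; the others are made up for the example.
OBSERVED_IMAGES = [
    "registry.redhat.io/openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d",
    "registry.redhat.io/openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:" + "0" * 64,
    "registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:" + "1" * 64,
    "quay.io/example/app:v1.2",
]

# A digest-pinned reference: <repo>@sha256:<64 lowercase hex chars>
DIGEST_REF_RE = re.compile(r"^(?P<repo>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def normalize_repo(repo):
    """Drop a leading registry host (first path component containing '.' or ':', or 'localhost')
    so 'registry.redhat.io/openshift4/foo' compares equal to the advisory's 'openshift4/foo'."""
    head, sep, tail = repo.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        return tail
    return repo


def parse_digest_ref(ref):
    """Return (normalized repo, digest) for a digest-pinned reference, or None if it is not one."""
    m = DIGEST_REF_RE.match(ref.strip())
    if not m:
        return None
    return normalize_repo(m.group("repo")), m.group("digest")


def load_advisory(text):
    """Map repository path -> set of digests the advisory lists as fixed."""
    fixed = {}
    for line in text.splitlines():
        parsed = parse_digest_ref(line)
        if parsed:
            repo, digest = parsed
            fixed.setdefault(repo, set()).add(digest)
    return fixed


def classify_images(observed, advisory_text):
    """Sort observed pull specs into fixed / stale / unrelated / unpinned lists."""
    fixed = load_advisory(advisory_text)
    result = {"fixed": [], "stale": [], "unrelated": [], "unpinned": []}
    for ref in observed:
        parsed = parse_digest_ref(ref)
        if parsed is None:
            # Tag-based or malformed: cannot be matched against the advisory by digest.
            result["unpinned"].append(ref)
            continue
        repo, digest = parsed
        if repo not in fixed:
            result["unrelated"].append(ref)
        elif digest in fixed[repo]:
            result["fixed"].append(ref)
        else:
            # Same repository as an advisory image but a digest it does not list:
            # not necessarily vulnerable, but it is not the fixed build and needs a look.
            result["stale"].append(ref)
    return result


if __name__ == "__main__":
    report = classify_images(OBSERVED_IMAGES, ADVISORY_IMAGES)
    for category, refs in report.items():
        print(f"{category}:")
        for ref in refs:
            print(f"  {ref}")
```

The "stale" bucket is deliberately conservative: a digest outside the advisory's list could be an older build or a later erratum, so the script reports it for review rather than declaring it vulnerable. The same structure works for the ppc64le, s390x and aarch64 image lists by swapping in the corresponding digests from the advisory's other architecture sections.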

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
