- Issued: 2023-10-26
- Updated: 2023-10-31
RHSA-2023:6143 - Security Advisory
Synopsis
Important: OpenShift Container Platform 4.14.0 CNF vRAN extras security update
Type/Severity
Security Advisory: Important
Topic
An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.14.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14.
Security Fix(es):
- golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
- baremetal-operator: plain-text username and hashed password readable by anyone with cluster-wide read access (CVE-2023-30841)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform users are advised to upgrade to these updated packages and images.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat OpenShift Container Platform 4.14 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.14 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 8 aarch64
Fixes
- BZ - 2190116 - CVE-2023-30841 baremetal-operator: plain-text username and hashed password readable by anyone with cluster-wide read access
- BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
- OCPBUGS-11292 - hub side lookup function on managed cluster itself for policy templating should be allowed
- OCPBUGS-11380 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
- CNF-7823 - Add crun CR to ZTP
- OCPBUGS-12152 - Misleading backup conditions in CGU when all clusters are already compliant
- CNF-8039 - Extend pre-caching feature to include user-specified images
- OCPBUGS-11769 - TALM does not consider namespace of managed policies
- OCPBUGS-13050 - reference config update 2023Q2
- OCPBUGS-13981 - Reference SiteConfig does not show new method of enabling workload partitioning
- CNF-8518 - Update DefaultCatSrc with Status and add deprecation warning in the rest of the catalog sources
- OCPBUGS-11603 - Sync issue on one CR blocks all other site deployments
- OCPBUGS-12966 - warning msg when patching up hub's gitops config
- CNF-8413 - Add annotation identifying use case
- OCPBUGS-13070 - GitOps ZTP operator subscription should not have a starting CSV specified
- OCPBUGS-9413 - Reference configuration for ClusterLogging uses deprecated API
- CNF-8526 - Update TALM to handle new PreCachingConfig CR
- CNF-8619 - Tool to diff content of ACM's Policies with PGT's Policies
- CNF-8527 - Refactor pre-caching pull scripts to pull additional user specified images
- CNF-8672 - Allowing user to exclude builtin CRs in siteconfig and only include custom extra manifest in git
- CNF-7424 - Create ACM policyGenerator DU-profile example
- CNF-8528 - Check for space usage post pre-caching to alert for kubelet GC
- OCPBUGS-15369 - TALM 4.14 Pre-Caching Pod Create Fails on Startup
- OCPBUGS-15470 - [dpdk] VFs allocated for dpdk: "Validate NUMA alignment should allocate all the resources on the same NUMA node" fails with "lspci: -s: Invalid domain number" error
- CNF-7818 - Uncomment workloadHints object from ztp/source-crs/PerformanceProfile.yaml
- CNF-8305 - rename DefaultCatsrc.yaml
- OCPBUGS-16094 - Bring back support for manifestsConfigMapRef for backwards compatibility
- OCPBUGS-14921 - Make HTTP+ConfigMap the Default Transport for Events
- CNF-8675 - Modify kuttl-test behaviour for forcing two quick reconciles
- CNF-8908 - Create Reference Design Specification for pre-caching
- OCPBUGS-13634 - Accelerated Startup script is not able to change cpuset in 4.13
- OCPBUGS-15102 - All burstable pods run with the reserved cpu affinity mask when PerformanceProfile is applied
- OCPBUGS-16412 - CGU Deletion Fails when CGU Encounters an invalid Policy or Cluster
- CNF-8851 - Create warning for deprecated field: extraManifestPath
- CNF-9146 - Configuring WPC hardware pins to enable default configuration
- OCPBUGS-13805 - Reference configuration for LocalVolume uses inconsistent path
- OCPBUGS-16358 - BMER HardwareEvent CR rejected when storageType is not specified
- OCPBUGS-16742 - [TALM] ClusterVersion policy fails when using templates
- CNF-9438 - Add operator subscription policy examples in upstream repo
- OCPBUGS-16032 - Upgrade Recovery Fails on etcd Redeployment
- OCPBUGS-17037 - TALM Operator pod selector also selects OpenShift GitOps
- OCPBUGS-17382 - Deleting "ztp-done" label after deleting CGU doesn't trigger reconcile
- OCPBUGS-17699 - PTP GM HW plugin interface placeholder cannot be replaced in user PGT
- OCPBUGS-15790 - TC bug: [dpdk] VFs allocated for dpdk: Validate NUMA alignment should allocate all the resources on the same NUMA node
- OCPBUGS-19349 - default holdover required values for e810 plugin are missing in PtpConfigGmWpc.yaml
- OCPBUGS-19066 - reference config update BC clock_class_threshold to 135
- OCPBUGS-19637 - Cluster Backup Fails in upgrade-recovery.sh
- OCPBUGS-18867 - bmer operator bundle ships with a "skipRange" annotation but without the "replaces" property (CSV)
- OCPBUGS-19954 - precaching CRD does not have resources specified
- OCPBUGS-19999 - talm operator bundle ships with a "skipRange" annotation but without the "replaces" property (CSV)
- OCPBUGS-20148 - TALM Cluster Backup Fails When /var/recovery is Not Present
- OCPBUGS-20423 - InvalidPlatformImage Error Behind Proxy
- OCPBUGS-22223 - TALM Backup Fails with Error: no such file or directory
CVEs
- CVE-2023-30841
- CVE-2023-39325
- CVE-2023-44487
x86_64
openshift4/bare-metal-event-relay-operator-bundle@sha256:0b35b3886f9a25e5058d86a70b63f9b0d38058abb71aeda71132cf4be5094cd7
openshift4/bare-metal-event-relay-rhel8-operator@sha256:8ffd30964ccff8ffb5cde75379d08dbf1b79f4e15f7096d0cb92f40c0e6d4ba4
openshift4/baremetal-hardware-event-proxy-rhel8@sha256:538b97a6eff8d234c1890864b6e24cfa55a756282346f973e9c665ed26bfbd03
openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:7bda597b994f59b42b2cde81f7db508ea9455339a8b67c57faa99fdf7d821b0a
openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:59e1c911cdba45b5a672d9238df1714c9a248f9fc8807da14ebbfe983baffdd3
openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:edf4675a849438bef46f73d06e284739686ac6fc99a8dab6884a8a2ff2956931
openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:1fde5d41157d8ed18330792e8681f10820437dab16c6cf1585a8f5784c569803
openshift4/ztp-site-generate-rhel8@sha256:88ff959ff3579be2f80bb7722aa542674f91f57829f3374f770ed124385bde3d
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.