RHSA-2023:7515 - Security Advisory

Topic

The components for Red Hat OpenShift for Windows Containers 9.0.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.

Security Fix(es):

• golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

• kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation (CVE-2023-3676) (CVE-2023-3955)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.14 for RHEL 9 x86_64

Fixes

• BZ - 2227126 - CVE-2023-3676 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation
• BZ - 2227128 - CVE-2023-3955 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation
• BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
• WINC-952 - OpenShift Branching Day release-4.14 / WMCO 9.0.0
• OCPBUGS-10222 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace
• WINC-959 - update GitHub build and testing docs
• OCPBUGS-10572 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup -
• OCPBUGS-10437 - Windows pods are unable to resolve DNS records for services
• OCPBUGS-11259 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\"
• OCPBUGS-11306 - oc adm node-logs failing in vSphere CI
• WINC-1001 - Use standard library errors package
• WINC-1010 - Upgrade containerd to 1.7.0
• WINC-1040 - Use the Version annotation instead of DesiredVersion for service cleanup
• WINC-561 - React to setting kubelet priority flag
• WINC-1033 - Use new WICD binary and stop WICD service before node cleanup
• WINC-1035 - [VENDOR] Support Windows Containers on Nutanix
• WINC-948 - WICD uses a kubeconfig to authenticate
• WINC-635 - Ensure vSphere BYOH machineset is cleaned up at end of e2e tests
• OCPBUGS-12971 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes
• WINC-1025 - CSI Proxy runs as a Windows service on Windows nodes
• WINC-805 - Add Support for Windows Server 2022 in AWS
• WINC-1037 - Windows Server 2019 CI coverage
• WINC-1003 - Pick up openshift/kubernetes 1.27 rebase updates
• WINC-860 - Automate updating of operator and OCP versions in WMCO github
• WINC-999 - WMCO manages new trusted CA ConfigMap
• OCPBUGS-13244 - Instance configurations fails on Windows Server 2019 without the container feature
• OCPBUGS-13780 - Modifying Windows node's annotation windowsmachineconfig.openshift.io/version ends up in Ready,SchedulingDisabled
• OCPBUGS-14700 - BYOH node failed to upgrade: Cannot remove item C:\\var\\log\\containerd\\containerd.log: The process cannot access the file \r\n'containerd.log' because it is being used by another process
• WINC-1004 - Update kube-proxy submodule to sdn-4.14-kubernetes-1.27.0
• OCPBUGS-15461 - Cannot get latest services ConfigMap from custom namespace
• WINC-637 - Set cluster-wide proxy environment variables on Windows instance
• WINC-863 - Automate updating of operator version in dist-git bundle image repo
• WINC-950 - [e2e] Create a CI job that tests WMCO upgrades triggered by an OCP upgrade
• WINC-1023 - Remove WICD RBAC permissions to delete node
• WINC-945 - Automate updating of operator and OCP versions in Gitlab midstream
• WINC-633 - Copy additional CA cert bundle to Windows instances
• WINC-1092 - Drop AWS support in WMCO 5.x/4.10
• WINC-861 - Automate updating of errata fields in Gitlab CEE
• WINC-998 - Clear proxy variables from Windows nodes
• WINC-1043 - Test in-tree to CSI volume upgrades in CI
• WINC-1090 - Import custom CA certificates into Windows node system store
• OCPBUGS-19040 - BYOH node on AWS server 2022 reconciliation is failing: Unable to connect to the remote server\r\nAt line:1 char:1\r\n+ Invoke-RestMethod -UseBasicParsing -Uri http://169.254.169.254
• WINC-1098 - Block WMCO upgrades if in-tree volumes cannot be migrated
• OCPBUGS-19949 - Windows machine config operator: hybrid nodes have permissions error setting annotations
• OCPBUGS-20054 - Enable proxy cert test run in CI
• OCPBUGS-20067 - WMCO does not wait for instance to reboot properly
• OCPBUGS-20191 - error removing %s HNS network when cleaning up BYOH proxy nodes
• OCPBUGS-20664 - WMCO should not copy /payload/azure-cloud-node-manager.exe for non Azure platform
• OCPBUGS-22328 - Enable proxy removal test in CI
• OCPBUGS-22711 - Node drain does not work correctly with local-data pods
• WINC-688 - Clear proxy certs from Windows nodes during deconfiguration

CVEs

• CVE-2023-3676
• CVE-2023-3955
• CVE-2023-39325

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/security/vulnerabilities/RHSB-2023-003