Red Hat Product Errata RHSA-2023:7599 - Security Advisory

Issued: 2023-12-05
Updated: 2023-12-05

Synopsis

Important: OpenShift Container Platform 4.14.5 bug fix and security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.5. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:7603

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
  • opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.14 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)
The image digest is sha256:0ec9d715c717b2a592d07dd83860013613529fae69bc9eecb4b2d4ace679f6f3

(For s390x architecture)
The image digest is sha256:068a5641d0180d70d48535d01305fb3c3701ca137be08cffa886694ef515ffa9

(For ppc64le architecture)
The image digest is sha256:6f7faaaeedc96b6e262e0d67fe2147022369104eb5a239bb39fb56f2e844d86d

(For aarch64 architecture)
The image digest is sha256:e602f9df03cda6f7a8fd76f21f0d87eac6a5310a6f6dda1b1d70e803191ad482
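
One way to check a cluster against the release digests listed above, as an added example that is not part of the Red Hat advisory. The function names are hypothetical; the live check assumes a logged-in oc session and that the first node's architecture is representative of the cluster.

```shell
#!/bin/sh
# Release payload digests copied from RHSA-2023:7599 (OpenShift 4.14.5).
advisory_digest() {
  # Kubernetes reports amd64/arm64; the advisory uses x86_64/aarch64.
  case "$1" in
    x86_64|amd64)  echo "sha256:0ec9d715c717b2a592d07dd83860013613529fae69bc9eecb4b2d4ace679f6f3" ;;
    s390x)         echo "sha256:068a5641d0180d70d48535d01305fb3c3701ca137be08cffa886694ef515ffa9" ;;
    ppc64le)       echo "sha256:6f7faaaeedc96b6e262e0d67fe2147022369104eb5a239bb39fb56f2e844d86d" ;;
    aarch64|arm64) echo "sha256:e602f9df03cda6f7a8fd76f21f0d87eac6a5310a6f6dda1b1d70e803191ad482" ;;
    *) return 1 ;;
  esac
}

# Extract the digest from a pull spec of the form repo@sha256:<64 hex chars>.
# Tag-only references (repo:4.14.5-x86_64) are rejected: a tag can be
# re-pointed, so only a digest identifies the payload.
pullspec_digest() {
  case "$1" in
    *@sha256:*) d="${1##*@}" ;;
    *) return 1 ;;
  esac
  hex="${d#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  echo "$d"
}

# check_release ARCH PULLSPEC
# Prints MATCH (exit 0), MISMATCH (exit 1) or UNVERIFIABLE (exit 2).
check_release() {
  want=$(advisory_digest "$1") || { echo "UNVERIFIABLE: unknown arch $1"; return 2; }
  got=$(pullspec_digest "$2")  || { echo "UNVERIFIABLE: no sha256 digest in $2"; return 2; }
  if [ "$got" = "$want" ]; then echo "MATCH"; return 0; fi
  echo "MISMATCH: cluster=$got advisory=$want"
  return 1
}

# Live check, run only when requested: ./check_release.sh --cluster
if [ "${1:-}" = "--cluster" ]; then
  # Assumption: the first node's architecture stands for the whole cluster.
  arch=$(oc get nodes -o jsonpath='{.items[0].status.nodeInfo.architecture}')
  image=$(oc get clusterversion version -o jsonpath='{.status.desired.image}')
  check_release "$arch" "$image"
fi
```

A MISMATCH means the cluster's desired release image is not the 4.14.5 payload for that architecture, for example because the update has not been applied yet or a later release is installed.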

Affected Products

  • Red Hat OpenShift Container Platform 4.14 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.14 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.14 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.14 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 8 aarch64

Fixes

  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • BZ - 2245180 - CVE-2023-45142 opentelemetry: DoS vulnerability in otelhttp
  • OCPBUGS-10126 - Update 4.14 ose-cluster-update-keys image to be consistent with ART
  • OCPBUGS-22286 - CNO pod restart in hypershift CI
  • OCPBUGS-22363 - lack of hypershift labels for hcp components ovn,cloud-network-config,multus-admission controllers
  • OCPBUGS-22430 - 4.14: vmware-vsphere-csi-driver-webhook handles HTTP/2 requests
  • OCPBUGS-23426 - The secret/vmware-vsphere-cloud-credentials in ns/openshift-cluster-csi-drivers is not synced correctly when updating secret/vsphere-creds in ns/kube-system
  • OCPBUGS-23490 - When build capability is disabled, ConfigObserver controller does not run
  • OCPBUGS-23751 - update packages in ironic-agent
  • OCPBUGS-23906 - Agent-based install on vSphere with multiple workers fails

CVEs

  • CVE-2023-39325
  • CVE-2023-45142

References

  • https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
