Red Hat Product Errata RHSA-2023:7687 - Security Advisory
Issued:
2023-12-13
Updated:
2023-12-13

RHSA-2023:7687 - Security Advisory

Synopsis

Important: OpenShift Container Platform 4.13.26 bug fix and security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 4.13.26 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.26. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:7689

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

  • golang: net/http, x/net/http2: rapid stream resets can cause excessive

work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)
The image digest is sha256:dece136ed888653cae20c2832b9e94de7c7ab24e34cddf49d5d284f41d7b61b1

(For s390x architecture)
The image digest is sha256:bfbdafa2c6a2802bf2b66c8e1b5bf9fadfe540c9739da8daa666d69a1890c31f

(For ppc64le architecture)
The image digest is sha256:afeb405b91d2e79d752beef15e7f63bc54519e7371d508a47f8570cff34b384c

(For aarch64 architecture)
The image digest is sha256:bfc4eaa2419cc0a214789137cd2ffb56403f35ec14ec11937858e2c88824587d

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64

Fixes

  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
  • OCPBUGS-22997 - [release-4.13] Gather StorageClass Resource
  • OCPBUGS-23497 - Console: Cannot Edit Shipwright Build
  • OCPBUGS-23567 - Bump to kubernetes 1.26.11
  • OCPBUGS-23978 - [4.13] Ironic side of external_http_url (METAL-163) is not wired in correctly
  • OCPBUGS-24240 - Subsequent PipelineRuns should take initial PipelineRun name into account
  • OCPBUGS-24263 - [release-4.13] High CPU usage in the ovs-vswitchd daemon

aarch64

openshift4/network-tools-rhel8@sha256:e09e7d18dbd03548965cf7e2452ab240819a04912c395c307ea7ac83b8234407
openshift4/ose-agent-installer-node-agent-rhel8@sha256:d3a0c24bcb4ce2061d3cf47fa4ea07607610447bdf8719ba31ad96b2867909a6
openshift4/ose-apiserver-network-proxy-rhel8@sha256:0ae007dd4af28973b1beca810365c4d0b958e27d1e6cdd99638ac09b869ee915
openshift4/ose-cluster-node-tuning-rhel9-operator@sha256:24469931fe23b851e812508f683922e3c118127d0bce5fbac28ca4c2305039f6
openshift4/ose-console@sha256:52ee0a106024b1d7868e0dc618d713696cb12b6d3c450933316f2cf01c456649
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:9021508b88e4bb0af0f244e7448ff1f014521a9d392b2241745b04a694db2080
openshift4/ose-hyperkube@sha256:625464dbba9d77d4cd210521acae68652a8c6aed28f478ad2f49b903e0d4a827
openshift4/ose-hypershift-rhel8@sha256:d4d524b4f84ebebc9f13805b0a2ad3a5d7280e23188d656265e9f3a95ff85f23
openshift4/ose-insights-rhel8-operator@sha256:dd0ad4071e60e7fc52bd897051acfb0ab4188cd7cbef6da8b0a7ac6dc0274537
openshift4/ose-ironic-rhel9@sha256:6a895c07df45ce45db480647afd64fd2d253ea0f442f1523b4893767e2a418a2
openshift4/ose-machine-api-operator@sha256:cdceceb37ba9ab02983863894030da6e3e6882f4080611a8f3cec1778a7bfdf4
openshift4/ose-machine-config-operator@sha256:836ac1685bf60cf607784380080ca6b777759dd2859d0ed9bc58db454a7b6638
openshift4/ose-multus-whereabouts-ipam-cni-rhel8@sha256:9165401df8300e636b4a25c72d3e88de24c069c3ee4bed36bdd90acf0e143c40
openshift4/ose-openshift-apiserver-rhel8@sha256:4b6374c37dbdd008ff6ae2309237f5fe497974ab257ccf181a4e7db89afa6056
openshift4/ose-ovn-kubernetes-rhel9@sha256:3e7f655cbab67b833482679058a40e243179297888d0b8ad71f57c9f53fa670e
openshift4/ose-ovn-kubernetes@sha256:3e7f655cbab67b833482679058a40e243179297888d0b8ad71f57c9f53fa670e
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:0aa20e9635b71a9efa141360d05e9041516faed20bd1a1ff86caf83aea724e8b
openshift4/ose-pod@sha256:22b9320ac9585cbf64323b0a45faddcf9ede05ed9a4e9947577bb973b4da8517

ppc64le

openshift4/network-tools-rhel8@sha256:bd0f5b09a69991141ac453788e1bf82f929755add56ff0b016f59dc5f9ee4069
openshift4/ose-agent-installer-node-agent-rhel8@sha256:eaece5585ade7ea69944930312f4b7316a3cb9efce38336edb53e8d2404e4373
openshift4/ose-apiserver-network-proxy-rhel8@sha256:63735dba9f371806527f425d20c748e6e46b16847cdf5ee2ea95739676c5bd6f
openshift4/ose-cluster-node-tuning-rhel9-operator@sha256:408f99eeea797688f019ae48d1146d2aafdc617f03333f738d965bdf0ccf9f13
openshift4/ose-console@sha256:08c0702b76afcd36918a08363f923cb58306c989e19a220fcf912f064553768d
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:8a493115b7fc957bb2cb8f69314a1fe02e484db87abee79ed60d41e79fd82134
openshift4/ose-hyperkube@sha256:37dd7c8c5dcd7844aba30c339460e201eaaa646fb79ad01920ef15870fbc7d2f
openshift4/ose-hypershift-rhel8@sha256:742ae87db576224b11fda66817114232b510aa79edec7e6d2951dafba86015a0
openshift4/ose-ibmcloud-cluster-api-controllers-rhel8@sha256:a34102eedc3c1b80b2cdc1f7dd7a85482769e05a86c69b9ee476c3600a3c5ae3
openshift4/ose-insights-rhel8-operator@sha256:5a1b1237344332a45eb6e7c780dd57c7eb3a5d6bd175960fbe74d8ffc3505993
openshift4/ose-machine-api-operator@sha256:ec0519bfc0d05479184bede2fad3fc059f2f5d18a700707caf7bbd7dde830d6d
openshift4/ose-machine-config-operator@sha256:123622446bd34b57e3f1ee3981faf40e9c988e21e57c3b579a56b088029831fe
openshift4/ose-multus-whereabouts-ipam-cni-rhel8@sha256:6e17de2ba14647ce67c92b3331eafeccb6aefe8874bcaca6e118a4403b058ea2
openshift4/ose-openshift-apiserver-rhel8@sha256:4f51bb291ab9198ee7be8c7edcb93cf0ca91295a41cd5c89aead9dd1046d2c0a
openshift4/ose-ovn-kubernetes-rhel9@sha256:564a94549dad9ff2a0347140a11ecd25dfa4939ba8b7302fcb748f926739ee69
openshift4/ose-ovn-kubernetes@sha256:564a94549dad9ff2a0347140a11ecd25dfa4939ba8b7302fcb748f926739ee69
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:8ff987d26336520d84f2e55bd4af2f88a3f660b98fc3b1a5ec8bee7daaa40222
openshift4/ose-pod@sha256:d5a6f0d18580ff16c72c30a8503dbc9eef042f37a1436c5f96cd98eba500b7f4

s390x

openshift4/network-tools-rhel8@sha256:d896d49b3ad7a06348fb4c901a43e57106d8964e6b7a6c41cbc51a591a693ce5
openshift4/ose-agent-installer-node-agent-rhel8@sha256:9111bf8e1272fd77d44db6ca15c4c7c82df530dbd651f6c0b880dc06b2259b15
openshift4/ose-apiserver-network-proxy-rhel8@sha256:02770a527d1b5278a849109640666c8da368f7db0dceb7e71410f17a18d39511
openshift4/ose-cluster-node-tuning-rhel9-operator@sha256:1a569a7bb305680ec918b7155c155ffba2106de5237ca6c8f3f1d0453232633e
openshift4/ose-console@sha256:5b2b23814f522b36dad0538790b4a67674503f6a9b9a07c285ba801da5f6fd6c
openshift4/ose-hyperkube@sha256:171472cbdf0fcbaa145691078ab1905261fba7a24881e5e6ae590ac8165e8e3a
openshift4/ose-hypershift-rhel8@sha256:464fd072dab1e1cf7e87d41c667f31592a64dc2af9b9c7b088d7c8d41055d0b6
openshift4/ose-ibmcloud-cluster-api-controllers-rhel8@sha256:7cfd5caded4ef20ed789ebc8eabe10aae320ac73736125a9c114019491e64448
openshift4/ose-insights-rhel8-operator@sha256:ce89649c894f1d2abfcf00256701810904fcc79b5cdcb7a6d41b8d435639bdc2
openshift4/ose-machine-api-operator@sha256:7e83e03f9316996422b71400e0f56dfffd86f0231f56208dade915a783b34878
openshift4/ose-machine-config-operator@sha256:43c963c0c011dba4c9b84d8eceab0867fd058ab53bfb6b831806fb4ef555fad4
openshift4/ose-multus-whereabouts-ipam-cni-rhel8@sha256:7b346b9a6e2d9c2563fd6d7de10723bb15616b37d313c39851e48837406e1084
openshift4/ose-openshift-apiserver-rhel8@sha256:327ceb866493223f5e184fdd2e468a5474a155c7eb5b68f4ecedb786ff886057
openshift4/ose-ovn-kubernetes-rhel9@sha256:acafceaf8b1ddeb060e5bea312f51eb8243fce95698ef67bc0179e1728aa7bf0
openshift4/ose-ovn-kubernetes@sha256:acafceaf8b1ddeb060e5bea312f51eb8243fce95698ef67bc0179e1728aa7bf0
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:a2b8f25c021d0feba692fe04a0e485a3406482c1730dee41b859b2458388067f
openshift4/ose-pod@sha256:5d0c215fdae058d5c885ca413c1a3a1be2a0dd14aa8c8a2f81c58eccb71d97d1

x86_64

openshift4/network-tools-rhel8@sha256:87161107ecf98404c8a16253f70cb1161f912631e7071e9e8a5f23abc8cb1c81
openshift4/ose-agent-installer-node-agent-rhel8@sha256:db2d757db4c605c4f91d949a01b9de771ff4b80005dd46c472d0cb2af56b12e0
openshift4/ose-apiserver-network-proxy-rhel8@sha256:867f3d534eb4a6bcc5677ad1b2dacb9745d945019a2c441c0fdf27332770dd3f
openshift4/ose-cluster-node-tuning-rhel9-operator@sha256:12c05195a2ae13dab2d32fa033233163d312b13f1a52b75525fa36311fdd36ee
openshift4/ose-console@sha256:d8a3620411240d33e8923fa3cfa51bfc7db3c4d87d9bbb1a3460bc68f61f56be
openshift4/ose-gcp-cloud-controller-manager-rhel8@sha256:0a7942473533bff70f8ebda2d93910d63b4dbb4c8d4b75253be06299b0786587
openshift4/ose-hyperkube@sha256:5906942e53bca144c074630ad88c3cc158d521e777f17c95f56ff82e512e399e
openshift4/ose-hypershift-rhel8@sha256:48c9c1b2069a0ecc4a7f5f1bdde41be7b3d8088a5cccca1d843c82e670fa1ba8
openshift4/ose-ibmcloud-cluster-api-controllers-rhel8@sha256:b1bd20717966793032cd8daeb1abe9ada2c0f0b8aafdaf84824cce7e76f44664
openshift4/ose-insights-rhel8-operator@sha256:09c56b2b05e1811607a56ef79f08d363b7d0451c9380b3031085bec6d5899450
openshift4/ose-ironic-rhel9@sha256:45eb7b29c5b97cbe6324d53cea9393fc8a1f30bd761b57e3081f5e7d90324261
openshift4/ose-machine-api-operator@sha256:ff34d701d608be3db216bbb2444a289626b36306fadf5b6a0786dbe06e241119
openshift4/ose-machine-config-operator@sha256:1149bbb24a44601cf9a64879e592eb1559b8626a08fbbc2d855c474b0ab3350b
openshift4/ose-multus-whereabouts-ipam-cni-rhel8@sha256:961ace293bf966e03d432c5fe0f0d3e5b000fea960a755cea11fda1dd2b4a74e
openshift4/ose-openshift-apiserver-rhel8@sha256:527a1f3bcf1cda46a4aa9c5d05e8dbdfd759923eb3675a6141881033e017b869
openshift4/ose-ovn-kubernetes-rhel9@sha256:20f952c6f2a4609340785cf4bb0ba5057df39abe132a158a75aee4d4b1828046
openshift4/ose-ovn-kubernetes@sha256:20f952c6f2a4609340785cf4bb0ba5057df39abe132a158a75aee4d4b1828046
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:d092c50790ff61bc56e104b4406a5e22cd9454d12e4f84cabf44bee0c52339ad
openshift4/ose-pod@sha256:4232e65758ca8449e6e2bf9d861e906156c5396ed606aad8732469c7740c827b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.