Red Hat Product Errata RHSA-2024:0043 - Security Advisory
Issued:
2024-06-27
Updated:
2024-06-27

RHSA-2024:0043 - Security Advisory

Synopsis

Important: Red Hat build of MicroShift 4.16.0 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat build of MicroShift release 4.16.0 is now available with updates to packages and images that include a security update.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift Container Platform. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift 4.16.0. Read the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0041

All Red Hat build of MicroShift 4.16 users are advised to use these updated packages and images when they are available in the RPM repository.

Security Fix(es):

  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite

loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
(CVE-2024-24786)

  • kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by

the ServiceAccount admission plugin (CVE-2024-3177)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For MicroShift 4.16, read the following documentation, which will be
updated shortly for this release, for important instructions on how to
install the latest RPMs and fully apply this asynchronous errata update:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.16/html/release_notes/index

Affected Products

  • Red Hat OpenShift Container Platform 4.16 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform for Power 4.16 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.16 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.16 for RHEL 9 aarch64

Fixes

  • BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • BZ - 2274118 - CVE-2024-3177 kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
  • OCPBUGS-24444 - MicroShift greenboot reports RED when no volume groups exist
  • OCPBUGS-24689 - MicroShift's cleanup script should stop and delete all (including user's) Pods
  • OCPBUGS-25784 - MicroShift OLM RPM is missing its release info file
  • OCPBUGS-21901 - [MicroShift] SERVFAIL due to "[ERROR] plugin/errors: dns: overflowing header size"
  • OCPBUGS-23336 - Setting the advertiseAddress in the microshift config.yaml file leads to CrashLoopBackOff for the ovnkube-master pod
  • OCPBUGS-25030 - Update 4.16 ovn-kubernetes-microshift-container image to be consistent with ART
  • OCPBUGS-27849 - microshift-olm-release-info RPM is missing
  • OCPBUGS-29037 - SSL Medium Strength Cipher Suites Supported for kube-controller-manager, kube-scheduler, kubelet
  • OCPBUGS-29847 - Pod security of openshift-marketplace namespace is too restrictive (should be "baseline")
  • OCPBUGS-30807 - microshift-etcd unclean shutdown can cause start failures
  • OCPBUGS-30833 - built-in load balancer conflicts with metallb
  • OCPBUGS-31739 - MicroShift OVN pods should not write to the /opt/cni/bin host directory
  • OCPBUGS-32946 - After running OCP-73203, host ip on ovn-k8s-mp0 was present in the load balancer ips
  • OCPBUGS-30039 - The openssl image used in MicroShift is pulled from an unauthenticated registry
  • OCPBUGS-33588 - Upgrade to openvswitch 3.3 for 4.16

Red Hat OpenShift Container Platform 4.16 for RHEL 9

SRPM
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.src.rpm SHA-256: 1d70434c37a23ecec3846047905b78dd1f4920219ec625f453df8d8deb6a82e4
x86_64
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.x86_64.rpm SHA-256: 79453efc75ac80efcb76b0cc130c178ad7ed8aa56caaf12b5c3320dbb89a91c1
microshift-greenboot-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 0a4d927e1c70bb28ec89e3a808d47ef564d8a07f1d94e83d50b9beea8eceef00
microshift-multus-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.x86_64.rpm SHA-256: 1669a9d00691a862c62165de1e7cf8b43d3ac53bdde63ac4c1bf6ef9fc0db832
microshift-multus-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: f2cc8d703d1b22153ce4474d769dbe7fa5a0c55fc491d837fd81f62d77f22129
microshift-networking-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.x86_64.rpm SHA-256: 28d6ab9dd684cd7bae567c7dff85397dedd81f91086007b004fdffef430c0619
microshift-olm-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.x86_64.rpm SHA-256: ff9acc02974171f113b2a417ff46c4ba65c0f9ed0da3c271e461e56e3f7c4aa0
microshift-olm-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: b38aee7cd3987ff75b0e43d400172f22da337ba1c42b3a219042cf2a3a21d1fe
microshift-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 7d30e9a82b44eb4c820ffdc047a86bf3ac5cfc9888799a69782c54b622396cc4
microshift-selinux-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 4ef487346c1706168bc0af7d4c8e19a257651d575fc8db636d7960aaae381746

Red Hat OpenShift Container Platform for Power 4.16 for RHEL 9

SRPM
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.src.rpm SHA-256: 1d70434c37a23ecec3846047905b78dd1f4920219ec625f453df8d8deb6a82e4
ppc64le
microshift-greenboot-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 0a4d927e1c70bb28ec89e3a808d47ef564d8a07f1d94e83d50b9beea8eceef00
microshift-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 7d30e9a82b44eb4c820ffdc047a86bf3ac5cfc9888799a69782c54b622396cc4
microshift-selinux-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 4ef487346c1706168bc0af7d4c8e19a257651d575fc8db636d7960aaae381746

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.16 for RHEL 9

SRPM
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.src.rpm SHA-256: 1d70434c37a23ecec3846047905b78dd1f4920219ec625f453df8d8deb6a82e4
s390x
microshift-greenboot-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 0a4d927e1c70bb28ec89e3a808d47ef564d8a07f1d94e83d50b9beea8eceef00
microshift-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 7d30e9a82b44eb4c820ffdc047a86bf3ac5cfc9888799a69782c54b622396cc4
microshift-selinux-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 4ef487346c1706168bc0af7d4c8e19a257651d575fc8db636d7960aaae381746

Red Hat OpenShift Container Platform for ARM 64 4.16 for RHEL 9

SRPM
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.src.rpm SHA-256: 1d70434c37a23ecec3846047905b78dd1f4920219ec625f453df8d8deb6a82e4
aarch64
microshift-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.aarch64.rpm SHA-256: a57961a380fb3184686380c3773996c8e3f6f662ca0734f69b4e843667073c3d
microshift-greenboot-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 0a4d927e1c70bb28ec89e3a808d47ef564d8a07f1d94e83d50b9beea8eceef00
microshift-multus-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.aarch64.rpm SHA-256: f2e0c0b000ce0d821347f5592a6a285d1bf88655f54a61c1d0385a4ffb3a64e2
microshift-multus-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: f2cc8d703d1b22153ce4474d769dbe7fa5a0c55fc491d837fd81f62d77f22129
microshift-networking-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.aarch64.rpm SHA-256: a20147b39f86c3cf2d9ecc4954881ea23f28c69a6337d763b155c7e7db428f69
microshift-olm-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.aarch64.rpm SHA-256: 56ab992f6d90aae6e1232a636a03752f035a1039332cece492bdba7b9b165ca4
microshift-olm-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: b38aee7cd3987ff75b0e43d400172f22da337ba1c42b3a219042cf2a3a21d1fe
microshift-release-info-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 7d30e9a82b44eb4c820ffdc047a86bf3ac5cfc9888799a69782c54b622396cc4
microshift-selinux-4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9.noarch.rpm SHA-256: 4ef487346c1706168bc0af7d4c8e19a257651d575fc8db636d7960aaae381746

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.