Red Hat Product Errata RHSA-2024:0735 - Security Advisory
Issued:
2024-02-13
Updated:
2024-02-13

RHSA-2024:0735 - Security Advisory

Synopsis

Critical: OpenShift Container Platform 4.14.12 bug fix and security update

Type/Severity

Security Advisory: Critical

Topic

Red Hat OpenShift Container Platform release 4.14.12 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.14.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.12. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0738

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

  • go-git: Maliciously crafted Git server replies can lead to path traversal

and RCE on go-git clients (CVE-2023-49569)

  • go-git: Maliciously crafted Git server replies can cause DoS on go-git

clients (CVE-2023-49568)

  • graphql-go: Denial of service via stack overflow panics (CVE-2022-21708)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.14 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)
The image digest is sha256:671bc35e8fc2027d6f4c2c756d19909d83d55d1c591e8f9ea790ec8da744d171

(For s390x architecture)
The image digest is sha256:641ac9df3fbc2575922e68cc2e3b0903d7d268faf6862777fca93ac7ed2fe82b

(For ppc64le architecture)
The image digest is sha256:ab24f08a86cb6715e3259153ab44820620d80f21c87781001289bc7ebe13cf02

(For aarch64 architecture)
The image digest is sha256:7f3942d330660112a9220786bd2fb3015f05bda0354002f70cf5735e6386b93b

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.14 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.14 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.14 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.14 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 8 aarch64

Fixes

  • BZ - 2045014 - CVE-2022-21708 graphql-go: Denial of service via stack overflow panics
  • BZ - 2258143 - CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
  • BZ - 2258165 - CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
  • OCPBUGS-20180 - Dual-Stack Hosted Cluster: IPv6 should not be the default pod/service network IPFamily
  • OCPBUGS-20547 - (backport) Add a network validation to avoid overlapping when you define KAS Advertise Address
  • OCPBUGS-26526 - Explore making that remote write failure less intrusive
  • OCPBUGS-26527 - Explore making that remote write failure less intrusive
  • OCPBUGS-27072 - HCP does not deploy cloud provider kubevirt with configured node selectors
  • OCPBUGS-27157 - [release-4.14] Web Console Shows Non-printable file detected
  • OCPBUGS-27419 - Fix "depreciated" typo
  • OCPBUGS-27773 - [4.14] Ironic inspection fails due to unexpected LLDP packet: Unexpected exception UnicodeDecodeError during processing: 'utf-8' codec can't decode byte 0xf7 in position 13: invalid start byte
  • OCPBUGS-28238 - y-stream upgrade fails because CVO has no Upgradeable condition
  • OCPBUGS-28379 - MachineConfig rollout after Control-Plane Node(s) CPU and Memory update because of nodeStatusUpdateFrequency being updated
  • OCPBUGS-28384 - The MCO should allow users to skip image registry change disruption
  • OCPBUGS-28789 - [4.14] - IPv6 ETP=Local Services broken on LGW
  • OCPBUGS-28823 - EFS CSI performance degradation due to CPU limits
  • OCPBUGS-28871 - oc-mirror requires that the default channel of an operator is mirrored
  • OCPBUGS-28949 - openshift/builder - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-28950 - openshift/openshift-controller-manager - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-28951 - openshift/openshift-controller-manager-operator - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-28952 - openshift/csi-driver-shared-resource - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-28957 - openshift/csi-driver-shared-resource-operator - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-29030 - HyperShift KAS config should set ValidatingAdmissionPolicy plugin
  • OCPBUGS-29034 - openshift/origin - replace 'coreydaley' with 'sayan-biswas' in OWNERS file
  • OCPBUGS-7262 - Handle event messages generated when UI is active

aarch64

openshift4/driver-toolkit-rhel9@sha256:05bce6081ebd60260a2dc707855bb4c8c7597d84dc4cec8bf735a492bff2db9c
openshift4/network-tools-rhel8@sha256:392988b33b613ffe4981425bf96ebd72109398f4bd9297fdc74eaed6a0156fa6
openshift4/oc-mirror-plugin-rhel8@sha256:84d480f2763a1db6756f4fe00e42876917672786e25fca03f44cfddaf28082a2
openshift4/ose-aws-ebs-csi-driver-rhel8-operator@sha256:fe6b1c8aea442792d49f21b76198467a70bda5f5b7430c42731c2f20eebc3a55
openshift4/ose-azure-file-csi-driver-operator-rhel8@sha256:db4fa94339f96a72f989900d026f6782fc4032715d7c22e8f590202c3aba9bac
openshift4/ose-cloud-credential-operator@sha256:819a069cd69a7e60e9e27d25ecc45648c9cca2dbf224856745be5cd27a586358
openshift4/ose-cluster-machine-approver@sha256:900f4859257659f4edcbc7fd162cf63ea1fd842a92c7d42d942178d43d379dd4
openshift4/ose-cluster-olm-operator-rhel8@sha256:9a07d7c5d06ba4adaa0a7889d23025aa63c46f6c5056129017172e8589f7ee5a
openshift4/ose-cluster-openshift-controller-manager-operator@sha256:a274d2123b7e0067cacf804102f814fbc4254f3ee46f419e26f48bd3b7af8346
openshift4/ose-cluster-storage-operator@sha256:72d8357a182c757948a5f3ee3b0513f631c2adf69f1c992ba9c0d7b6ec606eca
openshift4/ose-console@sha256:475d8ce51b4627005c1bed354c1d7937deaa3d267e2e2125c7928d1b8bd0004b
openshift4/ose-csi-driver-shared-resource-operator-rhel8@sha256:7e99665eede825a66d181ddb7c213fd6935719d71af825a1a8803b3f259007e3
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:1da28c45c8493d6c7f1fb726fcb883df9d4df64ad4f2d298892fe9696eb8a639
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:a551850f4b1738ec67c0d8aaa6fc2088f6e1d0c06427ce6ef516314076243e80
openshift4/ose-docker-builder@sha256:6001d0d2d7045cb3bad502aa98e2e956e4f73621b23d1d41e9db49c12c34a86c
openshift4/ose-gcp-pd-csi-driver-operator-rhel8@sha256:01901fb39370d3c61e2fea199c9fbcf32793825dc94d6c1a2bf277e96626cbb2
openshift4/ose-hypershift-rhel8@sha256:b3862632def25374ff8bae43b52b1afdd758cbb862959b719c6654e1707feb20
openshift4/ose-ironic-machine-os-downloader-rhel9@sha256:a73de78411a6ba2c799e5fdca210395a35752634365df4633f83894e032eaa9b
openshift4/ose-ironic-rhel9@sha256:eedacea88e2faac732dad373c9f817e5fc462670d70e6d72040bc75d169db317
openshift4/ose-machine-api-operator@sha256:fcc2afe06b860a7384b2573f8ef4eb172146bfe62bf1a57e09f097e6447be17e
openshift4/ose-machine-api-provider-azure-rhel8@sha256:7e3c1951531e7437ba57ce27b35803e0dd78f7619ed3f05513fc147c01aa622f
openshift4/ose-machine-config-operator@sha256:9e19c0d439935ea5dc414b4acddfe55453def48c7b19380b2fc738052b0ee5c6
openshift4/ose-olm-rukpak-rhel8@sha256:9fef2730ce862c6a192d1fe848a9fd5e53b08627d08a9449d52c82d559693b09
openshift4/ose-openshift-controller-manager-rhel8@sha256:ff60a763ad85c8e2f7c1844e072dd7c1d17d638fcddd8aa5021095eee5f8e355
openshift4/ose-ovn-kubernetes-rhel9@sha256:af1e6bc335def679ce1309279742a8da44ee6d4608324af6a9b45ed260985794
openshift4/ose-ovn-kubernetes@sha256:af1e6bc335def679ce1309279742a8da44ee6d4608324af6a9b45ed260985794
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:16082622ef96fd52fa96d3a665d0a69e0f5593a5da0a250628bac215238b8d7a
openshift4/ose-tests@sha256:bcf7a14bd4e84854449980344a40de00ff4ae405d802fabdbee30a89aee161bd

ppc64le

openshift4/driver-toolkit-rhel9@sha256:cfc7d5dc2069294c860fd779531513c23304e8a86f73f376016bb048e070b28d
openshift4/network-tools-rhel8@sha256:fe10793b6a5fe8bca87c08721730af057dc8df54bb32aeb53fb1bbdd443b0ec0
openshift4/oc-mirror-plugin-rhel8@sha256:e7d7087f8c9e1640d6b741207f7b22cbf1ae820c263b0b9fd6bf96c41eeb1b86
openshift4/ose-cloud-credential-operator@sha256:3a82a2f0533422e928fced06677e53a331b94500f49a0230f5b7e652fd789003
openshift4/ose-cluster-machine-approver@sha256:c016ce76a990bf38c387ce52730e3cfc34e5f739ad5389816cdf9ff11278ed97
openshift4/ose-cluster-olm-operator-rhel8@sha256:ea821cd31b9cea6048613fb6134af6b20c38893338c86e4effa43a98e342f38d
openshift4/ose-cluster-openshift-controller-manager-operator@sha256:b7480384322a8cdffac683a5d2956d673749090278b152236961012d7895e335
openshift4/ose-cluster-storage-operator@sha256:af10a7dada886e36002107128cb705da708f08860e3eb947f8cce80a69f81ed3
openshift4/ose-console@sha256:fcc20f5b7ef541c16d70a6f63a11808353306c8f0436987a8d4b599e3cb87b20
openshift4/ose-csi-driver-manila-rhel8-operator@sha256:dcc8a782bbd03e2b35dfebafd85d9e336d24125f17a4299f4359217901bc9c2c
openshift4/ose-csi-driver-shared-resource-operator-rhel8@sha256:6269a0486b760ac10bedce0b26ad195afae2cf55722def84e29ea84f28d8664a
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:8f4d43e57376d5ed9450abb384b51474d14c6a298b654819d56f081dba4f4a71
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:dbd5138f80b13510a6ad250f6eb600e0cd9f4fd261e8902a19b098a358a1127e
openshift4/ose-docker-builder@sha256:f053c7248211c17af364de7e567bd619abb286463915af9f7acdb1d6ea0525ed
openshift4/ose-gcp-pd-csi-driver-operator-rhel8@sha256:15021374cb8366b34aa8e50afccd6d5de2ca8be23ba0947c6790fd1e9c561f5a
openshift4/ose-hypershift-rhel8@sha256:f3db0686714999f28feab6f575a018ae92a221763eab40a43f1eefe514f2e6b5
openshift4/ose-machine-api-operator@sha256:e81355759a79e21b4759d6502e4c0e159dd8e83cc0afab662f58c48c878ed6e3
openshift4/ose-machine-config-operator@sha256:7e6cf64ac26dae2089acf2aedcf2395a64b54ffa8e2d4820e5287be070e55301
openshift4/ose-olm-rukpak-rhel8@sha256:83c02c5ef6b675cc9c19ff3227c36b463d70607873200bf9a33165b21986f895
openshift4/ose-openshift-controller-manager-rhel8@sha256:1a17af176804a44433c4ddeb73c5bbce87656c37f259834ba2ea960959631cce
openshift4/ose-ovn-kubernetes-rhel9@sha256:f9302c40944a749077ea44c822090a7b7fc24c0ea782f8ecc6319bc933f9de75
openshift4/ose-ovn-kubernetes@sha256:f9302c40944a749077ea44c822090a7b7fc24c0ea782f8ecc6319bc933f9de75
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:50e8ae10e81d3a31940b7f09249185158ca79aa36445f650f9793c74f89e5925
openshift4/ose-tests@sha256:fd4a58ec64a4b082b33e71d0c3dd366f748f474caeffe21da49b2d96eb491bfe

s390x

openshift4/driver-toolkit-rhel9@sha256:eb96c150d38135e5828626bbbff07164fa07a01a424ee433b5448f55dae5f0ed
openshift4/network-tools-rhel8@sha256:8a59164de78da22ad6934ecfe1f5aa18b81790c9aa4294e1769154d21c7a8c6c
openshift4/oc-mirror-plugin-rhel8@sha256:b198aea08568e40e3f7f5329d2c1d3763bdb4bcc7a9f323b4704403d68656106
openshift4/ose-cloud-credential-operator@sha256:1a27f1946d3584056f73ff84d5a04294855d57dcfccc0487d9ff72f9de80ba62
openshift4/ose-cluster-machine-approver@sha256:7fbc684130d3167f7c7ffcdedc6a689b771b2c877e7e0f6de0f069be48e5f28c
openshift4/ose-cluster-olm-operator-rhel8@sha256:d80338391a783a1f831746b6905ad8558b9f671c8b898bc56a141d5bd84480fe
openshift4/ose-cluster-openshift-controller-manager-operator@sha256:2911f8a22cca9c18347455dd4f55442e4f85a41f5d7adb286e4029c004295d97
openshift4/ose-cluster-storage-operator@sha256:484a3b8494e1f4a344ab26ef2a676c8fc63724e026fdbed3a73b77cc05b90cec
openshift4/ose-console@sha256:ba1ffa8b24ade1f8027a871206fa169e283bc32e04abd967b0d0bab4d1a38bab
openshift4/ose-csi-driver-shared-resource-operator-rhel8@sha256:281ee21303f1599576ee5d0a6fefcc0614dbbdad482494cff2da2a4ddf909fd4
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:213d6bedae130a35272ef2a07b0c9aa4c8c0b20fe2981c51909b94f81e808842
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:727b3801c58418900b4489439a83f68cab83cecf8a5ed5a09b77f1a353dccc3c
openshift4/ose-docker-builder@sha256:5654a4ee244d463cc9d75ff6fc2fe69b587752ae36bcc01b6c60141a7c557785
openshift4/ose-hypershift-rhel8@sha256:b58354f9e660a56fe7f063c5dde21def1e2ece254dfcd68c42bdb02f9d6e1bb2
openshift4/ose-ibm-vpc-block-csi-driver-operator-rhel8@sha256:0ce1290358383a8dabda220eb4abfe70e6104984984befd18dedb14dc764ba66
openshift4/ose-machine-api-operator@sha256:38d879f8c691801b31694734c452a5d9c72d1c71ed98a06ad2364be8e0c7ae11
openshift4/ose-machine-config-operator@sha256:52debee18389b1547c7b230b067e2e46413d03aeff34fa857f0078a6ad43180d
openshift4/ose-olm-rukpak-rhel8@sha256:641238eb6dd892a0914419c0b0a471315265cace7c5dbc464a9c30b423fbe157
openshift4/ose-openshift-controller-manager-rhel8@sha256:edb2615c58db46631707ad3d0020e0e4c39b31b3a81d115420ed12d7b622179e
openshift4/ose-ovn-kubernetes-rhel9@sha256:dca8367f6c205cacb47c47d774579fd396d9213ab7b0faeb8d4a26eef71628ab
openshift4/ose-ovn-kubernetes@sha256:dca8367f6c205cacb47c47d774579fd396d9213ab7b0faeb8d4a26eef71628ab
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:6383597fedc8078207083d3bf635c318385c8d75d6f32d4d77efd7f25511871c
openshift4/ose-tests@sha256:3443e518976ebe55fc40e96b94848b3d0d838fa8f4097df3ae60c3f509ddb293

x86_64

openshift4/driver-toolkit-rhel9@sha256:242a3c6d3736a6827b16cf403eabbf5b12eb5dd766575a5606b5e48e230bea77
openshift4/network-tools-rhel8@sha256:8242f96538e18eec148d5cf4d26c2f8bc837e0cb2d2b424183ea579803188fd2
openshift4/oc-mirror-plugin-rhel8@sha256:a87e6fdccf969eb1ffa5759542f7482bb76c0ee399111130d9a3579a9fa6fada
openshift4/ose-alibaba-disk-csi-driver-operator-container-rhel8@sha256:c59197fd2b71316b51083010ed266b5dbd2337791c04d812497c716b914ed7d5
openshift4/ose-aws-ebs-csi-driver-rhel8-operator@sha256:7b0d07f44cab631ac47dc168e43d1716f1f332620706055574f9722c29e90296
openshift4/ose-azure-file-csi-driver-operator-rhel8@sha256:ec37033c2244931b1ca85fdd68a63047ad9f7fe6656d50dd311b604de83ef916
openshift4/ose-cloud-credential-operator@sha256:fae618466660ee22e5e79c3f434d3f91bf589201dff6e2b65236f700e8021c41
openshift4/ose-cluster-machine-approver@sha256:b10af2df852f81b391898c2318cf66426aa64ba2930abfd49555b9722cb6125a
openshift4/ose-cluster-olm-operator-rhel8@sha256:c208dbb5014ad7988e4b139c259c63693fd247a5eb6202666434645551461d86
openshift4/ose-cluster-openshift-controller-manager-operator@sha256:449ea5ef5a4e1a333da25f4c877130e001ff95d45f5de3aba0e9730a6265406b
openshift4/ose-cluster-storage-operator@sha256:db0381f98430fb5c0f220ad8efbb1dee33f8b95df335e0546215e5ba2eada230
openshift4/ose-console@sha256:26b0127d10ceec535dd9e58077cfa8b88fcfa5c8ac225f15ffeb96b0a4dd9e12
openshift4/ose-csi-driver-manila-rhel8-operator@sha256:25bafdb6d14dd135b1d5f5fbb1baabf46b136fff3c45ccf11a9d00e821ea9d6e
openshift4/ose-csi-driver-shared-resource-operator-rhel8@sha256:2a319018a950cdacb45e8e20600d15f55351d233b42fc546a305e83ad9ce6c0e
openshift4/ose-csi-driver-shared-resource-rhel8@sha256:7a5bc7864da955b0811c8b3da0e00b3487caa00afeaaa9195e1e0de31a4f0b60
openshift4/ose-csi-driver-shared-resource-webhook-rhel8@sha256:f34e7f27b0184d55df51fc3bac4a3a3d3b266568d6e819f485d1d63e061c156b
openshift4/ose-docker-builder@sha256:f52635c2d191359d7d328542618092f677a0fa8bc357d6f1ab0b75a341fbdb0c
openshift4/ose-gcp-pd-csi-driver-operator-rhel8@sha256:791d60cd6ea7d7ea7514aebbb31031c3fd27115e1a73dcff144fca7dfcb49c8f
openshift4/ose-hypershift-rhel8@sha256:1238409c7503390b1b262e8f03512a920bd6936c93c7a00ced0631079067a72a
openshift4/ose-ibm-vpc-block-csi-driver-operator-rhel8@sha256:3f96e6043c53e7ecdabe381c0a547e7dda69e5bb3b917051ee8d376acdd78a4c
openshift4/ose-ironic-machine-os-downloader-rhel9@sha256:1bf91a55df1f89c0195450219af8890ac8ca49f3da6b2b49fd44e9c7fdfd9ef4
openshift4/ose-ironic-rhel9@sha256:b9f2d3b239aaf4e864b362e9684967bff4acafc1d09538ec09cc14c98b87fb47
openshift4/ose-machine-api-operator@sha256:72a45a8478be18417a23d0eeae441d876d6c4c6f10afadfdc4195c822c43d6e9
openshift4/ose-machine-api-provider-azure-rhel8@sha256:ec2f12f8a879ded7302865200ec36611a038e08996d2b7b4ace364efc3e8590b
openshift4/ose-machine-config-operator@sha256:98007d050a6f6108ef102383f77ea43b6d89c8a73e2d921a13dd7111833575be
openshift4/ose-olm-rukpak-rhel8@sha256:ca0e836bc238a40f9cfa39aa59ef23782d535de2b901adecc3c5761fd30dac72
openshift4/ose-openshift-controller-manager-rhel8@sha256:83ee4ca19d3c9c3e2b8186680ca1d60d8c5885f9b1e259213e24bff438abc3ff
openshift4/ose-ovn-kubernetes-rhel9@sha256:fd9ffb706bebb2b87e4ed4b21c9d4c3d8818133d6e90027ddee1cc524a15e1fc
openshift4/ose-ovn-kubernetes@sha256:fd9ffb706bebb2b87e4ed4b21c9d4c3d8818133d6e90027ddee1cc524a15e1fc
openshift4/ose-ovn-kubernetes-microshift-rhel9@sha256:02d1326daa93e359787adfdb2cbea7ce863e9adea88d31ba3f5c375de1f82036
openshift4/ose-tests@sha256:f9d02b8cbae05f923be47917d0bf466a97751f6fad935011c3801e9cd96d4689

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.