Issued:: 2024-06-11
Updated:: 2024-06-11

RHSA-2024:3801 - Security Advisory

Overview
Updated Images

Synopsis

Moderate: OpenShift Container Platform 4.12.58 CNF vRAN extras security update

Type/Severity

Security Advisory: Moderate

Topic

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.12.

This release includes a security update for CVE-2023-30841 topology-aware-lifecycle-manager-operator-container: baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access [openshift-4] that was previously fixed but not reported in an errata.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.12. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:3349

Thos release includes a security update for topology-aware-lifecycle-manager-operator-container: baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841).

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Solution

For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html.

Affected Products

Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

OCPBUGS-33779 - Customers on 4.12 need the "one-shot time sync on boot" fix from 4.14
OCPBUGS-11986 - TALM logs timestamp needs to match platform
OCPBUGS-17388 - [TALM] ClusterVersion policy fails when using templates
OCPBUGS-20001 - talm operator bundle ships with a "skipRange" annotation but without the "replaces" property (CSV)
OCPBUGS-20425 - InvalidPlatformImage Error Behind Proxy
OCPBUGS-25226 - TALM sometimes generates invalid ConfigurationPolicy names

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

x86_64

openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:4466f67dfad7dd6d24dcf159e7a218b66449a6f066b5330eef46d81a52d7f7ce

openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:bce1e6008ef98ae71cfb8b539e90887e86eecfe9e309416f31eb5acd11a1f73d

openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:857dd66e50798ce2e24e2cada9a9bf0a5f8ebc7699eb6bb2ef7a23ed1591780c

openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:716c90133d0435c8252f87d9ca42bf5def073ed446c684809303df8e610770b4

openshift4/ztp-site-generate-rhel8@sha256:9b3e546531cbde05d943a77ce8a4875fb1375642d5a07e19485f473549e0f562

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation