Red Hat Product Errata RHSA-2025:1707 - Security Advisory

Issued: 2025-02-27
Updated: 2025-02-27


Synopsis

Important: OpenShift Container Platform 4.16.36 bug fix and security update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 4.16.36 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.36. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2025:1709

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

Security Fix(es):

  • podman: buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile (CVE-2024-11218)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.16 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are as follows:

(For x86_64 architecture)
The image digest is sha256:efab0026a48c418ff01754238aea813e24097f65ff75962147cef78d785f06f4

(For s390x architecture)
The image digest is sha256:0e508ce16974f094595ce3cef1f2b9c8c637eb4dfbbb7975b116197e1120fbcb

(For ppc64le architecture)
The image digest is sha256:f1cb4b67f7e23609c8e3871eb156949358fec43f031cb0a323240f43a67f3734

(For aarch64 architecture)
The image digest is sha256:7a7711f2aa4ab7424522d44e65cce46e63fb15e8ab125547a099cd11a2e78acf

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html
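
One way to use the digests listed above, as an added example that is not part of the Red Hat advisory: a shell check that a release image pullspec is pinned to the digest this advisory gives for the architecture. The function names are hypothetical, and the commented `oc` usage assumes a cluster running a single-architecture release payload.

```shell
#!/bin/sh
# Added example. Release image digests copied from this advisory (RHSA-2025:1707).

# advisory_digest ARCH -> prints the 4.16.36 release digest for ARCH.
# Accepts both `uname -m` names and Kubernetes/Go arch names (assumed aliases).
advisory_digest() {
    case "$1" in
        x86_64|amd64)  echo "sha256:efab0026a48c418ff01754238aea813e24097f65ff75962147cef78d785f06f4" ;;
        s390x)         echo "sha256:0e508ce16974f094595ce3cef1f2b9c8c637eb4dfbbb7975b116197e1120fbcb" ;;
        ppc64le)       echo "sha256:f1cb4b67f7e23609c8e3871eb156949358fec43f031cb0a323240f43a67f3734" ;;
        aarch64|arm64) echo "sha256:7a7711f2aa4ab7424522d44e65cce46e63fb15e8ab125547a099cd11a2e78acf" ;;
        *) return 2 ;;
    esac
}

# check_release_pullspec PULLSPEC ARCH
# Prints a verdict and returns: 0 match, 1 mismatch, 2 unknown arch,
# 3 pullspec not verifiable (tag reference or malformed digest).
check_release_pullspec() {
    pullspec=$1
    expected=$(advisory_digest "$2") || { echo "unknown-arch"; return 2; }

    case "$pullspec" in
        *@sha256:*) hex=${pullspec##*@sha256:} ;;
        # A tag can be re-pointed at another image, so a tag-only reference
        # proves nothing about which content is actually running.
        *) echo "not-pinned"; return 3 ;;
    esac

    # A sha256 digest is exactly 64 lowercase hex characters.
    if [ "${#hex}" -ne 64 ] || printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
        echo "malformed-digest"; return 3
    fi

    if [ "sha256:$hex" = "$expected" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# Usage against a live cluster (not executed here):
#   img=$(oc get clusterversion version -o jsonpath='{.status.desired.image}')
#   check_release_pullspec "$img" "$(uname -m)"
```

A `mismatch` on a cluster that should be on 4.16.36 means the desired release is a different payload; `not-pinned` means the reference has to be resolved to a digest before it can be compared.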

Affected Products

  • Red Hat OpenShift Container Platform 4.16 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform for Power 4.16 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.16 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.16 for RHEL 9 aarch64

Fixes

  • BZ - 2326231 - CVE-2024-11218 podman: buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile
  • OCPBUGS-35394 - Fix console server's sessions pruning
  • OCPBUGS-43469 - Azure Session for Client Certificate Credential Should Set Options to Send Certificate Chain
  • OCPBUGS-43680 - rendered MachineConfig in use not recreated in OpenShift 4.16
  • OCPBUGS-46493 - SDN Pods consume too much RAM during OVN Live migration, It caused the migration failure in OCP with 500 worker nodes
  • OCPBUGS-48082 - [4.16] Update must-gather owners (artificial PR for backports)
  • OCPBUGS-48762 - [4.16] Bootimage bump tracker
  • OCPBUGS-50575 - [release-4.16] Increase waitForFallbackDegradedConditionTimeout of test e2e-sno-disruptive
  • OCPBUGS-50627 - [4.16] Unable to configure nodeSelector and toleration for nmstate-console-plugin
  • OCPBUGS-50862 - MCO doesn't recover pool from degraded state

CVEs

  • CVE-2024-11218

References

  • https://access.redhat.com/security/updates/classification/#important


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
