Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update

Topic

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
• golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
• golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
• golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

For Secondary Scheduler Operator 1.1.0 see the following documentation, which
will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift
1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

Affected Products

• Secondary Scheduler Operator for Red Hat OpenShift (OSSO) 1.0 x86_64

Fixes

• BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
• BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
• BZ - 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
• BZ - 2105001 - [SSO] Secondary scheduler version is shown as unknown in the operator logs
• BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
• BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
• BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
• BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
• BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
• BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
• BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
• WRKLDS-466 - Secondary Scheduler Operator for Red Hat OpenShift 1.1 release

CVEs

• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-24675
• CVE-2022-28131
• CVE-2022-28327
• CVE-2022-30629
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-32148

References

• https://access.redhat.com/security/updates/classification/#important