Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update

Topic

Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.11.0 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

• eventsource: Exposure of Sensitive Information (CVE-2022-1650)
• moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
• nodejs-set-value: type confusion allows bypass of CVE-2019-10747 (CVE-2021-23440)
• nanoid: Information disclosure via valueOf() function (CVE-2021-23566)
• node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
• follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536)
• prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
• golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)
• golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)
• golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)
• golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
• node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771)
• node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772)
• node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773)
• Moment.js: Path traversal in moment.locale (CVE-2022-24785)
• golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
• golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
• golang: syscall: faccessat checks wrong group (CVE-2022-29526)
• go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses (CVE-2022-29810)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images, which provide numerous bug fixes and enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Data Foundation 4 x86_64
• Red Hat OpenShift Data Foundation for IBM Power, little endian 4 ppc64le
• Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 s390x

Fixes

• BZ - 1937117 - Deletion of StorageCluster doesn't remove ceph toolbox pod
• BZ - 1947482 - The device replacement process when deleting the volume metadata need to be fixed or modified
• BZ - 1973317 - libceph: read_partial_message and bad crc/signature errors
• BZ - 1996829 - Permissions assigned to ceph auth principals when using external storage are too broad
• BZ - 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747
• BZ - 2027724 - Warning log for rook-ceph-toolbox in ocs-operator log
• BZ - 2029298 - [GSS] Noobaa is not compatible with aws bucket lifecycle rule creation policies
• BZ - 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
• BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
• BZ - 2047173 - [RFE] Change controller-manager pod name in odf-lvm-operator to more relevant name to lvm
• BZ - 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function
• BZ - 2050897 - CVE-2022-0235 mcg-core-container: node-fetch: exposure of sensitive information to an unauthorized actor [openshift-data-foundation-4]
• BZ - 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
• BZ - 2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
• BZ - 2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
• BZ - 2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
• BZ - 2056697 - odf-csi-addons-operator subscription failed while using custom catalog source
• BZ - 2058211 - Add validation for CIDR field in DRPolicy
• BZ - 2060487 - [ODF to ODF MS] Consumer lost connection to provider API if the endpoint node is powered off/replaced
• BZ - 2060790 - ODF under Storage missing for OCP 4.11 + ODF 4.10
• BZ - 2061713 - [KMS] The error message during creation of encrypted PVC mentions the parameter in UPPER_CASE
• BZ - 2063691 - [GSS] [RFE] Add termination policy to s3 route
• BZ - 2064426 - [GSS][External Mode] exporter python script does not support FQDN for RGW endpoint
• BZ - 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
• BZ - 2066514 - OCS operator to install Ceph prometheus alerts instead of Rook
• BZ - 2067079 - [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route
• BZ - 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery
• BZ - 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery
• BZ - 2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure
• BZ - 2069314 - OCS external mode should allow specifying names for all Ceph auth principals
• BZ - 2069319 - [RFE] OCS CephFS External Mode Multi-tenancy. Add cephfs subvolumegroup and path= caps per cluster.
• BZ - 2069812 - must-gather: rbd_vol_and_snap_info collection is broken
• BZ - 2069815 - must-gather: essential rbd mirror command outputs aren't collected
• BZ - 2070542 - After creating a new storage system it redirects to 404 error page instead of the "StorageSystems" page for OCP 4.11
• BZ - 2071494 - [DR] Applications are not getting deployed
• BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
• BZ - 2073920 - rook osd prepare failed with this error - failed to set kek as an environment variable: key encryption key is empty
• BZ - 2074810 - [Tracker for Bug 2074585] MCG standalone deployment page goes blank when the KMS option is enabled
• BZ - 2075426 - 4.10 must gather is not available after GA of 4.10
• BZ - 2075581 - [IBM Z] : ODF 4.11.0-38 deployment leaves the storagecluster in "Progressing" state although all the openshift-storage pods are up and Running
• BZ - 2076457 - After node replacement[provider], connection issue between consumer and provider if the provider node which was referenced MON-endpoint configmap (on consumer) is lost
• BZ - 2077242 - vg-manager missing permissions
• BZ - 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
• BZ - 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
• BZ - 2079866 - [DR] odf-multicluster-console is in CLBO state
• BZ - 2079873 - csi-nfsplugin pods are not coming up after successful patch request to update "ROOK_CSI_ENABLE_NFS": "true"'
• BZ - 2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses
• BZ - 2081680 - Add the LVM Operator into the Storage category in OperatorHub
• BZ - 2082028 - UI does not have the option to configure capacity, security and networks,etc. during storagesystem creation
• BZ - 2082078 - OBC's not getting created on primary cluster when manageds3 set as "true" for mirrorPeer
• BZ - 2082497 - Do not filter out removable devices
• BZ - 2083074 - [Tracker for Ceph BZ #2086419] Two Ceph mons crashed in ceph-16.2.7/src/mon/PaxosService.cc: 193: FAILED ceph_assert(have_pending)
• BZ - 2083441 - LVM operator should deploy the volumesnapshotclass resource
• BZ - 2083953 - [Tracker for Ceph BZ #2084579] PVC created with ocs-storagecluster-ceph-nfs storageclass is moving to pending status
• BZ - 2083993 - Add missing pieces for storageclassclaim
• BZ - 2084041 - [Console Migration] Link-able storage system name directs to blank page
• BZ - 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
• BZ - 2084201 - MCG operator pod is stuck in a CrashLoopBackOff; Panic Attack: [] an empty namespace may not be set when a resource name is provided"
• BZ - 2084503 - CLI falsely flags unique PVPool backingstore secrets as duplicates
• BZ - 2084546 - [Console Migration] Provider details absent under backing store in UI
• BZ - 2084565 - [Console Migration] The creation of new backing store , directs to a blank page
• BZ - 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
• BZ - 2085351 - [DR] Mirrorpeer failed to create with msg Internal error occurred
• BZ - 2085357 - [DR] When drpolicy is create drcluster resources are getting created under default namespace
• BZ - 2086557 - Thin pool in lvm operator doesn't use all disks
• BZ - 2086675 - [UI]No option to "add capacity" via the Installed Operators tab
• BZ - 2086982 - ODF 4.11 deployment is failing
• BZ - 2086983 - [odf-clone] Mons IP not updated correctly in the rook-ceph-mon-endpoints cm
• BZ - 2087078 - [RDR] [UI] Multiple instances of Object Bucket, Object Bucket Claims and 'Overview' tab is present under Storage section on the Hub cluster when navigated back from the Managed cluster using the Hybrid console dropdown
• BZ - 2087107 - Set default storage class if none is set
• BZ - 2087237 - [UI] After clicking on Create StorageSystem, it navigates to Storage Systems tab but shows an error message
• BZ - 2087675 - ocs-metrics-exporter pod crashes on odf v4.11
• BZ - 2087732 - [Console Migration] Events page missing under new namespace store
• BZ - 2087755 - [Console Migration] Bucket Class details page doesn't have the complete details in UI
• BZ - 2088359 - Send VG Metrics even if storage is being consumed from thinPool alone
• BZ - 2088380 - KMS using vault on standalone MCG cluster is not enabled
• BZ - 2088506 - ceph-external-cluster-details-exporter.py should not accept hostname for rgw-endpoint
• BZ - 2088587 - Removal of external storage system with misconfigured cephobjectstore fails on noobaa webhook
• BZ - 2089296 - [MS v2] Storage cluster in error phase and 'ocs-provider-qe' addon installation failed with ODF 4.10.2
• BZ - 2089342 - prometheus pod goes into OOMKilled state during ocs-osd-controller-manager pod restarts
• BZ - 2089397 - [GSS]OSD pods CLBO after upgrade to 4.10 from 4.9.
• BZ - 2089552 - [MS v2] Cannot create StorageClassClaim
• BZ - 2089567 - [Console Migration] Improve the styling of Various Components
• BZ - 2089786 - [Console Migration] "Attach to deployment" option is missing in kebab menu for Object Bucket Claims .
• BZ - 2089795 - [Console Migration] Yaml and Events page is missing for Object Bucket Claims and Object Bucket.
• BZ - 2089797 - [RDR] rbd image failed to mount with msg rbd error output: rbd: sysfs write failed
• BZ - 2090278 - [LVMO] Some containers are missing resource requirements and limits
• BZ - 2090314 - [LVMO] CSV is missing some useful annotations
• BZ - 2090953 - [MCO] DRCluster created under default namespace
• BZ - 2091487 - [Hybrid Console] Multicluster dashboard is not displaying any metrics
• BZ - 2091638 - [Console Migration] Yaml page is missing for existing and newly created Block pool.
• BZ - 2091641 - MCG operator pod is stuck in a CrashLoopBackOff; MapSecretToNamespaceStores invalid memory address or nil pointer dereference
• BZ - 2091681 - Auto replication policy type detection is not happneing on DRPolicy creation page when ceph cluster is external
• BZ - 2091894 - All backingstores in cluster spontaneously change their own secret
• BZ - 2091951 - [GSS] OCS pods are restarting due to liveness probe failure
• BZ - 2091998 - Volume Snapshots not work with external restricted mode
• BZ - 2092143 - Deleting a CephBlockPool CR does not delete the underlying Ceph pool
• BZ - 2092217 - [External] UI for uploding JSON data for external cluster connection has some strict checks
• BZ - 2092220 - [Tracker for Ceph BZ #2096882] CephNFS is not reaching to Ready state on ODF on IBM Power (ppc64le)
• BZ - 2092349 - Enable zeroing on the thin-pool during creation
• BZ - 2092372 - [MS v2] StorageClassClaim is not reaching Ready Phase
• BZ - 2092400 - [MS v2] StorageClassClaim creation is failing with error "no StorageCluster found"
• BZ - 2093266 - [RDR] When mirroring is enabled rbd mirror daemon restart config should be enabled automatically
• BZ - 2093848 - Note about token for encrypted PVCs should be removed when only cluster wide encryption checkbox is selected
• BZ - 2094179 - MCO fails to create DRClusters when replication mode is synchronous
• BZ - 2094853 - [Console Migration] Description under storage class drop down in add capacity is missing .
• BZ - 2094856 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount
• BZ - 2095155 - Use tool `black` to format the python external script
• BZ - 2096209 - ReclaimSpaceJob fails on OCP 4.11 + ODF 4.10 cluster
• BZ - 2096414 - Compression status for cephblockpool is reported as Enabled and Disabled at the same time
• BZ - 2096509 - [Console Migration] Unable to select Storage Class in Object Bucket Claim creation page
• BZ - 2096513 - Infinite BlockPool tabs get created when the StorageSystem details page is opened
• BZ - 2096823 - After upgrading the cluster from ODF4.10 to ODF4.11, the ROOK_CSI_ENABLE_CEPHFS move to False
• BZ - 2096937 - Storage - Data Foundation: i18n misses
• BZ - 2097216 - Collect StorageClassClaim details in must-gather
• BZ - 2097287 - [UI] Dropdown doesn't close on it's own after arbiter zone selection on 'Capacity and nodes' page
• BZ - 2097305 - Add translations for ODF 4.11
• BZ - 2098121 - Managed ODF not getting detected
• BZ - 2098261 - Remove BlockPools(no use case) and Object(redundat with Overview) tab on the storagesystem page for NooBaa only and remove BlockPools tab for External mode deployment
• BZ - 2098536 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount
• BZ - 2099265 - [KMS] The storagesystem creation page goes blank when KMS is enabled
• BZ - 2099581 - StorageClassClaim with encryption gets into Failed state
• BZ - 2099609 - The red-hat-storage/topolvm release-4.11 needs to be synced with the upstream project
• BZ - 2099646 - Block pool list page kebab action menu is showing empty options
• BZ - 2099660 - OCS dashbaords not appearing unless user clicks on "Overview" Tab
• BZ - 2099724 - S3 secret namespace on the managed cluster doesn't match with the namespace in the s3profile
• BZ - 2099965 - rbd: provide option to disable setting metadata on RBD images
• BZ - 2100326 - [ODF to ODF] Volume snapshot creation failed
• BZ - 2100352 - Make lvmo pod labels more uniform
• BZ - 2100946 - Avoid temporary ceph health alert for new clusters where the insecure global id is allowed longer than necessary
• BZ - 2101139 - [Tracker for OCP BZ #2102782] topolvm-controller get into CrashLoopBackOff few minutes after install
• BZ - 2101380 - Default backingstore is rejected with message INVALID_SCHEMA_PARAMS SERVER account_api#/methods/check_external_connection
• BZ - 2103818 - Restored snapshot don't have any content
• BZ - 2104833 - Need to update configmap for IBM storage odf operator GA
• BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

CVEs

• CVE-2021-23440
• CVE-2021-23566
• CVE-2021-40528
• CVE-2022-0235
• CVE-2022-0536
• CVE-2022-0670
• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-1650
• CVE-2022-1785
• CVE-2022-1897
• CVE-2022-1927
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-21698
• CVE-2022-22576
• CVE-2022-23772
• CVE-2022-23773
• CVE-2022-23806
• CVE-2022-24675
• CVE-2022-24771
• CVE-2022-24772
• CVE-2022-24773
• CVE-2022-24785
• CVE-2022-24921
• CVE-2022-25313
• CVE-2022-25314
• CVE-2022-27774
• CVE-2022-27776
• CVE-2022-27782
• CVE-2022-28327
• CVE-2022-29526
• CVE-2022-29810
• CVE-2022-29824
• CVE-2022-31129

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index