Important: Node Maintenance Operator 4.11.1 security update

标题

An update for node-maintenance-must-gather-container, node-maintenance-operator-bundle-container, and node-maintenance-operator-container is now available for Node Maintenance Operator 4.11 for RHEL 8. This Operator is delivered by Red Hat Workload Availability.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

描述

This is an updated release of the Node Maintenance Operator. The Node Maintenance Operator cordons off nodes from the rest of the cluster and drains all the pods from the nodes. By placing nodes under maintenance, administrators can proactively power down nodes, move workloads to other parts of the cluster, and ensure that workloads do not get interrupted.

Security Fix(es):

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the References section.

解决方案

For details on how to apply this update, which includes the changes described in this advisory, see:

https://access.redhat.com/articles/11258

受影响的产品

• Red Hat OpenShift Workload Availability 1 x86_64

修复

• BZ - 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
• BZ - 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
• BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
• BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
• BZ - 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
• BZ - 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
• BZ - 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

CVE

• CVE-2022-1292
• CVE-2022-1586
• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-2068
• CVE-2022-2097
• CVE-2022-28131
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-32148

参考

• https://access.redhat.com/security/updates/classification/#important