Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: OpenShift Container Platform 4.13.1 bug fix and security update

Related Vulnerabilities: CVE-2018-17419   CVE-2021-36157   CVE-2022-25147   CVE-2022-41722   CVE-2022-41723   CVE-2023-25652   CVE-2023-25815   CVE-2023-29007  

Source

Synopsis

Moderate: OpenShift Container Platform 4.13.1 bug fix and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.1. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:3303

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

  • dns: Denial of Service (DoS) (CVE-2018-17419)
  • cortex: Grafana Cortex directory traversal (CVE-2021-36157)
  • golang: path/filepath: path-filepath filepath.Clean path traversal (CVE-2022-41722)
  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)
The image digest is sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f

(For s390x architecture)
The image digest is sha256:dbc768473b99538c15a35ea1be7ff656a6ac01e5001af4fac117c51f461c6054

(For ppc64le architecture)
The image digest is sha256:dc4bab40680fb4ed84665abc34aefef5e0689eafef1c878776c3685ddaa759d5

(For aarch64 architecture)
The image digest is sha256:5415fb0c33370014b9be83bc3120cc9d35a95922b2e93e218cac603e4179717a

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64

Fixes

  • BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
  • BZ - 2183169 - CVE-2021-36157 cortex: Grafana Cortex directory traversal
  • BZ - 2188523 - CVE-2018-17419 dns: Denial of Service (DoS)
  • BZ - 2203008 - CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean path traversal
  • OCPBUGS-11294 - [4.13] Missing metric for CSI migration opt-in
  • OCPBUGS-11302 - Incorrect domain resolution by the coredns/Corefile in Vsphere IPI Clusters | openshift-vsphere-infra
  • OCPBUGS-11336 - NTO: PAO e2e: profile update tests are flaky (time out)
  • OCPBUGS-11353 - --external-cloud-volume-plugin for out-of tree providers
  • OCPBUGS-11387 - build regression on 4.13: ERROR: bash-5.0.11-r1.post-install: script exited with error 127
  • OCPBUGS-11432 - hostpath and node-driver-registrar containers are not pinned to mgmt cores - no WLP annotation
  • OCPBUGS-11775 - wait-for command doesn't handle installing-pending-user-action
  • OCPBUGS-12363 - structured logs are borked in BMO
  • OCPBUGS-12461 - Improve telemetry epic (ODC-7171) doesn't work without PrometheusRule (4.13)
  • OCPBUGS-12722 - Wrong cleanup of stale conditions from OCPBUGS-2783
  • OCPBUGS-12770 - Create BuildConfig button in the Devconsole opens the form in default namespace
  • OCPBUGS-13082 - Root device hints should accept by-path device alias
  • OCPBUGS-13083 - Assisted Root device hints should accept by-path device alias
  • OCPBUGS-13085 - hypershift_hostedclusters_failure_conditions metric incorrectly reports multiple clusters for a single cluster
  • OCPBUGS-13086 - Bootstrap on aws should have same metadata service type as on other nodes
  • OCPBUGS-13127 - EgressIP was NOT migrated to correct workers after deleting machine it was assigned in GCP XPN cluster.
  • OCPBUGS-13138 - 4.13.0-RC.6 Enter to Cluster status: error while trying to install cluster with agent base installer
  • OCPBUGS-13150 - EgressNetworkPolicy DNS resolution does not fall back to TCP for truncated responses
  • OCPBUGS-13155 - CNO doesn't handle nodeSelector in HyperShift
  • OCPBUGS-13162 - Rebase vSphere CSI driver to 3.0.1
  • OCPBUGS-13170 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes
  • OCPBUGS-13222 - NTO profiles not removed when node is removed in hypershift guest cluster
  • OCPBUGS-13312 - Failing test [bz-Machine Config Operator] Nodes should reach OSUpdateStaged in a timely fashion
  • OCPBUGS-13321 - collect-profiles pods causing regular CPU bursts
  • OCPBUGS-13410 - 'vendor' root device hint does not work correctly in ZTP/ABI
  • OCPBUGS-13427 - kuryr-controller crashes on KuryrPort cleanup when subport is already gone: Request requires an ID but none was found
  • OCPBUGS-13497 - kube-apiserver isn't healthy after a cluster comes up
  • OCPBUGS-13531 - AWS VPC endpoint service not cleaned up when access to customer credentials lost
  • OCPBUGS-13563 - [vmware csi driver] vsphere-syncher does not retry populate the CSINodeTopology with topology information when registration fails
  • OCPBUGS-13591 - [TELCO:CASE] Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry
  • OCPBUGS-13598 - OSD clusters' Ingress health checks & routes fail after swapping application router between public and private
  • OCPBUGS-13683 - Yum Config Manager Not Found
  • OCPBUGS-13692 - Failed to create STS resources on AWS GovCloud regions using ccoctl
  • OCPBUGS-13731 - unusual error log in cluster-policy-controller
  • OCPBUGS-13742 - [4.13] container_network* metrics fail to report
  • OCPBUGS-13783 - [Hypershift Guest] OperatorHub details page returns error
  • OCPBUGS-13828 - 4.13: aws-ebs-csi-driver-controller-sa ServiceAccount does not include the HCP pull-secret in its imagePullSecrets
  • OCPBUGS-13887 - Verify that upstream gRPC issue #4632 (leak of net.Conn) is fixed in 4.13
  • OCPBUGS-13888 - CPMS?create two replace machines when deleting a master machine on vSphere
  • OCPBUGS-13959 - [CI Watcher]: logs in as 'test' user via htpasswd identity provider: Auth test logs in as 'test' user via htpasswd identity provider
  • OCPBUGS-1598 - Resourse added toast always have text "Deployment created successfully." irrespective of any resource type selected in the form
  • OCPBUGS-2290 - IPI for Power VS: Deploy fails when there is are certain preexisting resources
  • OCPBUGS-3160 - In some directories(under /run/containers/storage/overlay-containers/) on two of the Infra nodes permissions are rw for other user
  • OCPBUGS-3166 - assisted-installer: pod creation fails due to violations of security policies in 4.12
  • OCPBUGS-7147 - [Descheduler] ? The minKubeVersion should be 1.26.0 for descheduler operator

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started