Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Topic

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

• goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)
• decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
• vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250)
• vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
• nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
• go-yaml: Denial of Service in go-yaml (CVE-2021-4235)
• vault: incorrect policy enforcement (CVE-2021-43998)
• nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
• nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
• nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
• golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
• golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
• nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
• jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540)
• jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)
• golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
• golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
• consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149)
• vault: insufficient certificate revocation list checking (CVE-2022-41316)
• golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
• golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
• net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
• golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
• golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
• json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
• vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620)
• hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665)
• Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999)
• hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000)
• validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765)
• nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
• golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images that provide numerous bug fixes and enhancements.

Affected Products

• Red Hat OpenShift Data Foundation 4 for RHEL 9 x86_64
• Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 9 ppc64le
• Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 9 s390x
• Red Hat OpenShift Data Foundation for RHEL 9 ARM 4 aarch64

Fixes

• BZ - 1786696 - UI->Dashboards->Overview->Alerts shows MON components are at different versions, though they are NOT
• BZ - 1855339 - Wrong version of ocs-storagecluster
• BZ - 1943137 - [Tracker for BZ #1945618] rbd: Storage is not reclaimed after persistentvolumeclaim and job that utilized it are deleted
• BZ - 1944687 - [RFE] KMS server connection lost alert
• BZ - 1989088 - [4.8][Multus] UX experience issues and enhancements
• BZ - 2005040 - Uninstallation of ODF StorageSystem via OCP Console fails, gets stuck in Terminating state
• BZ - 2005830 - [DR] DRPolicy resource should not be editable after creation
• BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
• BZ - 2028193 - CVE-2021-43998 vault: incorrect policy enforcement
• BZ - 2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names
• BZ - 2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection
• BZ - 2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields
• BZ - 2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
• BZ - 2042914 - [Tracker for BZ #2013109] [UI] Refreshing web console from the pop-up is taking to Install Operator page.
• BZ - 2052252 - CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 [CVE] nodejs: various flaws [openshift-data-foundation-4]
• BZ - 2101497 - ceph_mon_metadata metrics are not collected properly
• BZ - 2101916 - must-gather is not collecting ceph logs or coredumps
• BZ - 2102304 - [GSS] Remove the entry of removed node from Storagecluster under Node Topology
• BZ - 2104148 - route ocs-storagecluster-cephobjectstore misconfigured to use http and https on same http route in haproxy.config
• BZ - 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
• BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
• BZ - 2115020 - [RDR] Sync schedule is not removed from mirrorpeer yaml after DR Policy is deleted
• BZ - 2115616 - [GSS] failing to change ownership of the NFS based PVC for PostgreSQL pod by using kube_pv_chown utility
• BZ - 2119551 - CVE-2022-38149 consul: Consul Template May Expose Vault Secrets When Processing Invalid Input
• BZ - 2120098 - [RDR] Even before an action gets fully completed, PeerReady and Available are reported as True in the DRPC yaml
• BZ - 2120944 - Large Omap objects found in pool 'ocs-storagecluster-cephfilesystem-metadata'
• BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
• BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
• BZ - 2126299 - CVE-2021-3765 validator: Inefficient Regular Expression Complexity in Validator.js
• BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
• BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
• BZ - 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
• BZ - 2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking
• BZ - 2139037 - [cee/sd]Unable to access s3 via RGW route ocs-storagecluster-cephobjectstore
• BZ - 2141095 - [RDR] Storage System page on ACM Hub is visible even when data observability is not enabled
• BZ - 2142651 - RFE: OSDs need ability to bind to a service IP instead of the pod IP to support RBD mirroring in OCP clusters
• BZ - 2142894 - Credentials are ignored when creating a Backing/Namespace store after prompted to enter a name for the resource
• BZ - 2142941 - RGW cloud Transition. HEAD/GET requests to MCG are failing with 403 error
• BZ - 2143944 - [GSS] unknown parameter name "FORCE_OSD_REMOVAL"
• BZ - 2144256 - [RDR] [UI] DR Application applied to a single DRPolicy starts showing connected to multiple policies due to console flickering
• BZ - 2151903 - [MCG] Azure bs/ns creation fails with target bucket does not exists
• BZ - 2152143 - [Noobaa Clone] Secrets are used in env variables
• BZ - 2154250 - NooBaa Bucket Quota alerts are not working
• BZ - 2155507 - RBD reclaimspace job fails when the PVC is not mounted
• BZ - 2155743 - ODF Dashboard fails to load
• BZ - 2156067 - [RDR] [UI] When Peer Ready isn't True, UI doesn't reset the error message even when no subscription group is selected
• BZ - 2156069 - [UI] Instances of OCS can be seen on BlockPool action modals
• BZ - 2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
• BZ - 2156519 - 4.13: odf-csi-addons-operator failed with OwnNamespace InstallModeType not supported
• BZ - 2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml
• BZ - 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
• BZ - 2157876 - [OCP Tracker] [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash
• BZ - 2158922 - Namespace store fails to get created via the ODF UI
• BZ - 2159676 - rbd-mirror logs are rotated very frequently, increase the default maxlogsize for rbd-mirror
• BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
• BZ - 2161879 - logging issue when deleting webhook resources
• BZ - 2161937 - collect kernel and journal logs from all worker nodes
• BZ - 2162257 - [RDR][CEPHFS] sync/replication is getting stopped for some pvc
• BZ - 2164617 - Unable to expand ocs-storagecluster-ceph-rbd PVCs provisioned in Filesystem mode
• BZ - 2165495 - Placement scheduler is using too much resources
• BZ - 2165504 - Sizer sharing link is broken
• BZ - 2165929 - [RFE] ODF bluewash introduction in 4.12.x
• BZ - 2165938 - ocs-operator CSV is missing disconnected env annotation.
• BZ - 2165984 - [RDR] Replication stopped for images is represented with incorrect color
• BZ - 2166222 - CSV is missing disconnected env annotation and relatedImages spec
• BZ - 2166234 - Application user unable to invoke Failover and Relocate actions
• BZ - 2166869 - Match the version of consoleplugin to odf operator
• BZ - 2167299 - [RFE] ODF bluewash introduction in 4.12.x
• BZ - 2167308 - [mcg-clone] Security and VA issues with ODF operator
• BZ - 2167337 - CVE-2020-16250 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
• BZ - 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
• BZ - 2167946 - CSV is missing disconnected env annotation and relatedImages spec
• BZ - 2168113 - [Ceph Tracker BZ #2141110] [cee/sd][Bluestore] Newly deployed bluestore OSD's showing high fragmentation score
• BZ - 2168635 - fix redirect link to operator details page (OCS dashboard)
• BZ - 2168840 - [Fusion-aaS][ODF 4.13]Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable.
• BZ - 2168849 - Must-gather doesn't collect coredump logs crucial for OSD crash events
• BZ - 2169375 - CVE-2022-23541 jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
• BZ - 2169378 - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
• BZ - 2169779 - [vSphere]: rook-ceph-mon-* pvc are in pending state
• BZ - 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
• BZ - 2170673 - [RDR] Different replication states of PVC images aren't correctly distinguished and representated on UI
• BZ - 2172089 - [Tracker for Ceph BZ 2174461] rook-ceph-nfs pod is stuck at status 'CreateContainerError' after enabling NFS in ODF 4.13
• BZ - 2172365 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12
• BZ - 2172521 - No OSD pods are created for 4.13 LSO deployment
• BZ - 2173161 - ODF-console can not start when you disable IPv6 on Node with kernel parameter.
• BZ - 2173528 - Creation of OCS operator tag automatically for verified commits
• BZ - 2173534 - When on StorageSystem details click on History back btn it shows blank body
• BZ - 2173926 - [RFE] Include changes in MCG for new Ceph RGW transition headers
• BZ - 2175612 - noobaa-core-0 crashing and storagecluster not getting to ready state during ODF deployment with FIPS enabled in 4.13cluster
• BZ - 2175685 - RGW OBC creation via the UI is blocked by "Address form errors to proceed" error
• BZ - 2175714 - UI fix- capitalization
• BZ - 2175867 - Rook sets cephfs kernel mount options even when mon is using v1 port
• BZ - 2176080 - odf must-gather should collect output of oc get hpa -n openshift-storage
• BZ - 2176456 - [RDR] ramen-hub-operator and ramen-dr-cluster-operator is going into CLBO post deployment
• BZ - 2176739 - [UI] CSI Addons operator icon is broken
• BZ - 2176776 - Enable save options only when the protected apps has labels for manage DRPolicy
• BZ - 2176798 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub
• BZ - 2176809 - [IBM Z ] DR operator is not available in the Operator Hub
• BZ - 2177134 - Next button if disabled for storage system deployment flow for IBM Ceph Storage security and network step when there is no OCS installed already
• BZ - 2177221 - Enable DR dashboard only when ACM observability is enabled
• BZ - 2177325 - Noobaa-db pod is taking longer time to start up in ODF 4.13
• BZ - 2177695 - DR dashbaord showing incorrect RPO data
• BZ - 2177844 - CVE-2023-24999 Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
• BZ - 2178033 - node topology warnings tab doesn't show pod warnings
• BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
• BZ - 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
• BZ - 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
• BZ - 2178588 - No rack names on ODF Topology
• BZ - 2178619 - odf-operator failing to resolve its sub-dependencies leaving the ocs-consumer/provider addon in a failed and halted state
• BZ - 2178682 - [GSS] Add the valid AWS GovCloud regions in OCS UI.
• BZ - 2179133 - [UI] A blank page appears while selecting Storage Pool for creating Encrypted Storage Class
• BZ - 2179337 - Invalid storage system href link on the ODF multicluster dashboard
• BZ - 2179403 - (4.13) Mons are failing to start when msgr2 is required with RHCS 6.1
• BZ - 2179846 - [IBM Z] In RHCS external mode Cephobjectstore creation fails as it reports that the "object store name cannot be longer than 38 characters"
• BZ - 2179860 - [MCG] Bucket replication with deletion sync isn't complete
• BZ - 2179976 - [ODF 4.13] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
• BZ - 2179981 - ODF Topology search bar mistakes to find searched node/pod
• BZ - 2179997 - Topology. Exit full screen does not appear in Full screen mode
• BZ - 2180211 - StorageCluster stuck in progressing state for Thales KMS deployment
• BZ - 2180397 - Last sync time is missing on application set's disaster recovery status popover
• BZ - 2180440 - odf-monitoring-tool. YAML file misjudged as corrupted
• BZ - 2180921 - Deployment with external cluster in ODF 4.13 with unable to use cephfs as backing store for image_registry
• BZ - 2181112 - [RDR] [UI] Hide disable DR functionality as it would be un-tested in 4.13
• BZ - 2181133 - CI: backport E2E job improvements
• BZ - 2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured.
• BZ - 2181535 - [GSS] Object storage in degraded state
• BZ - 2181551 - Build: move to 'dependencies' the ones required for running a build
• BZ - 2181832 - Create OBC via UI, placeholder on StorageClass dropped
• BZ - 2181949 - [ODF Tracker] [RFE] Catch MDS damage to the dentry's first snapid
• BZ - 2182041 - OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator
• BZ - 2182296 - [Fusion-aaS][ODF 4.13]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace
• BZ - 2182375 - [MDR] Not able to fence DR clusters
• BZ - 2182644 - [IBM Z] MDR policy creation fails unless the ocs-operator pod is restarted on the managed clusters
• BZ - 2182664 - Topology view should hide the sidebar when changing levels
• BZ - 2182703 - [RDR] After upgrading from 4.12.2 to 4.13.0 version.odf.openshift.io cr is not getting updated with latest ODF version
• BZ - 2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations
• BZ - 2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
• BZ - 2183155 - failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call
• BZ - 2183196 - [Fusion-aaS] Collect Must-gather logs from the managed-fusion agent namesapce
• BZ - 2183266 - [Fusion aaS Rook ODF 4.13]] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present
• BZ - 2183457 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
• BZ - 2183478 - [MDR][UI] Cannot relocate subscription based apps, Appset based apps are possible to relocate
• BZ - 2183520 - [Fusion-aaS] csi-cephfs-plugin pods are not created after installing ocs-client-operator
• BZ - 2184068 - [Fusion-aaS] Failed to mount CephFS volumes while creating pods
• BZ - 2184605 - [ODF 4.13][Fusion-aaS] OpenShift Data Foundation Client operator is listed in OperatorHub and installable from UI
• BZ - 2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File
• BZ - 2184769 - {Fusion-aaS][ODF 4.13]Remove storageclassclaim cr and create new cr storageclass request cr
• BZ - 2184773 - multicluster-orchestrator should not reset spec.network.multiClusterService.Enabled field added by user
• BZ - 2184892 - Don't pass encryption options to ceph cluster in odf external mode to provider/consumer cluster
• BZ - 2184984 - Topology Sidebar alerts panel: alerts accordion does not toggle when clicking on alert severity text
• BZ - 2185164 - [KMS][VAULT] PVC provisioning is failing when the Vault (HCP) Kubernetes authentication is set.
• BZ - 2185188 - Fix storagecluster watch request for OCSInitialization
• BZ - 2185757 - add NFS dashboard
• BZ - 2185871 - [MDR][ACM-Tracker] Deleting an Appset based application does not delete its placement
• BZ - 2186171 - [GSS] "disableLoadBalancerService: true" config is reconciled after modifying the number of NooBaa endpoints
• BZ - 2186225 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
• BZ - 2186475 - handle different network connection spec & Pass appropriate options for all the cases of Network Spec
• BZ - 2186752 - [translations] add translations for 4.13
• BZ - 2187251 - sync ocs and odf with the latest rook
• BZ - 2187296 - [MCG] Can't opt out of deletions sync once log-based replication with deletions sync is set
• BZ - 2187736 - [RDR] Replication history graph is showing incorrect value
• BZ - 2187952 - When cluster controller is cancelled frequently, multiple simultaneous controllers cause issues since need to wait for shutdown before continuing new controller
• BZ - 2187969 - [ODFMS-Migration ] [OCS Client Operator] csi-rbdplugin stuck in ImagePullBackOff on consumer clusters after Migration
• BZ - 2187986 - [MDR] ramen-dr-cluster-operator pod is in CLBO after assigning dr policy to an appset based app
• BZ - 2188053 - ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources
• BZ - 2188238 - [RDR] Avoid using the terminologies "SLA" in DR dashbaord
• BZ - 2188303 - [RDR] Maintenance mode is not enabled after initiating failover action
• BZ - 2188427 - [External mode upgrade]: Upgrade from 4.12 -> 4.13 external mode is failing because rook-ceph-operator is not reaching clean state
• BZ - 2188666 - wrong label in new storageclassrequest cr
• BZ - 2189483 - After upgrade noobaa-db-pg-0 pod using old image in one of container
• BZ - 2189929 - [RDR/MDR] [UI] Dashboard fon size are very uneven
• BZ - 2189982 - [RDR] ocs_rbd_client_blocklisted datapoints and the corresponding alert is not getting generated
• BZ - 2189984 - [KMS][VAULT] Storage cluster remains in 'Progressing' state during deployment with storage class encryption, despite all pods being up and running.
• BZ - 2190129 - OCS Provider Server logs are incorrect
• BZ - 2190241 - nfs metric details are unavailable and server health is displaying as "Degraded" under Network file system tab in UI
• BZ - 2192088 - [IBM P] rbd_default_map_options value not set to ms_mode=secure in in-transit encryption enabled ODF cluster
• BZ - 2192670 - Details tab for nodes inside Topology throws "Something went wrong" on IBM Power platform
• BZ - 2192824 - [4.13] Fix Multisite in external cluster
• BZ - 2192875 - Enable ceph-exporter in rook
• BZ - 2193114 - MCG replication is failing due to OC binary incompatible on Power platform
• BZ - 2193220 - [Stretch cluster] CephCluster is updated frequently due to changing ordering of zones
• BZ - 2196176 - MULTUS UI, There is no option to change the multus configuration after we configure the params
• BZ - 2196236 - [RDR] With ACM 2.8 User is not able to apply Drpolicy to subscription workload
• BZ - 2196298 - [RDR] DRPolicy doesn't show connected application when subscription based workloads are deployed via CLI
• BZ - 2203795 - ODF Monitoring is missing some of the ceph_* metric values
• BZ - 2208029 - nfs server health is always displaying as "Degraded" under Network file system tab in UI.
• BZ - 2208079 - rbd mirror daemon is commonly not upgraded
• BZ - 2208269 - [RHCS Tracker] After add capacity the rebalance does not complete, and we see 2 PGs in active+clean+scrubbing and 1 active+clean+scrubbing+deep
• BZ - 2208558 - [MDR] ramen-dr-cluster-operator pod crashes during failover
• BZ - 2208962 - [UI] ODF Topology. Degraded cluster don't show red canvas on cluster level
• BZ - 2209364 - ODF dashboard crashes when OCP and ODF are upgraded
• BZ - 2209643 - Multus, Cephobjectstore stuck on Progressing state because " failed to create or retrieve rgw admin ops user"
• BZ - 2209695 - When collecting Must-gather logs shows /usr/bin/gather_ceph_resources: line 341: jq: command not found
• BZ - 2210964 - [UI][MDR] After hub recovery in overview tab of data policies Application set apps count is not showing
• BZ - 2211334 - The replication history graph is very unclear
• BZ - 2211343 - [MCG-Only]: upgrade failed from 4.12 to 4.13 due to missing CSI_ENABLE_READ_AFFINITY in ConfigMap openshift-storage/ocs-operator-config
• BZ - 2211704 - Multipart uploads fail to a Azure namespace bucket when user MD is sent as part of the upload

CVEs

• CVE-2015-20107
• CVE-2018-25032
• CVE-2020-10735
• CVE-2020-16250
• CVE-2020-16251
• CVE-2020-17049
• CVE-2021-3765
• CVE-2021-3807
• CVE-2021-4231
• CVE-2021-4235
• CVE-2021-4238
• CVE-2021-28861
• CVE-2021-43519
• CVE-2021-43998
• CVE-2021-44531
• CVE-2021-44532
• CVE-2021-44533
• CVE-2021-44964
• CVE-2021-46828
• CVE-2021-46848
• CVE-2022-0670
• CVE-2022-1271
• CVE-2022-1304
• CVE-2022-1348
• CVE-2022-1586
• CVE-2022-1587
• CVE-2022-2309
• CVE-2022-2509
• CVE-2022-2795
• CVE-2022-2879
• CVE-2022-2880
• CVE-2022-3094
• CVE-2022-3358
• CVE-2022-3515
• CVE-2022-3517
• CVE-2022-3715
• CVE-2022-3736
• CVE-2022-3821
• CVE-2022-3924
• CVE-2022-4415
• CVE-2022-21824
• CVE-2022-23540
• CVE-2022-23541
• CVE-2022-24903
• CVE-2022-26280
• CVE-2022-27664
• CVE-2022-28805
• CVE-2022-29154
• CVE-2022-30635
• CVE-2022-31129
• CVE-2022-32189
• CVE-2022-32190
• CVE-2022-33099
• CVE-2022-34903
• CVE-2022-35737
• CVE-2022-36227
• CVE-2022-37434
• CVE-2022-38149
• CVE-2022-38900
• CVE-2022-40023
• CVE-2022-40303
• CVE-2022-40304
• CVE-2022-40897
• CVE-2022-41316
• CVE-2022-41715
• CVE-2022-41717
• CVE-2022-41723
• CVE-2022-41724
• CVE-2022-41725
• CVE-2022-42010
• CVE-2022-42011
• CVE-2022-42012
• CVE-2022-42898
• CVE-2022-42919
• CVE-2022-43680
• CVE-2022-45061
• CVE-2022-45873
• CVE-2022-46175
• CVE-2022-47024
• CVE-2022-47629
• CVE-2022-48303
• CVE-2022-48337
• CVE-2022-48338
• CVE-2022-48339
• CVE-2023-0361
• CVE-2023-0620
• CVE-2023-0665
• CVE-2023-2491
• CVE-2023-22809
• CVE-2023-24329
• CVE-2023-24999
• CVE-2023-25000
• CVE-2023-25136

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index