Important: OpenShift Container Platform 4.14.2 bug fix and security update

Topic

Red Hat OpenShift Container Platform release 4.14.2 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.2. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:6840

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

• golang: net/http, x/net/http2: rapid stream resets can cause excessive

work (CVE-2023-44487) (CVE-2023-39325)

• golang.org/x/net/html: Cross site scripting (CVE-2023-3978)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.14 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)
The image digest is sha256:45a396b169974dcbd8aae481c647bf55bcf9f0f8f6222483d407d7cec450928d

(For s390x architecture)
The image digest is sha256:e14fde23bc01efad56da144b7caf348abb379a87b68bd037b6b4e0191649b3c5

(For ppc64le architecture)
The image digest is sha256:5ca043db92ab39595e4827b2450e4dd369feba122a11fc562d78793196af2eef

(For aarch64 architecture)
The image digest is sha256:a6fc0b3c4774a57efb059238bb3aab2638383ae3f2745220dd1e14e08e36e9f5

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.14 for RHEL 9 x86_64
• Red Hat OpenShift Container Platform 4.14 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.14 for RHEL 9 ppc64le
• Red Hat OpenShift Container Platform for Power 4.14 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 9 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.14 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 9 aarch64
• Red Hat OpenShift Container Platform for ARM 64 4.14 for RHEL 8 aarch64

Fixes

• BZ - 2228689 - CVE-2023-3978 golang.org/x/net/html: Cross site scripting
• BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
• BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
• OCPBUGS-11689 - [4.14] Add support to skip tests based on Jira or BZ status
• OCPBUGS-13926 - OCM-o does not support obtaining verbosity through OpenShiftControllerManager.operatorLogLevel objec
• OCPBUGS-14439 - 4.14.z: [Clone of OCPBugs-8287] SNO 4.10: Power cycle node and MAC address of NIC not available when VDU application starts on Intel E810-C Nic
• OCPBUGS-15044 - [performance] Checking IRQBalance settings Verify GloballyDisableIrqLoadBalancing Spec field [test_id:36150] Verify that IRQ load balancing is enabled/disabled correctly
• OCPBUGS-15791 - TC bug: VFS allocated for dpdk Validate HugePages should allocate the amount of hugepages requested
• OCPBUGS-15809 - [4.14.x] Downstream OLM PSA plug-in is disabled
• OCPBUGS-16145 - Dual stack deployment only reports the primary IP in the node.status.addresses
• OCPBUGS-16267 - [release-4.14] MetalLB controller doesn't preserve internal state after reboot
• OCPBUGS-16341 - Cypress integration tests from "app/auth-multiuser-login" are failing on OCP 4.14.0 cluster
• OCPBUGS-16409 - Verify multi-node WLP enablement when feature is GA
• OCPBUGS-18650 - [4.14] Minor Memory manager e2e test cases fixes
• OCPBUGS-19371 - Upgrade DomainMapping CRD to API version v1beta1
• OCPBUGS-20418 - /sysroot mountpoint failed to resize automatically on new nodes during machineset scaleup
• OCPBUGS-20480 - SNO failed upgrade (4.13-> 4.14) because console operator is not available
• OCPBUGS-20495 - concurrent map reading master offset map in linuxptpdaemon
• OCPBUGS-20508 - Regenerating the machine config operator certificates can panic on vSphere
• OCPBUGS-20522 - [4.14] AgentClusterInstall changes on load aren't respected
• OCPBUGS-20552 - [alibabacloud] IPI installation on Alibabacloud cannot succeed, and zero control-plane node ready
• OCPBUGS-21653 - [gcp] please clarify what's wrong with the userLabel key "a"
• OCPBUGS-21785 - [Azure] EgressIP cannot be applied to the egress node on Azure private cluster
• OCPBUGS-21859 - remove username & password config options
• OCPBUGS-21926 - Azure CCM unable to manage Load Balancer in Azure Managed Identity Installs
• OCPBUGS-22127 - Azure Image Registry Operator Making too Many Storage Account List Calls
• OCPBUGS-22172 - network-tools throwing errors on --help
• OCPBUGS-22177 - Channel page shows "Required" message for the default name when navigate to create channel page
• OCPBUGS-22187 - [azure] missing instance type validation check under defaultMachinePlatform
• OCPBUGS-22208 - [release-4.14] Machine API pull-secret is not updated if the global pull-secret changes as a Day-2 operation.
• OCPBUGS-22257 - Remove wildfly docker.io samples
• OCPBUGS-22651 - Ccoctl create Azure Workload Identity resource does not work properly in eastus region because the storage account does not allow Public access.
• OCPBUGS-22690 - etcd restore should use the same snapshot for all replicas
• OCPBUGS-22702 - Flaky debug pod return code
• OCPBUGS-22718 - previously disabled cluster capability Console unintentionally enabled during an upgrade
• OCPBUGS-22727 - [4.14] Rebase openshift/etcd to 3.5.10
• OCPBUGS-22758 - [4.14] Bootimage bump tracker
• OCPBUGS-22898 - HostedCluster with ControlPlaneEndpoint: 443 also exposes on 6443
• OCPBUGS-23006 - Inline Dockerbuild type doesn't preserve file modified timestamp
• OCPBUGS-9959 - Fix cnf compute tests to check scheduler settings under /sys/kernel/debug/sched/
• OCPBUGS-19789 - Creating an OperatorGroup with "name: cluster" breaks the whole cluster
• OCPBUGS-19845 - Mock apis of git repo for "test serverless function" tests
• OCPBUGS-19897 - CA bundles for hosted cluster monitoring not created
• OCPBUGS-19922 - [4.14] Skip agent-tui on OCI
• OCPBUGS-20051 - MCO does not create duplicated kernel arguments
• OCPBUGS-20222 - EtcdCertSignerController reconciliation failed) when stable-4.13 upgrade to 4.14
• OCPBUGS-22314 - Techpreview CAPI: out of date manifests for Azure
• OCPBUGS-22377 - admission web hook probe error when deploy sample KSVC based app and then modifying icon
• OCPBUGS-22379 - [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster
• OCPBUGS-22391 - worker CSR are pending, so no worker nodes available
• OCPBUGS-22400 - ptp4l process restarted unexpected with dual NIC boundary clocks configured

CVEs

• CVE-2022-27672
• CVE-2022-40982
• CVE-2023-3609
• CVE-2023-3812
• CVE-2023-3978
• CVE-2023-4128
• CVE-2023-4206
• CVE-2023-4207
• CVE-2023-4208
• CVE-2023-5178
• CVE-2023-28321
• CVE-2023-29406
• CVE-2023-29409
• CVE-2023-38546
• CVE-2023-39318
• CVE-2023-39319
• CVE-2023-39321
• CVE-2023-39322
• CVE-2023-39325
• CVE-2023-42753
• CVE-2023-44487

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/security/vulnerabilities/RHSB-2023-003