Headline
Red Hat Security Advisory 2023-1329-01
Red Hat Security Advisory 2023-1329-01 - Red Hat build of MicroShift is Red Hat’s light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.13.0. Issues addressed include a man-in-the-middle vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.13.0 bug fix and security update
Advisory ID: RHSA-2023:1329-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1329
Issue date: 2023-05-18
CVE Names: CVE-2022-41717
====================================================================
- Summary:
Red Hat build of MicroShift release 4.13.0 is now available with updates to
packages and images that fix several bugs.
This release includes a security update for Red Hat build of MicroShift
4.13.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.13 - aarch64, noarch, x86_64
- Description:
Red Hat build of MicroShift is Red Hat’s light-weight Kubernetes
orchestration solution designed for edge device deployments and is built
from the edge capabilities of Red Hat OpenShift. MicroShift is an
application that is deployed on top of Red Hat Enterprise Linux devices at
the edge, providing an efficient way to operate single-node clusters in
these low-resource environments.
This advisory contains the RPM packages for Red Hat build of MicroShift
4.13.0. Read the following advisory for the container images for this
release:
https://access.redhat.com/errata/RHSA-2023:1326
Security Fix(es):
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2
requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
All of the bug fixes may not be documented in this advisory. Read the
following release notes documentation for details about these changes:
https://access.redhat.com/documentation/en-us/microshift/4.13/html/release_notes/index
All Red Hat build of MicroShift 4.13 users are advised to use these updated
packages and images when they are available in the RPM repository.
- Solution:
For MicroShift 4.13, read the following documentation, which will be
updated shortly for this release, for important instructions on how to
install the latest RPMs and fully apply this asynchronous errata update:
https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.13/html/release_notes/index
- Bugs fixed (https://bugzilla.redhat.com/):
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
- JIRA issues fixed (https://issues.jboss.org/):
OCPBUGS-10223 - kubeconfig CA includes all signers
OCPBUGS-10242 - CSI driver ends up in crash loop when host does not have default VG name
OCPBUGS-10243 - sysconfwatch-controller logs excessively
OCPBUGS-10251 - Rebase to 4.13 failed with duplicate metrics registration in ovnk
OCPBUGS-10253 - nats.io doesn’t work on microshift
OCPBUGS-10254 - The router pod is delayed over 5m after reboot
OCPBUGS-10256 - Some pods not coming up after rebooting
OCPBUGS-10617 - Prompt unexpected err="microshift-etcd failed to start when execute ‘microshift-etcd run’
OCPBUGS-10791 - MicroShift pods cannot resolve local host name
OCPBUGS-11295 - e2e: Config v1 client shim for static configuration manifests with read-only operations
OCPBUGS-11412 - build requirements are not available outside of Red Hat
OCPBUGS-11497 - Microshift-etcd doesn’t start up with memoryLimitMB set to 50.
OCPBUGS-11593 - RPM build shows errors from missing jq command
OCPBUGS-11660 - sudo /usr/bin/microshift show-config --mode effective doesn’t show the correct memoryLimitMB value
OCPBUGS-11811 - dependency on openvswitch is not compatible with RHEL 9.2 versions
OCPBUGS-13023 - Update dependency on selinux-policy to match RHEL 9.2 released package version
OCPBUGS-2869 - Don’t observe could not find the requested resource *v1.ClusterResourceQuota
OCPBUGS-3635 - Default for spec.to.weight missing from Route CRD schema
OCPBUGS-4198 - route-controller-manager not creating routes
OCPBUGS-4323 - Route/v1 defaulting for target kind and termination must be sharable between openshift-apiserver and kube-apiserver
OCPBUGS-4577 - [MicroShift] the host and routerCanonicalHostname should use same sub domain name
OCPBUGS-4657 - Route defaulting package from library-go must be available for import by kube-apiserver admission plugins
OCPBUGS-4658 - Use shared library in admission to default Routes served via CRD
OCPBUGS-5537 - MicroShift’s rebase step creates tight coupling with specific branch
OCPBUGS-5858 - MicroShift’s rebase is missing arm64 nightly changes if no new amd64 nightly was produced
OCPBUGS-5908 - Change TopoLVM to use 4.12 released image references
OCPBUGS-6173 - Update 4.13 ovn-kubernetes-microshift image to be consistent with ART
OCPBUGS-6858 - Missing CRI-O version dependency leads to network not starting
OCPBUGS-6860 - service configured with a nodeport can’t be reached until after restart of ovnkube-master
OCPBUGS-6864 - iptables rules can not be restored after removing source and adding it back
OCPBUGS-7444 - Fix firewalld known issue in microshift doc
OCPBUGS-8338 - Add etcd config to Microshift user config
OCPBUGS-8493 - Microshift does not come up if the Hostname of RHEL has an upper case letter
OCPBUGS-8704 - (4.13) microshift-etcd fail to check the version
OCPBUGS-9965 - fails to access APIServer service IP assigned on lo device
OCPBUGS-9999 - malformed manifests are retried indefinitely and cause API server availability issues
- Package List:
Red Hat OpenShift Container Platform 4.13:
Source:
microshift-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.src.rpm
aarch64:
microshift-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.aarch64.rpm
microshift-networking-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.aarch64.rpm
noarch:
microshift-release-info-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.noarch.rpm
microshift-selinux-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.noarch.rpm
x86_64:
microshift-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.x86_64.rpm
microshift-networking-4.13.0-202305161335.p0.g17cae44.assembly.4.13.0.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/microshift/4.13/html/release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZGW+qNzjgjWX9erEAQgKUBAAgJTFwCyw2sDIBX09SpO/DpM0b4EWNDL1
5+cVfhtJ6BitU5yiXrjXocGcgho5yIWY9MRZ+sq7hRuFjE+k0uB0bGy3AfOjcVDG
uOspUjkvW8KzhTRVpKXDDqP9Q6OpYqaXptkYwvYro9vAFQm/QvW7PKw/K60FIpPK
g/K7gjy9xnLghG6C6vG6/XsFXOEvQ8ZOgchYHDFVm2wZK41m1V1irGBHdggaMdA2
bFBpSKadF+zXRjT6gLxBec2GGSxSmBNP0B/2JHTxWvuzNRBVIMXRZt98o6OkLkWo
g2pzIDTgVY6ls83BebJVD0tx8h5k4PYolgk09TxnDgMRrca5ZXQhk3HmWAHD+0t3
DEypXiiI87pzC00QBbb9IJWz+SVsIXbgL30SilBJRFIc+y9gmJKf0G691psP8U7F
vqn5qsH6gCJl27seARkKerVWoN/Swylq+o20I1NfJSNTOg328tejUVaWvAt+vNMC
oQQg9EsoWFtmyzP02wuX7aD5807MeTXy5LrCSMPPPPBwf5AwIkb5AnZOlAnmSmFC
1wjDi6GW+pX7H36Y4SSaj1Nnj4Pzol19WRD9FJX5ywqWmv+tevf92nFXjnIc2Wyl
uxBLNJq5W4GzW9gu1W2UWOaGAPZZ0WB6M4tquznXMF4AbjVgz64GpAgAR2q8xZcx
AlbUjtGBbZM=2NZ9
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.
Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
Red Hat Security Advisory 2023-3925-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.23.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Updated Red Hat OpenShift Distributed Tracing 2.8 container images are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very...
An update for conmon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can ...
An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...
Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.
OpenShift Serverless version 1.27.1 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat OpenShift Container Platform release 4.10.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeri...
Red Hat Security Advisory 2023-0728-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.3.
Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.
An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...