Red Hat Security Advisory 2023-2138-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update
Advisory ID: RHSA-2023:2138-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2138
Issue date: 2023-05-18
CVE Names: CVE-2020-16251 CVE-2021-43998
====================================================================

1. Summary:

An update for ztp-site-generate-container, topology-aware-lifecycle-manager
and bare-metal-event-relay is now available for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the
container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.

Security Fix(es):

• vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
• vault: incorrect policy enforcement (CVE-2021-43998)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in in ptpconfig source crs
OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
OCPBUGS-3092 - TALM precaching pulls more content than needed
OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
OCPBUGS-4200 - Segfault from TALM after CGU timeout
OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
OCPBUGS-4406 - ptp configs should match reference configs
OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created
OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit “container-mount-namespace.service” is enabled, but has no install section so enable does nothing
OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs

6. References:

https://access.redhat.com/security/cve/CVE-2020-16251
https://access.redhat.com/security/cve/CVE-2021-43998
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZGW9UdzjgjWX9erEAQi5/A/+KKaHyRl+23u8Wj3rxjrnEcz9KPFU+ZUc
UUW1MvuqmFqCX+0Sb98agk5faDIQfhAPuE4ShcwduR8w39ftxFAQWEaDfBqZBuul
1Nptw0Ammrh0btDaQnjXF5vLTcF1sv5GWtkICpoTXg6qcVnIsibw9f1G/hBidiG2
u35ThWipKMp0N9DMDTSBr8Fy0Mffw5+ny05QU18DegHRVFupt1XF8SnW4lh/UlhD
LiR9iJ2K1xnfvDr+BdMhFWiqH7xZzZHMX0s2FEcBvUMW6/DYYLzaiUSFbh6TYiIK
5fwCXQKXLlls0+oUbBquoYG64beXOMxSgYEiI4B+bFblqfzTN4ev+vJOqCfjt7ye
BG1B7350xgMhHxBV8stMoY5mQMLoYjZHzBvQ9KU672ze0gLlIspTLjzlN2fhUr3/
bfiVsX8T9pJJOszDmbyrRXaFHbgEtR1SYJVMC/0G49koPrSX6JwasGHq/b5yMSIH
v+cLWsQ7YTRdC7zUc54j2ILP75VeLxxm4Rxm4pWTHvUo0h48GFn92AYWbW4Vt9Yn
6ZVcEuNSJK1iVd67L9P9Y+hX3nlrt/PBkbMYO0IcTFhCf97Xo76O84iqovuRHGRX
rst63r8Zjx0GfT2OA8ewcxBMf5hCs3zBO8Psr6Wx8oMccd6brME9RdzqgNpo9pEW
TXwdOxzzbkIYDl
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce