Headline
Red Hat Security Advisory 2023-2138-01
Red Hat Security Advisory 2023-2138-01 - Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. Issues addressed include a bypass vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update
Advisory ID: RHSA-2023:2138-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2138
Issue date: 2023-05-18
CVE Names: CVE-2020-16251 CVE-2021-43998
====================================================================
- Summary:
An update for ztp-site-generate-container, topology-aware-lifecycle-manager
and bare-metal-event-relay is now available for Red Hat OpenShift Container
Platform 4.13.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Description:
Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the
container images for this release:
https://access.redhat.com/errata/RHSA-2023:1326
All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.
Security Fix(es):
- vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
- vault: incorrect policy enforcement (CVE-2021-43998)
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
- JIRA issues fixed (https://issues.jboss.org/):
OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in in ptpconfig source crs
OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
OCPBUGS-3092 - TALM precaching pulls more content than needed
OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
OCPBUGS-4200 - Segfault from TALM after CGU timeout
OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
OCPBUGS-4406 - ptp configs should match reference configs
OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created
OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit “container-mount-namespace.service” is enabled, but has no install section so enable does nothing
OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs
- References:
https://access.redhat.com/security/cve/CVE-2020-16251
https://access.redhat.com/security/cve/CVE-2021-43998
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZGW9UdzjgjWX9erEAQi5/A/+KKaHyRl+23u8Wj3rxjrnEcz9KPFU+ZUc
UUW1MvuqmFqCX+0Sb98agk5faDIQfhAPuE4ShcwduR8w39ftxFAQWEaDfBqZBuul
1Nptw0Ammrh0btDaQnjXF5vLTcF1sv5GWtkICpoTXg6qcVnIsibw9f1G/hBidiG2
u35ThWipKMp0N9DMDTSBr8Fy0Mffw5+ny05QU18DegHRVFupt1XF8SnW4lh/UlhD
LiR9iJ2K1xnfvDr+BdMhFWiqH7xZzZHMX0s2FEcBvUMW6/DYYLzaiUSFbh6TYiIK
5fwCXQKXLlls0+oUbBquoYG64beXOMxSgYEiI4B+bFblqfzTN4ev+vJOqCfjt7ye
BG1B7350xgMhHxBV8stMoY5mQMLoYjZHzBvQ9KU672ze0gLlIspTLjzlN2fhUr3/
bfiVsX8T9pJJOszDmbyrRXaFHbgEtR1SYJVMC/0G49koPrSX6JwasGHq/b5yMSIH
v+cLWsQ7YTRdC7zUc54j2ILP75VeLxxm4Rxm4pWTHvUo0h48GFn92AYWbW4Vt9Yn
6ZVcEuNSJK1iVd67L9P9Y+hX3nlrt/PBkbMYO0IcTFhCf97Xo76O84iqovuRHGRX
rst63r8Zjx0GfT2OA8ewcxBMf5hCs3zBO8Psr6Wx8oMccd6brME9RdzqgNpo9pEW
TXwdOxzzbkIYDl
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16251: A flaw was found in Vault and Vault Enterprise (“Vault”). In affected versions of Vault, with the GCP Auth Method configured and under certain circumstances, the values relied upon by Vault to validate Google Compute Engine (GCE) VMs may be manipulated...
An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16251: A flaw was found in Vault and Vault Enterprise (“Vault”). In affected versions of Vault, with the GCP Auth Method configured and under certain circumstances, the values relied upon by Vault to validate Google Compute Engine (GCE) VMs may be manipulated...
Gentoo Linux Security Advisory 202207-1 - Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected.
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.