Headline
RHSA-2021:4801: Red Hat Security Advisory: OpenShift Container Platform 4.7.38 security update
Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-21685: jenkins: FilePath#mkdirs does not check permission to create parent directories
- CVE-2021-21686: jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
- CVE-2021-21687: jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
- CVE-2021-21688: jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
- CVE-2021-21689: jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
- CVE-2021-21690: jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
- CVE-2021-21691: jenkins: Creating symbolic links is possible without the symlink permission
- CVE-2021-21692: jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
- CVE-2021-21693: jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
- CVE-2021-21694: jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
- CVE-2021-21695: jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
- CVE-2021-21696: jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
- CVE-2021-21697: jenkins: Agent-to-controller access control allows reading/writing most content of build directories
- CVE-2021-21698: jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat Openshift Container Storage
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2021-12-01
Updated:
2021-12-01
RHSA-2021:4801 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: OpenShift Container Platform 4.7.38 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.38. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2021:4802
All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor Security Fix(es):
- jenkins-2-plugins/subversion: does not restrict the name of a file when
looking up a subversion key (CVE-2021-21698)
- jenkins: FilePath#mkdirs does not check permission to create parent
directories (CVE-2021-21685)
- jenkins: File path filters do not canonicalize paths, allowing operations
to follow symbolic links to outside allowed directories (CVE-2021-21686)
- jenkins: FilePath#untar does not check permission to create symbolic
links when unarchiving a symbolic link (CVE-2021-21687)
- jenkins: FilePath#reading(FileVisitor) does not reject any operations
allowing users to have unrestricted read access (CVE-2021-21688)
- jenkins: FilePath#unzip and FilePath#untar were not subject to any access
control (CVE-2021-21689)
- jenkins: Agent processes are able to completely bypass file path
filtering by wrapping the file operation in an agent file path
(CVE-2021-21690)
- jenkins: Creating symbolic links is possible without the symlink
permission (CVE-2021-21691)
- jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo
only check read permission on the source path (CVE-2021-21692)
- jenkins: When creating temporary files, permission to create files is
only checked after they’ve been created. (CVE-2021-21693)
- jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,
FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions (CVE-2021-21694)
- jenkins: FilePath#listFiles lists files outside directories with agent
read access when following symbolic links. (CVE-2021-21695)
- jenkins: Agent-to-controller access control allowed writing to sensitive
directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)
- jenkins: Agent-to-controller access control allows reading/writing most
content of build directories (CVE-2021-21697)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
Affected Products
- Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x
Fixes
- BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
- BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
- BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
- BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
- BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
- BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
- BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
- BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
- BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
- BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
- BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
- BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
- BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
- BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key
CVEs
- CVE-2021-21685
- CVE-2021-21686
- CVE-2021-21687
- CVE-2021-21688
- CVE-2021-21689
- CVE-2021-21690
- CVE-2021-21691
- CVE-2021-21692
- CVE-2021-21693
- CVE-2021-21694
- CVE-2021-21695
- CVE-2021-21696
- CVE-2021-21697
- CVE-2021-21698
Red Hat OpenShift Container Platform 4.7 for RHEL 8
SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm
SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm
SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm
SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm
SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm
SHA-256: 1497b4635a9cddec4b07e1578d115a68a382ac50b91f2bf92330f2af7ab978e1
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm
SHA-256: b4afc0b140f885568221d68e83f32d708b68d52aa21d3735bb691b45809b9756
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm
SHA-256: da98d51a26392625fce3f6b76d25a76ec40a028c3317ef7fdc69702a0a34adb9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm
SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm
SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64.rpm
SHA-256: 18ca3eca61760d38c9f2b47fc799c94c813d6b741ac78ec72f0e0d07c16ad6a2
Red Hat OpenShift Container Platform 4.7 for RHEL 7
SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.src.rpm
SHA-256: 6c645171e68571f1394edf48b73aa6d8c307ecc7795836df66afeea8677a1251
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src.rpm
SHA-256: 373d057b309aac91d35b0d8af30b43cf4224a76db75392de977c4161fa6f7749
x86_64
cri-o-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm
SHA-256: a2e77d402bf6313b60ae6bd751dfdc4650508aae49be1bea86a527ea4597e0eb
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm
SHA-256: c44f76a8c325593c1053b30af467d59f1ee5fa20e94851ac7632319a25e4fb0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64.rpm
SHA-256: 12396c6d0e47d833da1cbb12e06dca62b1ed987dc616d15ddf80c83e75197902
Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8
SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm
SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm
SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm
SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm
SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
ppc64le
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm
SHA-256: a62768089af41ec0389c9fc7a25e59fc77aba099feb7d9d6dc7a0c37ca90c5b0
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm
SHA-256: 83e8f763400f9b150d60bfc31491ee1d89781f133354a906b1e5a3cbf3f2ef64
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm
SHA-256: 7141dee52eeba9abc04d49f861d5bebf3122a5c6e352e1d9f229e6a1f69169b9
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm
SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm
SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le.rpm
SHA-256: 3c98987a9605f75f2c9ef46fd512336c17f8de4b9017c15252082f0b716d5bdb
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8
SRPM
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm
SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76
jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm
SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e
jenkins-2.303.3.1637597018-1.el8.src.rpm
SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44
openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm
SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377
s390x
cri-o-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm
SHA-256: 924ecec211f201178f462257a6a3b84f5075155189dd6827bc5cf3321f4462bc
cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm
SHA-256: 245b4daf5cb1a89a3570b6ae9ea910766b630c57058c4b62914d80240a675038
cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm
SHA-256: 552a32a7af957d8731b602d75f81c7a52f612ca506ed9784a2a09a0a90a28680
jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm
SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538
jenkins-2.303.3.1637597018-1.el8.noarch.rpm
SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f
openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x.rpm
SHA-256: 7d42409b17b34e9d9205820d2a88b74482d384fdfbeba6c3c1260baf86211361
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.