RHSA-2023:2014: Red Hat Security Advisory: OpenShift Container Platform 4.11.39 bug fix and security update
Red Hat OpenShift Container Platform release 4.11.39 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-21698: A denial of service flaw was found in prometheus/client_golang. This flaw allows an attacker to cause a denial of service on an HTTP server by exploiting the InstrumentHandlerCounter function in versions below 1.11.1, resulting in a loss of availability.
Issued: 2023-05-02
Updated: 2023-05-02
RHSA-2023:2014 - Security Advisory
Synopsis
Moderate: OpenShift Container Platform 4.11.39 bug fix and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.11.39 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.11.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.39. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHBA-2023:2013
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html
Security Fix(es):
- prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
Solution
For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html
You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.
The sha values for the release are
(For x86_64 architecture)
The image digest is sha256:3545730c2018e0b092d6132b31068e517cbe99b99c52c54f2a9afad61e051e3d
(For s390x architecture)
The image digest is sha256:03a6e7affe6f462dba408fbb63fe0454932fbbbc712366b2fab73ac2ba4c49db
(For ppc64le architecture)
The image digest is sha256:bf2531fff7f8de59465e33bb01f93b2630cf89938df2dfe2a1485068ba3ded77
(For aarch64 architecture)
The image digest is sha256:32a38600810014118be599f2e50062c82fc68c60e06add25c57fec1da23aa1ab
Affected Products
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.11 aarch64
Fixes
- BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- OCPBUGS-11969 - Console Route is re-generated using appsDomain and not cluster domain
- OCPBUGS-12243 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail
- OCPBUGS-2844 - [OKD/nanokube] Different NPE when using console with a nanokube cluster
- OCPBUGS-6687 - Do not show notification switch for the alert rule which have no alerts associated
- OCPBUGS-8000 - openshift-ingress-operator is failing to update router-certs because “Too long: must have at most 1048576 bytes” message
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a denial of service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler th...
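The cardinality problem described above and the "filter methods before the middleware" workaround, as an added example that is not client_golang's code and not part of this advisory: a plain map stands in for the `method`-labelled CounterVec, `instrument` mirrors the shape of the affected middleware, and `filterMethods` is an assumed allowlist middleware placed in front of it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// methodCounter is a constructed stand-in for a Prometheus CounterVec with a
// `method` label: every distinct label value is one more time series.
type methodCounter map[string]int

// instrument has the shape of the affected promhttp.InstrumentHandler*
// middleware: it labels by whatever r.Method the client sent, unbounded.
func instrument(c methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c[r.Method]++
		next.ServeHTTP(w, r)
	})
}

// filterMethods is the advisory's workaround of filtering methods before the
// middleware: unknown methods get a 405 and never reach the counter.
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true,
	"PATCH": true, "DELETE": true, "OPTIONS": true,
}

func filterMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// seriesAfter sends one GET plus n requests with distinct made-up methods
// (M0, M1, ...) through h and returns how many series the counter now holds.
func seriesAfter(h http.Handler, c methodCounter, n int) int {
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/", nil))
	for i := 0; i < n; i++ {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil))
	}
	return len(c)
}

func compare(n int) (unfiltered, filtered int) {
	next := http.NotFoundHandler()
	c1, c2 := methodCounter{}, methodCounter{}
	unfiltered = seriesAfter(instrument(c1, next), c1, n)
	filtered = seriesAfter(filterMethods(instrument(c2, next)), c2, n)
	return unfiltered, filtered
}

func main() {
	u, f := compare(1000)
	fmt.Printf("series without filter: %d, with filter: %d\n", u, f)
}
```

With 1000 junk methods the unfiltered counter holds 1001 series while the filtered one holds only the single GET series; removing the `method` label entirely, as the advisory also suggests, bounds it the same way.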