Headline

RHSA-2021:4829: Red Hat Security Advisory: OpenShift Container Platform 4.8.22 security update

Red Hat OpenShift Container Platform release 4.8.22 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2021-3917: coreos-installer: restrict access permissions on /boot/ignition{,/config.ign}
CVE-2021-21685: jenkins: FilePath#mkdirs does not check permission to create parent directories
CVE-2021-21686: jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
CVE-2021-21687: jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
CVE-2021-21688: jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
CVE-2021-21689: jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
CVE-2021-21690: jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
CVE-2021-21691: jenkins: Creating symbolic links is possible without the symlink permission
CVE-2021-21692: jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
CVE-2021-21693: jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
CVE-2021-21694: jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
CVE-2021-21695: jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
CVE-2021-21696: jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
CVE-2021-21697: jenkins: Agent-to-controller access control allows reading/writing most content of build directories
CVE-2021-21698: jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

2 years ago

Red Hat Security Data

Open in Source

#vulnerability #web #linux #red_hat #nodejs #js #git #java #kubernetes

Skip to navigation Skip to main content

Utilities

Subscriptions
Downloads
Containers
Support Cases

Red Hat Customer Portal

Infrastructure and Management

Red Hat Enterprise Linux
Red Hat Virtualization
Red Hat Identity Management
Red Hat Directory Server
Red Hat Certificate System
Red Hat Satellite
Red Hat Subscription Management
Red Hat Update Infrastructure
Red Hat Insights
Red Hat Ansible Automation Platform

Cloud Computing

Red Hat OpenShift
Red Hat CloudForms
Red Hat OpenStack Platform
Red Hat OpenShift Container Platform
Red Hat OpenShift Data Science
Red Hat OpenShift Online
Red Hat OpenShift Dedicated
Red Hat Advanced Cluster Security for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Quay
Red Hat CodeReady Workspaces
Red Hat OpenShift Service on AWS

Storage

Red Hat Gluster Storage
Red Hat Hyperconverged Infrastructure
Red Hat Ceph Storage
Red Hat Openshift Container Storage

Runtimes

Red Hat Runtimes
Red Hat JBoss Enterprise Application Platform
Red Hat Data Grid
Red Hat JBoss Web Server
Red Hat Single Sign On
Red Hat support for Spring Boot
Red Hat build of Node.js
Red Hat build of Thorntail
Red Hat build of Eclipse Vert.x
Red Hat build of OpenJDK
Red Hat build of Quarkus
Red Hat CodeReady Studio

Integration and Automation

Red Hat Process Automation
Red Hat Process Automation Manager
Red Hat Decision Manager

All Products

Issued:

2021-11-30

Updated:

2021-11-30

RHSA-2021:4829 - Security Advisory

Overview
Updated Packages

Synopsis

Important: OpenShift Container Platform 4.8.22 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.8.22 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.22. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2021:4830

All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Security Fix(es):

jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)
jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)
jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)
jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)
jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)
coreos-installer: restrict access permissions on /boot/ignition{,/config.ign} (CVE-2021-3917)
jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)
jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)
jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)
jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)
jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. (CVE-2021-21693)
jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)
jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)
jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)
jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x

Fixes

BZ - 2018478 - CVE-2021-3917 coreos-installer: restrict access permissions on /boot/ignition{,/config.ign}
BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

CVEs

CVE-2021-3917
CVE-2021-21685
CVE-2021-21686
CVE-2021-21687
CVE-2021-21688
CVE-2021-21689
CVE-2021-21690
CVE-2021-21691
CVE-2021-21692
CVE-2021-21693
CVE-2021-21694
CVE-2021-21695
CVE-2021-21696
CVE-2021-21697
CVE-2021-21698

Red Hat OpenShift Container Platform 4.8 for RHEL 8

SRPM

coreos-installer-0.9.0-8.rhaos4.8.el8.src.rpm

SHA-256: f6df356e1d2a0070fa7473efa7fefa8c1e9038e1a7e63868930c8a085532d0ab

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el8.src.rpm

SHA-256: 23483c2371d02d3ea70e972d88df35295798ce1be08d29a71d5a97667201f11d

jenkins-2-plugins-4.8.1637599935-1.el8.src.rpm

SHA-256: d6ea172d6c58d94b02b848fe456e97bbdc1e82672092d153c3019887e19b2c7e

jenkins-2.303.3.1637596565-1.el8.src.rpm

SHA-256: 5e6d09b06376252bbf12cbd12045b706a8e44fc69ccd9f2790f6f9d6d02e069b

openshift-4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src.rpm

SHA-256: 330d26e39fa6f78222e083cf65e0bf2fe069e88c3826200d4fba139db1122317

openshift-kuryr-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src.rpm

SHA-256: 6bc54c7adef7b7cc47ec9833b300558d6b3c5e047ee4f62f661c6c53e296aab2

python-sushy-3.7.4-0.20211119091058.2cc60dc.el8.src.rpm

SHA-256: 79a55357a920f301494417300b32b13ad0588b4de0de3e1fe90d30168c5d4bee

x86_64

coreos-installer-0.9.0-8.rhaos4.8.el8.x86_64.rpm

SHA-256: f9bf9784d8009c586faf836718c0ae6600fb17a09e170567bc6735c6237c3b01

coreos-installer-bootinfra-debuginfo-0.9.0-8.rhaos4.8.el8.x86_64.rpm

SHA-256: cdc6522efb66e3825fd83da40f225f92a90351be44a4a332da866965f27c1433

coreos-installer-debuginfo-0.9.0-8.rhaos4.8.el8.x86_64.rpm

SHA-256: 75afc0210aa40462380b5ac9074519364dfbb6b95d51680f0fd009c7ac23325e

coreos-installer-debugsource-0.9.0-8.rhaos4.8.el8.x86_64.rpm

SHA-256: 7c50d579602f954561e3e863ec33e0f055ef35e90ead7ecf4f3860b10fbedab5

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64.rpm

SHA-256: cf8634e13b00374064006b404678db48fbfe4f7a3b903a6beedc00baff6c68ea

cri-o-debuginfo-1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64.rpm

SHA-256: 6c13edefe6778f27c77e0325e869c78aa3f10b80e3d87d0499ed16936b6b666c

cri-o-debugsource-1.21.4-3.rhaos4.8.git84fa55d.el8.x86_64.rpm

SHA-256: 41a914593d95ea7bdeeeac4da3b915ae0e3057423b6d53293c8ad5f556447b93

jenkins-2-plugins-4.8.1637599935-1.el8.noarch.rpm

SHA-256: 0310449865877db516858c67cc385514a55e19beccddd46c6dc8ea97a06e79b9

jenkins-2.303.3.1637596565-1.el8.noarch.rpm

SHA-256: 7fd7c695bb85e4d3fd0b8ef65b3082906c49952cc4ea16960c323ffd7a42735b

openshift-hyperkube-4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.x86_64.rpm

SHA-256: 0aa548d9703d214587761f114e4ba2ae5918e836330e80bfbdef13c56e5053b0

openshift-kuryr-cni-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch.rpm

SHA-256: bf64e7e1eba7f003db5edec2df91230176ccd9cf8915ed0aa7806f6b68cb969c

openshift-kuryr-common-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch.rpm

SHA-256: a8239a11b4d349cd620714a45790b47522bf7894be0499ae2d31c0752514ff19

openshift-kuryr-controller-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch.rpm

SHA-256: 961429f4fd6d9f921a5905983ffc83989d94e77f74ac473710c66ece3ec6ea01

python3-kuryr-kubernetes-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.noarch.rpm

SHA-256: f40f57894e02cf05d15937ad5bb7a566719378a33c2807f393fe27b74c03cbf2

python3-sushy-3.7.4-0.20211119091058.2cc60dc.el8.noarch.rpm

SHA-256: d2d76558b99b4b7f987813a757a113a7ae4fc3b18b0f60e8e4081f9a3bf1aac8

python3-sushy-tests-3.7.4-0.20211119091058.2cc60dc.el8.noarch.rpm

SHA-256: c9c263365b8ec56dde36ee038318f8af0bc1080908769cb1abfc85fb822e2868

Red Hat OpenShift Container Platform 4.8 for RHEL 7

SRPM

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el7.src.rpm

SHA-256: 33d303224404fb4354dabc906ee8a6724fb9dee4ad1530970121ccfcdab6880e

openshift-4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.src.rpm

SHA-256: 944ce4eb05641f0e0d5544571ef28e8029f3146c18a416dfe81a4c0325902124

x86_64

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64.rpm

SHA-256: f528ab95d60ef0b0505aad9b3fac5d70eede59307a703e558161d694feb9f673

cri-o-debuginfo-1.21.4-3.rhaos4.8.git84fa55d.el7.x86_64.rpm

SHA-256: d5dc794ed4710974b4af34b1bc8a7ecf2663831031a9dce3b705c2903a1eed0f

openshift-hyperkube-4.8.0-202111221934.p0.g81bc627.assembly.stream.el7.x86_64.rpm

SHA-256: c1cc2bc2ea69413ae156d90c5d23ec01a1c0d7b94e07a3a69d9b606d0c3f4af1

Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8

SRPM

coreos-installer-0.9.0-8.rhaos4.8.el8.src.rpm

SHA-256: f6df356e1d2a0070fa7473efa7fefa8c1e9038e1a7e63868930c8a085532d0ab

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el8.src.rpm

SHA-256: 23483c2371d02d3ea70e972d88df35295798ce1be08d29a71d5a97667201f11d

jenkins-2-plugins-4.8.1637599935-1.el8.src.rpm

SHA-256: d6ea172d6c58d94b02b848fe456e97bbdc1e82672092d153c3019887e19b2c7e

jenkins-2.303.3.1637596565-1.el8.src.rpm

SHA-256: 5e6d09b06376252bbf12cbd12045b706a8e44fc69ccd9f2790f6f9d6d02e069b

openshift-4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.src.rpm

SHA-256: 330d26e39fa6f78222e083cf65e0bf2fe069e88c3826200d4fba139db1122317

openshift-kuryr-4.8.0-202111221627.p0.g43dd2f6.assembly.stream.el8.src.rpm

SHA-256: 6bc54c7adef7b7cc47ec9833b300558d6b3c5e047ee4f62f661c6c53e296aab2

python-sushy-3.7.4-0.20211119091058.2cc60dc.el8.src.rpm

SHA-256: 79a55357a920f301494417300b32b13ad0588b4de0de3e1fe90d30168c5d4bee

ppc64le

coreos-installer-0.9.0-8.rhaos4.8.el8.ppc64le.rpm

SHA-256: 999e5e54793b85fd78cb29c9805018fa7d05a8bb98ff429ffea01ad4c9429335

coreos-installer-bootinfra-0.9.0-8.rhaos4.8.el8.ppc64le.rpm

SHA-256: 7a548df8094ae134397e7e5df6045fe461ad9e50082124949312142176b55450

coreos-installer-bootinfra-debuginfo-0.9.0-8.rhaos4.8.el8.ppc64le.rpm

SHA-256: ba65fb7febd1cbeb7ecf8b955ee287f6529f7454e2d4a8ca05d37ef515191a5c

coreos-installer-debuginfo-0.9.0-8.rhaos4.8.el8.ppc64le.rpm

SHA-256: 6d1e6f258bcb318086d1f438a01184579144213a52bd40f103bfb1811eb71a6f

coreos-installer-debugsource-0.9.0-8.rhaos4.8.el8.ppc64le.rpm

SHA-256: 0121afe38f6d760511d6f4982ee0f17753cb5ce26fc8e5e062c42f53af3f52c4

cri-o-1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le.rpm

SHA-256: d230a8f51d99f41e98168147d7be18ffc490caa647e79908d6a3d36a52ed5c3c

cri-o-debuginfo-1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le.rpm

SHA-256: a17bc731491605f717b8c5bbe7eeb1ad676b874ad61d375c0802f3740f77a31c

cri-o-debugsource-1.21.4-3.rhaos4.8.git84fa55d.el8.ppc64le.rpm

SHA-256: eafb02a54afac4602ba805bb2d9f1c424f96704cdfffedca0c897aba16aa41b0

jenkins-2-plugins-4.8.1637599935-1.el8.noarch.rpm

SHA-256: 0310449865877db516858c67cc385514a55e19beccddd46c6dc8ea97a06e79b9

jenkins-2.303.3.1637596565-1.el8.noarch.rpm

SHA-256: 7fd7c695bb85e4d3fd0b8ef65b3082906c49952cc4ea16960c323ffd7a42735b

openshift-hyperkube-4.8.0-202111221934.p0.g81bc627.assembly.stream.el8.ppc64le.rpm

SHA-256: 3ad2a68c3ea07fcd631a7fffcd20aa0a9730564b3c973864e8a2aa0227f033e5