Headline
RHSA-2023:4671: Red Hat Security Advisory: OpenShift Container Platform 4.12.30 bug fix and security update
Red Hat OpenShift Container Platform release 4.12.30 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or gain the ability to execute code in that container.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-08-23
Updated:
2023-08-23
RHSA-2023:4671 - Security Advisory
- Overview
- Updated Images
Synopsis
Moderate: OpenShift Container Platform 4.12.30 bug fix and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.12.30 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.12.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.30. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2023:4674
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html
Security Fix(es):
- containerd: Supplementary groups are not set up properly (CVE-2023-25173)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html
Solution
For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html
You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.
The sha values for the release are
(For x86_64 architecture)
The image digest is sha256:86ee723d4dc2a83f836232d1d03f8b4193940c50a2636ee86924acb5d14b0b64
(For s390x architecture)
The image digest is sha256:c6e023eaa4e80a044bbaeaed5b578d18afddf0b52ad12571ee3a42aa0ff5862a
(For ppc64le architecture)
The image digest is sha256:0a1dbd83d0552d0332c327d9bd9b1fce8ed73d89937178208d29a73276b72c1c
(For aarch64 architecture)
The image digest is sha256:21145f1df3c0e88d50de5c697d7fab316f4792f91320a7196ed0dfd94396c0d9
All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 9 x86_64
- Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.12 for RHEL 9 ppc64le
- Red Hat OpenShift Container Platform for Power 4.12 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 9 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 9 aarch64
- Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 8 aarch64
Fixes
- BZ - 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
- OCPBUGS-14386 - Update cluster-bootstrap 4.12 dependencies and image
- OCPBUGS-16410 - ensure fixes land for large inodes
- OCPBUGS-16846 - [Openshift Pipelines] Stop option for pipelinerun is not working
- OCPBUGS-17192 - “Duplicate RoleBinding” leads to “Unsupported value” error
- OCPBUGS-17558 - [4.12] Missing Azure File CSI NFS support
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html
aarch64
openshift4/network-tools-rhel8@sha256:03ada3a0e70f2a72463ead4311cac565ea73582b03d37b92edc3bfe161a669b6
openshift4/ose-agent-installer-api-server-rhel8@sha256:8e094f31ba3c6f02e6360eae92e95b78b9cba419dea6084a40d7f7d078b671fd
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:a495e8ad1305312bb4d763601681e51e85427c82667163a6dfcb3f55ba29ccf6
openshift4/ose-baremetal-installer-rhel8@sha256:4507c2b1b193f7123bf0d1b647b940a0b828160e3df5ef8cabaa4a3061fa5b2e
openshift4/ose-cli@sha256:88b0d2971ed67a8f2e3dbd7885cf248c32cafa57b10a4dbc1e6f36c5190392c7
openshift4/ose-cli-artifacts@sha256:e6089b2a5b66eb7507f209a520da7009ff84fb7bfa1e3624247e709e41b2adf4
openshift4/ose-cluster-bootstrap@sha256:7376fdd05c85be44e1e003ab4e2a10ae0fb2b5a06d000ce57f5894b064270b31
openshift4/ose-console@sha256:04cf1f8f0edb8d3e16b6f8bf8c688871318077869020ac1abe923e6c077c8023
openshift4/ose-deployer@sha256:ab3cefbd3f6873dbf81f255d0403aeef3718fff840ebb68b12cc9c86ecb85791
openshift4/ose-docker-builder@sha256:407af7c4ed12f1bcb72f4ac2ff93d81b1b187af397529fdf05ecb9f031f50ee4
openshift4/ose-installer@sha256:e64da770e4db84e9c68d8fa40dbb7bee521a60c38cec77fa6ba0688a2d43c44b
openshift4/ose-installer-artifacts@sha256:e08405e6518ea0027dd89d2ecee044d13d67a9a2f7eecb63795e5ec7c98c45a6
openshift4/ose-machine-os-images-rhel8@sha256:2715c8f970ee365e6c089515ff94612de342705867d601a680d71e115c1fe2ba
openshift4/ose-must-gather@sha256:0ca34e29a2197b99656f58628f513ff657caa066d8e657fefe226574ded93692
openshift4/ose-operator-lifecycle-manager@sha256:3f28dbfc9105f86e159ebf2d21d4894122ab9f1c6d51b496bed371edbaea3e03
openshift4/ose-operator-registry@sha256:6d4972c77264ad9a34cf7529cefbc899b6c40d0dc92aa42a9bfda6cb5dfa84b0
openshift4/ose-ovn-kubernetes@sha256:04119338b53657564f2a89b6a9e1d1f45decec9745b1d8ac6fbe2fa137a766ba
openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:3026dcc49b706a68d76bb0b063b61c7c2e1eda1e6c49b6c9c330aed8a5fc5b85
openshift4/ose-tests@sha256:d15eb209d9e0372ef80dbe76635f18ffc8c47b126cd0fe98118e93056e1d155c
openshift4/ose-tools-rhel8@sha256:a4749dc02d3c39b2a35defaaf36c1fa63180a6ebca63f0e49636c62d39e9cd84
ppc64le
openshift4/network-tools-rhel8@sha256:21bf509f0936fbc30894ba6e06a4bc0182741f5bcedfc3d947ca344b2731b0aa
openshift4/ose-agent-installer-api-server-rhel8@sha256:d2948eafa90f6374cc6464e24175a046f9916274fa0ab84bb3bc5494daab3b71
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:873a3c9aa5ce89c09173fe6849f4e1005bce2b667247ab7b9f8ae027f3867ccb
openshift4/ose-baremetal-installer-rhel8@sha256:67424ab04ef29de4afca7898441d64558879a5fb97d8e6f7f1d83fc08ce3baea
openshift4/ose-cli@sha256:8b28fc5d21645b1368f29c610d93ebba192ab8cb76446a858736ae37ac6c8904
openshift4/ose-cli-artifacts@sha256:82cfef9eb01dd30443fd2621faa6fdfcfe6988b4a41e390b0c88c163d168e9f3
openshift4/ose-cluster-bootstrap@sha256:261523d459b823904bee3005b26b9ce56854cfe1a3bdd56fb1d49ead200af872
openshift4/ose-console@sha256:5c19836f63ec6657f39586ebe6abd861a28063820a143bb1ce8b21ee7211cc0b
openshift4/ose-deployer@sha256:eebd86165f498e902e89160bc2515458fa8c874452e69d83dda653d5189b2d90
openshift4/ose-docker-builder@sha256:6fe59ab45153fd2f810e4866c6276cc2d2f0bb0ff6b8311ce75df99e6bb92577
openshift4/ose-installer@sha256:cb4737091142f5c0f63d31632c72cf12ca2aeac6972bf010c2d20dfd0cf1609d
openshift4/ose-installer-artifacts@sha256:429722f489fab3cfb51b7a2b30f42db2fea481085b213644e3534cb95df75276
openshift4/ose-machine-os-images-rhel8@sha256:412ad209a2ae24ec81d2cda77d38910c4e80037d065fdd78710a8d34efeb7d91
openshift4/ose-must-gather@sha256:ae27427b0ac4a4656df1d32badccd3bde1517695a1414b861bae47bb41fa2c8c
openshift4/ose-operator-lifecycle-manager@sha256:b5b7254329899f3a0f3cd62c04f85f92ad8510796e9dd4afdef2dede4e7ba5d9
openshift4/ose-operator-registry@sha256:d128b05e621adc20273207dc43067212e73cdb30b8fcc00e4f35f86c6dd52b6c
openshift4/ose-ovn-kubernetes@sha256:43f28c996c62057a547c0f8ea94d5ff93a62ab893f0a23106a22f161a8eb3039
openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:e7bdcb4966ec262e02d21873b21fa348fb9545a9b4fc458d75cb94adcab61cc1
openshift4/ose-tests@sha256:4e428376d7346cc2da2646064177446ee5e11e04fdd9b6c63e3334db830e6e24
openshift4/ose-tools-rhel8@sha256:bfd5a90cc1488cfb7f5c93cdabf335acda890bea76e1ccc7d5a3daa80095cb02
s390x
openshift4/network-tools-rhel8@sha256:10994dcbcdccbcdbc7e43eb4603129b35975649738b7628088bca206ecfe57af
openshift4/ose-agent-installer-api-server-rhel8@sha256:6f8f37a510910170c57385e3b51ac0a843c4a5e16f35cc45f56a1733ce10d57f
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:5e59981fb46ac9b3f5d8c9a9e47256f7f003fdc7b2ec6d6f8d848adb8aaa363b
openshift4/ose-baremetal-installer-rhel8@sha256:a6ee7a3c62a4c6b1f075079be236f64dc47883b1910b8b298d31af02e99c0908
openshift4/ose-cli@sha256:d4796bef1bfa60edf7ba9d4839a63e4dbf79384d9f4688aed5e62459d138352d
openshift4/ose-cli-artifacts@sha256:389255f45ee5dc8db1d80e38d33ef1349e551e1f8610cf849498bd4b26d497da
openshift4/ose-cluster-bootstrap@sha256:b5ad8d6b99636aa3ed2ac05b4241ccab3b73d082ee0c1987b0298d43bc396642
openshift4/ose-console@sha256:bd0f127440401b36fc33585100e456b03dd9baa8511c6036f38714538923f441
openshift4/ose-deployer@sha256:798db5769514dc7820c5f9668cfa46e2ee7630628177accf6f92242ea5808803
openshift4/ose-docker-builder@sha256:b1b7d7b20b0d1b65c56c1493fe82258e2d40ea2b07d3c596e178f49f2c0451f1
openshift4/ose-installer@sha256:11fd856ed8839098647588ff5a4d07ba9062703c4f310e139afed28682315088
openshift4/ose-installer-artifacts@sha256:2fd59d1515b63db06ae4c0b01df267ccde90061c2c00f19e43ba443c117a1cae
openshift4/ose-must-gather@sha256:421418f6a2440c85b34462323b7f1a6d02c6c87ba3997c807770b66168222709
openshift4/ose-operator-lifecycle-manager@sha256:00bd39356c489ee069584781259af19672f2030d47f91031c517be27f77fb2bb
openshift4/ose-operator-registry@sha256:f728d57089ab0121f5ec2ec28b6c91e78de5b6dc465a2a08457fce3c2b0abfc2
openshift4/ose-ovn-kubernetes@sha256:3e545da5162d391e396a8e455c029a3b4a2f94e2441ee738c980fdfc7de41e7f
openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:e90ca104b784d6cc70401136c8ebfaa0f00f2e067bfb8015c9debba6295c6bec
openshift4/ose-tests@sha256:6810e21ea1fe943bf1ff01182e5682e3dbee1be8838fc8593c720d1b963da2e0
openshift4/ose-tools-rhel8@sha256:b14bfb2e2b2c1c360775cc02cb7862578efa21a2f07f3660210b09054077eaf8
x86_64
openshift4/network-tools-rhel8@sha256:fffc2a56fffbbea190312dcaf8b982c3390f008ab7b7b931dd0dac6ffdb3e12b
openshift4/ose-agent-installer-api-server-rhel8@sha256:b5c9fdabc4c9d9c54d544bcdba3de45a6c541468baf24d01839c6c1b32599da8
openshift4/ose-agent-installer-csr-approver-rhel8@sha256:3ba46df16b20320da4435b604d893b003c66708374252b5aabdb271af1722be0
openshift4/ose-baremetal-installer-rhel8@sha256:94d7d93d84e63db2ea61af785ea944e6119ebc1abdbe1078a89e5bb56e0e9dc8
openshift4/ose-cli@sha256:4b3ca71ba8ef8196acbf87d200116479a9b40e8b28158956d7bb18ed8c082c7f
openshift4/ose-cli-artifacts@sha256:f6d37eb88da116502ddfe1a98c4e867f5ce19007c16c6e1a03fdee79e5c7a4da
openshift4/ose-cluster-bootstrap@sha256:be3eb15dcfd3b2d0dc963678bae743a4f175280d0e336d99a3367b13530d5386
openshift4/ose-console@sha256:6f1e8eb4dd630a5915e8a58794f889c601f1bbd2438f6a3b69f1403a1831ec2a
openshift4/ose-deployer@sha256:45e1fabf4b97525043df66943c800d9b96f2b51148a0e42c7a67f9b4ca637eae
openshift4/ose-docker-builder@sha256:d22f773fdc0eed1126237d319166c02d2cdfe48d215dfa1ba52f56f079fc23ca
openshift4/ose-installer@sha256:0e743f9d5f8a45767bcf92cf6482e80d0f76f0463fef88ce14d08db058d4c522
openshift4/ose-installer-artifacts@sha256:bc2dc2433298efd67553b0778e35fa39de113f3268fa969eac2b4107b5fa654c
openshift4/ose-machine-os-images-rhel8@sha256:b09d7393700b16fa2672de89362dd400d7455e235781daf5605434f2353ed4ef
openshift4/ose-must-gather@sha256:cd2ffa9f221e44d8cf1fa927061f474ac81b085c20118c0844d68b41987b58aa
openshift4/ose-operator-lifecycle-manager@sha256:34fe77ef50f0510ba6d41c1491aef4da36cd30cc5dc1f0537ad81f1c3df099eb
openshift4/ose-operator-registry@sha256:d350fc56667fd380e943e2062ccbc5d62804503adf3009bcb25ba65c5c7fbca8
openshift4/ose-ovn-kubernetes@sha256:33aabf17c34ea3e6f27ed56bfd6fc73e1d02d3c5bc508e4c3e23e70e5bfd01a1
openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:24e07b46e4f6898a5feabf47db7c7977675275fea29ba4c26b6584536447d465
openshift4/ose-tests@sha256:f534e7a95399d77c27d4a6e98e51f3d4e6a96014edf55561ef8eddec3db816e1
openshift4/ose-tools-rhel8@sha256:33607dc738b2496b67ff5c25abb04bff4a9a1d805d11907804cb820c7f88c27e
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202408-1 - Multiple vulnerabilities have been discovered in containerd, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.6.19 are affected.
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
OpenShift API for Data Protection (OADP) 1.1.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream cou...
Ubuntu Security Notice 6202-1 - David Korczynski and Adam Korczynski discovered that containerd incorrectly processed certain images with large files. An attacker could possibly use this issue to cause containerd to crash, resulting in a denial of service. It was discovered that containerd incorrectly set up supplementary groups inside a container. An attacker with direct access to the container could possibly use this issue to obtain sensitive information or execute code with higher privileges.
Red Hat Security Advisory 2023-2029-01 - The OpenShift Security Profiles Operator v0.7.0 is now available. Issues addressed include a denial of service vulnerability.
An updated Security Profiles Operator image that fixes various bugs is now available for the Red Hat OpenShift Enterprise 4 catalog.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0475: A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive. * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information o...
Red Hat Security Advisory 2023-1372-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.
Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container ent...
### Impact A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. ### Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. ### Workarounds Ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-",...