RHSA-2023:2138: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-16251: A flaw was found in Vault and Vault Enterprise (“Vault”). In affected versions of Vault, with the GCP Auth Method configured and under certain circumstances, the values relied upon by Vault to validate Google Compute Engine (GCE) VMs may be manipulated and bypass authentication.
  • CVE-2021-43998: A flaw was found in HashiCorp Vault. In affected versions of HashiCorp Vault and Vault Enterprise, templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement.
Red Hat Security Data

Issued:

2023-05-18

Updated:

2023-05-18

RHSA-2023:2138 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

Type/Severity

Security Advisory: Moderate

Topic

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Security Fix(es):

  • vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
  • vault: incorrect policy enforcement (CVE-2021-43998)
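To make the second fix concrete, here is an added illustration of CVE-2021-43998 written for this page; it is not Vault's code but a simplified Python model of how a templated ACL policy resolves `{{identity.entity.aliases.<mount accessor>.name}}`. The mount accessor, entity, alias names and policy are constructed. The vulnerable variant reproduces the behaviour the advisory describes (the first-created alias for the entity/mount pair always wins), so a token that logged in as one alias is granted the paths of another. The fixed variant prefers the alias the token was actually issued through and refuses to render when the choice is ambiguous; that fail-closed rule is this example's design choice, and the exact behaviour of the upstream fix (Vault 1.7.6, 1.8.5, 1.9.0) should be read from HCSEC-2021-30.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Hypothetical mount accessor, constructed for this example (not a real Vault value).
ACCESSOR = "auth_userpass_1a2b3c"


@dataclass(frozen=True)
class Alias:
    alias_id: str
    mount_accessor: str   # auth mount the alias belongs to
    name: str             # login name on that mount
    created_seq: int      # creation order; lower means created earlier


@dataclass
class Entity:
    entity_id: str
    aliases: List[Alias] = field(default_factory=list)


@dataclass(frozen=True)
class Token:
    entity_id: str
    alias_id: str         # alias the token was actually issued through at login


# Matches Vault's {{identity.entity.aliases.<mount accessor>.name}} template parameter.
TEMPLATE = re.compile(r"\{\{identity\.entity\.aliases\.([^.}]+)\.name\}\}")

# Constructed templated policy: each login name may read only its own subtree.
POLICY = (
    'path "secret/data/{{identity.entity.aliases.' + ACCESSOR + '.name}}/*" {\n'
    '  capabilities = ["read"]\n'
    '}'
)

# Constructed entity carrying two aliases on the same mount (the condition the CVE needs).
ENTITY = Entity("entity-7f3a", [
    Alias("alias-01", ACCESSOR, "alice", created_seq=1),
    Alias("alias-02", ACCESSOR, "bob", created_seq=2),
])
TOKEN_BOB = Token("entity-7f3a", "alias-02")
TOKEN_ALICE = Token("entity-7f3a", "alias-01")


def _aliases_on(entity, accessor):
    return [a for a in entity.aliases if a.mount_accessor == accessor]


def render_vulnerable(policy, entity, token):
    """Model of the pre-fix lookup: the first-created alias for (entity, accessor)
    wins, regardless of which alias the token came from."""
    def repl(match):
        candidates = sorted(_aliases_on(entity, match.group(1)), key=lambda a: a.created_seq)
        if not candidates:
            raise KeyError(f"no alias on {match.group(1)} for {entity.entity_id}")
        return candidates[0].name
    return TEMPLATE.sub(repl, policy)


def render_fixed(policy, entity, token):
    """Model of the fixed lookup: prefer the alias the token was issued through,
    accept a single unambiguous alias, otherwise refuse rather than guess."""
    def repl(match):
        candidates = _aliases_on(entity, match.group(1))
        for alias in candidates:
            if alias.alias_id == token.alias_id:
                return alias.name
        if len(candidates) == 1:
            return candidates[0].name
        raise ValueError(f"ambiguous aliases on {match.group(1)} for {entity.entity_id}")
    return TEMPLATE.sub(repl, policy)


def granted_paths(rendered_policy):
    """Extract the path globs a rendered policy grants, for comparison."""
    return re.findall(r'^path "([^"]+)"', rendered_policy, flags=re.M)


def demo():
    return {
        "bob_vulnerable": granted_paths(render_vulnerable(POLICY, ENTITY, TOKEN_BOB)),
        "bob_fixed": granted_paths(render_fixed(POLICY, ENTITY, TOKEN_BOB)),
        "alice_fixed": granted_paths(render_fixed(POLICY, ENTITY, TOKEN_ALICE)),
    }


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, paths)
```

Run stand-alone, the vulnerable renderer hands bob's token read access to `secret/data/alice/*` and nothing under `secret/data/bob/*`, which is the "incorrect policy enforcement" in the fix list; the fixed renderer gives each token its own subtree. A practitioner auditing a Vault older than the fixed versions can list entities with `vault list identity/entity/id` and inspect each one's aliases for duplicate mount accessors to see whether this condition exists.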

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

  • BZ - 2028193 - CVE-2021-43998 vault: incorrect policy enforcement
  • BZ - 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
  • OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
  • OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs
  • OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
  • OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
  • OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
  • OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in ptpconfig source crs
  • OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
  • OCPBUGS-3092 - TALM precaching pulls more content than needed
  • OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
  • OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
  • OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
  • OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
  • OCPBUGS-4200 - Segfault from TALM after CGU timeout
  • OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
  • OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
  • OCPBUGS-4406 - ptp configs should match reference configs
  • OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
  • OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
  • OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
  • OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
  • OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
  • OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
  • OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
  • OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
  • OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
  • OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit “container-mount-namespace.service” is enabled, but has no install section so enable does nothing
  • OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
  • OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
  • OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
  • OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created

x86_64

openshift4/bare-metal-event-relay-operator-bundle@sha256:e5aacacba93bce05c7a0b3025a8938bc431547d59c6d7dfc8959c3d3d830994e

openshift4/bare-metal-event-relay-rhel8-operator@sha256:05878d585437063c8098efe5cd8b0ebd67412e51aea21f7abc063f8d046690e6

openshift4/baremetal-hardware-event-proxy-rhel8@sha256:c24fdab236d367bf677f997f8e48ba2c34b922f3816363a8407d4dca8c170819

openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:6adbc00c12329abfcdb5d30b56162678204a87df6df88933b7a8f08b34118722

openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:c92ed15f1540e88f891723e4ae9168462be9597195aaf600be62c422bcdbca65

openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:9e9f24aa00d818b1915362aa9bddf8f504d574e7df43eb894e2d7fdd95948f16

openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:3a3a3b6a09934c55325019d249cd064efcacd1140e228a10b566e2ba25e94b0e

openshift4/ztp-site-generate-rhel8@sha256:9d45f3b7e69485083a46433a03f36abfc8728c79384fd6a13b7ca710fc9a967e
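The digests above are what a cluster should actually be running once the update is applied. The following is an added example, not part of the advisory or of any Red Hat tooling: a small Python audit that takes image references as `oc get pods -A -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'` prints them and checks the ones covered by this advisory against the x86_64 digests listed above. The digest table is copied from the advisory; the cluster image list is constructed sample input (the all-zero digest is a placeholder standing in for an older build), and the registry hostnames are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# x86_64 image digests published in RHSA-2023:2138 (copied from the advisory above).
ADVISORY_IMAGES: Dict[str, str] = {
    "openshift4/bare-metal-event-relay-operator-bundle":
        "sha256:e5aacacba93bce05c7a0b3025a8938bc431547d59c6d7dfc8959c3d3d830994e",
    "openshift4/bare-metal-event-relay-rhel8-operator":
        "sha256:05878d585437063c8098efe5cd8b0ebd67412e51aea21f7abc063f8d046690e6",
    "openshift4/baremetal-hardware-event-proxy-rhel8":
        "sha256:c24fdab236d367bf677f997f8e48ba2c34b922f3816363a8407d4dca8c170819",
    "openshift4/topology-aware-lifecycle-manager-operator-bundle":
        "sha256:6adbc00c12329abfcdb5d30b56162678204a87df6df88933b7a8f08b34118722",
    "openshift4/topology-aware-lifecycle-manager-precache-rhel8":
        "sha256:c92ed15f1540e88f891723e4ae9168462be9597195aaf600be62c422bcdbca65",
    "openshift4/topology-aware-lifecycle-manager-recovery-rhel8":
        "sha256:9e9f24aa00d818b1915362aa9bddf8f504d574e7df43eb894e2d7fdd95948f16",
    "openshift4/topology-aware-lifecycle-manager-rhel8-operator":
        "sha256:3a3a3b6a09934c55325019d249cd064efcacd1140e228a10b566e2ba25e94b0e",
    "openshift4/ztp-site-generate-rhel8":
        "sha256:9d45f3b7e69485083a46433a03f36abfc8728c79384fd6a13b7ca710fc9a967e",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class PullSpec:
    registry: Optional[str]
    repository: str        # path without registry, e.g. openshift4/ztp-site-generate-rhel8
    tag: Optional[str]
    digest: Optional[str]


def parse_pullspec(ref: str) -> PullSpec:
    """Split a container image reference into registry, repository, tag and digest.
    Handles registry:port, tag-only, digest-only and tag@digest forms."""
    original = ref.strip()
    rest, digest = original, None
    if "@" in rest:
        rest, digest = rest.rsplit("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    parts = rest.split("/")
    registry = None
    # Docker convention: the first component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    tag = None
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].split(":", 1)
    return PullSpec(registry, "/".join(parts), tag, digest)


def audit_images(running_refs: List[str], advisory: Dict[str, str] = ADVISORY_IMAGES) -> Dict[str, List[str]]:
    """Classify each running image covered by the advisory: current (digest matches),
    stale (different digest), unpinned (tag only, so the digest is unknown), malformed."""
    report: Dict[str, List[str]] = {"current": [], "stale": [], "unpinned": [], "malformed": []}
    for ref in running_refs:
        try:
            spec = parse_pullspec(ref)
        except ValueError:
            report["malformed"].append(ref)
            continue
        expected = advisory.get(spec.repository)
        if expected is None:
            continue  # not an image this advisory ships
        if spec.digest is None:
            report["unpinned"].append(ref)
        elif spec.digest == expected:
            report["current"].append(ref)
        else:
            report["stale"].append(ref)
    return report


# Constructed sample of what the oc jsonpath query above might print on a hub cluster.
SAMPLE_CLUSTER_IMAGES = """
registry.redhat.io/openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:3a3a3b6a09934c55325019d249cd064efcacd1140e228a10b566e2ba25e94b0e
registry.redhat.io/openshift4/bare-metal-event-relay-rhel8-operator@sha256:0000000000000000000000000000000000000000000000000000000000000000
registry.redhat.io/openshift4/ztp-site-generate-rhel8:v4.13
quay.io/example/unrelated-app:1.2.3
registry.redhat.io/openshift4/baremetal-hardware-event-proxy-rhel8@sha256:notadigest
""".strip().splitlines()


if __name__ == "__main__":
    for bucket, refs in audit_images(SAMPLE_CLUSTER_IMAGES).items():
        for ref in refs:
            print(f"{bucket:9s} {ref}")
```

Two caveats when running this against a real cluster. `spec.containers[*].image` is whatever the operator or deployment asked for, so a tag-only reference lands in `unpinned` and tells you nothing about what was pulled; `status.containerStatuses[*].imageID` carries the resolved digest and is the field to audit when you want certainty. And the table above is the x86_64 set only; ppc64le, s390x and aarch64 clusters need the digests from the advisory's corresponding sections.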

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

GHSA-4mp7-2m29-gqxf: HashiCorp Vault Authentication bypass

HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-2138-01

Red Hat Security Advisory 2023-2138-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. Issues addressed include a bypass vulnerability.

Gentoo Linux Security Advisory 202207-01

Gentoo Linux Security Advisory 202207-1 - Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected.

CVE-2021-43998: HCSEC-2021-30 - Vault's Templated ACL Policies Matched First-Created Alias Per Entity and Auth Backend

In HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4, templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.