RHSA-2023:2138: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

Issued:

2023-05-18

Updated:

2023-05-18

RHSA-2023:2138 - Security Advisory

• Overview
• Updated Images

Synopsis

Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

Type/Severity

Security Advisory: Moderate

Topic

An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Security Fix(es):

• vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
• vault: incorrect policy enforcement (CVE-2021-43998)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64
• Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

• BZ - 2028193 - CVE-2021-43998 vault: incorrect policy enforcement
• BZ - 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
• OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
• OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs
• OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
• OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
• OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
• OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in in ptpconfig source crs
• OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
• OCPBUGS-3092 - TALM precaching pulls more content than needed
• OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
• OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
• OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
• OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
• OCPBUGS-4200 - Segfault from TALM after CGU timeout
• OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
• OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
• OCPBUGS-4406 - ptp configs should match reference configs
• OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
• OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
• OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
• OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
• OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
• OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
• OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
• OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
• OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
• OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit “container-mount-namespace.service” is enabled, but has no install section so enable does nothing
• OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
• OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
• OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
• OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created

x86_64

openshift4/bare-metal-event-relay-operator-bundle@sha256:e5aacacba93bce05c7a0b3025a8938bc431547d59c6d7dfc8959c3d3d830994e

openshift4/bare-metal-event-relay-rhel8-operator@sha256:05878d585437063c8098efe5cd8b0ebd67412e51aea21f7abc063f8d046690e6

openshift4/baremetal-hardware-event-proxy-rhel8@sha256:c24fdab236d367bf677f997f8e48ba2c34b922f3816363a8407d4dca8c170819

openshift4/topology-aware-lifecycle-manager-operator-bundle@sha256:6adbc00c12329abfcdb5d30b56162678204a87df6df88933b7a8f08b34118722

openshift4/topology-aware-lifecycle-manager-precache-rhel8@sha256:c92ed15f1540e88f891723e4ae9168462be9597195aaf600be62c422bcdbca65

openshift4/topology-aware-lifecycle-manager-recovery-rhel8@sha256:9e9f24aa00d818b1915362aa9bddf8f504d574e7df43eb894e2d7fdd95948f16

openshift4/topology-aware-lifecycle-manager-rhel8-operator@sha256:3a3a3b6a09934c55325019d249cd064efcacd1140e228a10b566e2ba25e94b0e

openshift4/ztp-site-generate-rhel8@sha256:9d45f3b7e69485083a46433a03f36abfc8728c79384fd6a13b7ca710fc9a967e

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.