RHSA-2022:4965: Red Hat Security Advisory: OpenShift Container Platform 4.7.53 packages and security update
Red Hat OpenShift Container Platform release 4.7.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Published:
2022-06-16
Updated:
2022-06-16
RHSA-2022:4965 - Security Advisory
Overview
Moderate: OpenShift Container Platform 4.7.53 packages and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.7.53 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory.
Security Fix(es):
- cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x
Fixes
- BZ - 2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api
References
- https://access.redhat.com/security/updates/classification/#moderate
Red Hat OpenShift Container Platform 4.7 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.7.el8.src.rpm
SHA-256: 51b84cf5581bbdc2b4da8ad2ec37fa411327c993c0c1d925f66b3eea07b3f75d
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm
SHA-256: cdfa822035f2697dd73d55afb6d6c123716411200561ae9d860279f54db398a7
cri-tools-1.20.0-4.el8.src.rpm
SHA-256: e3812a990ca9c28f70bd4bb6f860ae5f36a5cc45d344ee4144b7099776244ac3
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm
SHA-256: e6b48f3974769d0494e5d6c825cccfea10fb700b1673ee9363841304d4e17152
x86_64
conmon-2.0.29-3.rhaos4.7.el8.x86_64.rpm
SHA-256: 1918c1dc7286b38def6d0c26d76d33e94f8f5a053f0c5536f70ac3d2ae6c8589
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.x86_64.rpm
SHA-256: 9466a86d5f195226d9db60f77f1815cf9b4b9adce3ed5e8e297ba84d6077b0cf
conmon-debugsource-2.0.29-3.rhaos4.7.el8.x86_64.rpm
SHA-256: d2c3e10badd754884575b561a4d1f9b2f0e2696605006c61bf80d22fe6263e22
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm
SHA-256: 86905115d9c9d6b0b339349878028753e591c8cf4a0b1844b5bccf5966f55f07
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm
SHA-256: e339898065913601fa65022532f3678cc2cee157d1c498d56a6dcf1596fa1bc5
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm
SHA-256: 446f372440329440b8b6094916a856f49e86333e57df1ecdcd8bd4c5c75817a5
cri-tools-1.20.0-4.el8.x86_64.rpm
SHA-256: 34fd4955f4431aae45d1c009436df1aa0f02af50d4cbbc40a3929e44bba3e0b1
cri-tools-debuginfo-1.20.0-4.el8.x86_64.rpm
SHA-256: 40ff6b732eb70f24507063dd15e202b23a9f4832bae9df28ff527f4f572f33aa
cri-tools-debugsource-1.20.0-4.el8.x86_64.rpm
SHA-256: 626e6adc2add8e494dfcec3b378f9f0df887ed79ecd01ca6c7a2ce6df8bd10c8
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm
SHA-256: 5e38ee5522182d44548f1744e6de378427b384606543346b3bbdffae622355b4
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm
SHA-256: 8d2ab23656b76ca81417ac02b6b39274858a12105e6e76b53665937f773032de
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm
SHA-256: 5036639dd3a6cc24cc18735ce53805af40efcb928c789f371685df086315a5f6
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm
SHA-256: fbedd707571000f6c17a46d46bfb98bb217ddbfa6e4ba6deb9574206846d20a8
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.x86_64.rpm
SHA-256: e3d19c6c9c3ed3f6e88707617ac181b320e50bcf3c79f739f602f254828aa4fa
Red Hat OpenShift Container Platform 4.7 for RHEL 7
SRPM
conmon-2.0.29-3.rhaos4.7.el7.src.rpm
SHA-256: c4d19f0b453a7fc5b7431e6bed3060a7c68e1a62b61224c43cd9bbb6956990e3
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.src.rpm
SHA-256: 4256947ba066fd41073ab199cdb640e923ccf08a60879d09852ecdb05efcc11d
x86_64
conmon-2.0.29-3.rhaos4.7.el7.x86_64.rpm
SHA-256: 6f32bc2a5cec25bb7e981b4d7f5bee171c0a8a89cd593b29e7a19568b1f8a06d
conmon-debuginfo-2.0.29-3.rhaos4.7.el7.x86_64.rpm
SHA-256: b094e419f0e2ed691eaaa1780606c22c93a6121d1e269fcf6871f20b18ffca09
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm
SHA-256: 5d61a3d1c5d3b00e5ad7052ba1f6b4f74b5160a9cfbfe8053e5d46ea92a2ec80
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el7.x86_64.rpm
SHA-256: d6517fba74db24f63afba414c56288d03274a7a2912674d2d392b080724b081b
Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.7.el8.src.rpm
SHA-256: 51b84cf5581bbdc2b4da8ad2ec37fa411327c993c0c1d925f66b3eea07b3f75d
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm
SHA-256: cdfa822035f2697dd73d55afb6d6c123716411200561ae9d860279f54db398a7
cri-tools-1.20.0-4.el8.src.rpm
SHA-256: e3812a990ca9c28f70bd4bb6f860ae5f36a5cc45d344ee4144b7099776244ac3
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm
SHA-256: e6b48f3974769d0494e5d6c825cccfea10fb700b1673ee9363841304d4e17152
ppc64le
conmon-2.0.29-3.rhaos4.7.el8.ppc64le.rpm
SHA-256: e464d0fd2a7ce383d1fb28e96673b217e2c54674ded65a019064e8510d5e1bca
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.ppc64le.rpm
SHA-256: 0265e580e7a32712daf647ad82b1634f1b4d28bc56d169e7110f8058e53d79c9
conmon-debugsource-2.0.29-3.rhaos4.7.el8.ppc64le.rpm
SHA-256: 4cb590c5b747e5163b0f1511859bb40fe50ac571326b196ee1462d92463c2142
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm
SHA-256: fe33e1c4696462bf8a6d7d550c9709e46d0d3cee177c041d187aa57ded956d7c
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm
SHA-256: 40c885053ffd06f28e9967ae5ec4006d8ed72a04448b34052758d14f513b030c
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.ppc64le.rpm
SHA-256: 1711f658f86d04bafd383f34968077549abf1ae6dfa569372f74ab39dc5dbb17
cri-tools-1.20.0-4.el8.ppc64le.rpm
SHA-256: 4a4884553d8810b325cf3aa23caac566b8a08a206c5e57323a7fff619cd42038
cri-tools-debuginfo-1.20.0-4.el8.ppc64le.rpm
SHA-256: 8376fe838e80530639d70e2214b09ae2e0e95356645ab9faece4c4b6d53d1297
cri-tools-debugsource-1.20.0-4.el8.ppc64le.rpm
SHA-256: 0915b44f5ed0199ef241c6388e184d82fa88a6253108f9b2cbe5e76125db3113
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm
SHA-256: e93e86c232af7c2c7e1526e2cb40321dfeee9de0e4e0291e86dedfac2cff79d1
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm
SHA-256: 9534feda14944951bcc78ee0196acbbb235c6784cb41d1be4be6698005c4ccd5
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm
SHA-256: 64dd160cab586508448b65a03ea288370f7180675dfa4da7e8f50e6033217609
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm
SHA-256: 76df52c936115b10a78243954b18da342910c709b764c4d3280e058369e39ef8
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.ppc64le.rpm
SHA-256: 5aa4db8646a4b6e585bab418eec76cdd2d53b81c329ea4e595011e25f5d35378
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.7.el8.src.rpm
SHA-256: 51b84cf5581bbdc2b4da8ad2ec37fa411327c993c0c1d925f66b3eea07b3f75d
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.src.rpm
SHA-256: cdfa822035f2697dd73d55afb6d6c123716411200561ae9d860279f54db398a7
cri-tools-1.20.0-4.el8.src.rpm
SHA-256: e3812a990ca9c28f70bd4bb6f860ae5f36a5cc45d344ee4144b7099776244ac3
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.src.rpm
SHA-256: e6b48f3974769d0494e5d6c825cccfea10fb700b1673ee9363841304d4e17152
s390x
conmon-2.0.29-3.rhaos4.7.el8.s390x.rpm
SHA-256: da1fd9ad6e098f2c16c6eaf3ca355195beae91f10e49694ff10f2f38200232e6
conmon-debuginfo-2.0.29-3.rhaos4.7.el8.s390x.rpm
SHA-256: 07c833ae047844fb605365229b78ca8695654624d706153ada32d003a6f8cdc4
conmon-debugsource-2.0.29-3.rhaos4.7.el8.s390x.rpm
SHA-256: e314c65049e6eecdbd64b098931878ba43cbd3c7d953e4ecf56a473d9d5d0e3d
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm
SHA-256: 080d78e7aaae16c0afb216743246ba3bde677479cef2d981bc3281ac3ae2bed1
cri-o-debuginfo-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm
SHA-256: fb8cc50f222b0297ee37b0d15deb1f319cf277c08812295350f2a646314016d9
cri-o-debugsource-1.20.8-3.rhaos4.7.gitb9df556.el8.s390x.rpm
SHA-256: 9154a0c67b6ee71ae9076938aa3a2be3d9178fbdecc4aef8923917845b1b906b
cri-tools-1.20.0-4.el8.s390x.rpm
SHA-256: 349aeb4cac8408629a1e0d5718519d5a1985602b39af3befbf9e4c117528aa5c
cri-tools-debuginfo-1.20.0-4.el8.s390x.rpm
SHA-256: 853ab04ec16850aa16939ad9d8836c5d7710af84306f924ececb6581b262cd25
cri-tools-debugsource-1.20.0-4.el8.s390x.rpm
SHA-256: 3ff8a89188e01009ce1d7bfe74018b68bdad65afcf38ec4c46376cdcb7196d0c
ignition-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm
SHA-256: 060ec1d259fe4d3b611dbfd1a967bb84bcf3bb50e75d0216a8d7e06c3f9d2aca
ignition-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm
SHA-256: 9d3760845d8784f9c9afadd13b575dbddf14adaf4f9dd6c2df79abad25bf1198
ignition-debugsource-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm
SHA-256: 50fc8d6a31d36dd73630dceeb40768b1c16d9b78cd223d479f2720ddfe17f89f
ignition-validate-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm
SHA-256: 0c2eb514d86a19b0bb2281a65c1b275a44df9d85976f63e2013cbfa97997ef89
ignition-validate-debuginfo-2.9.0-5.rhaos4.7.git1d56dc8.el8.s390x.rpm
SHA-256: cf38ced4495298d49d9798769354d66082a02d03aa9122b30cd0c4f23c298b84
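A practitioner who pulls these RPMs outside the normal update channel will want to check them against the SHA-256 values listed above before installing. The following Python is an added example, not Red Hat tooling: it parses filename / SHA-256 pairs laid out the way this advisory prints them, hashes each local file in chunks, and reports ok, mismatch or missing per advertised package. The embedded excerpt is copied from the RHEL 8 x86_64 list above; the local directory layout and the files written by demo_verify are constructed assumptions.

```python
"""Verify downloaded RPMs against the SHA-256 list published in an advisory.

Added example, not part of the advisory or of any Red Hat tool. The excerpt
below is copied from the package list above; the directory layout and the
demo files are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Filename / SHA-256 pairs copied from the advisory's RHEL 8 x86_64 list.
ADVISORY_EXCERPT = """
cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm
SHA-256: 86905115d9c9d6b0b339349878028753e591c8cf4a0b1844b5bccf5966f55f07
conmon-2.0.29-3.rhaos4.7.el8.x86_64.rpm
SHA-256: 1918c1dc7286b38def6d0c26d76d33e94f8f5a053f0c5536f70ac3d2ae6c8589
cri-tools-1.20.0-4.el8.x86_64.rpm
SHA-256: 34fd4955f4431aae45d1c009436df1aa0f02af50d4cbbc40a3929e44bba3e0b1
"""

_SHA_RE = re.compile(r"^SHA-256:\s*([0-9a-fA-F]{64})$")


def parse_checksums(text: str) -> dict[str, str]:
    """Map each .rpm filename to the SHA-256 digest printed on the line after it."""
    expected: dict[str, str] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(".rpm"):
            pending = line  # remember the package, digest follows on the next line
            continue
        m = _SHA_RE.match(line)
        if m and pending:
            expected[pending] = m.group(1).lower()
            pending = None
    return expected


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large RPMs never sit fully in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(rpm_dir: Path, expected: dict[str, str]) -> dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every advertised package."""
    results = {}
    for name, digest in expected.items():
        path = rpm_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo_verify() -> dict[str, str]:
    """Run the check on constructed files in a temporary directory: one advertised
    package present with the wrong bytes, two absent, and one constructed entry
    whose digest matches. None of these files are real RPMs."""
    expected = parse_checksums(ADVISORY_EXCERPT)
    payload = b"constructed payload, not a real rpm"
    expected["constructed-good.rpm"] = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "cri-o-1.20.8-3.rhaos4.7.gitb9df556.el8.x86_64.rpm").write_bytes(b"wrong bytes")
        (d / "constructed-good.rpm").write_bytes(payload)
        return verify_dir(d, expected)


if __name__ == "__main__":
    import sys

    rpm_dir = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in verify_dir(rpm_dir, parse_checksums(ADVISORY_EXCERPT)).items():
        print(f"{status:8} {name}")
```

Run it with the directory holding the downloaded RPMs as the first argument; any "mismatch" means the file does not correspond to the package the advisory describes and should not be installed, and a "missing" entry simply was not downloaded. The parser only accepts the filename-then-digest layout used on this page, so paste the relevant block of the advisory into ADVISORY_EXCERPT rather than feeding it arbitrary text.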
The Red Hat security contact is [email protected]. More contact details are available at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2022-7529-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and memory exhaustion vulnerabilities.
An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-29162: runc: incorrect handling of inheritable capabilities
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-2990: buildah: possible information disclosure and modification * CVE-...
Red Hat Security Advisory 2022-5392-01 - Red Hat Advanced Cluster Management for Kubernetes 2.3.11 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which resolve security issues and fix several bugs. Issues addressed include a traversal vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.3.11 general availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-2022-21803: nconf: Prototype pollution in memory store * CVE-2022-23806: golang: crypto/elliptic IsOnCurv...
Red Hat Security Advisory 2022-4999-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.715. Issues addressed include a memory exhaustion vulnerability.
Red Hat OpenShift Container Platform release 3.11.715 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Red Hat Security Advisory 2022-4947-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.59. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2022-4951-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.43. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2022-4965-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2022-4943-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.18. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2022-4972-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.38. Issues addressed include a memory exhaustion vulnerability.
Red Hat OpenShift Container Platform release 4.6.59 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion: Stored XSS vu...
Red Hat OpenShift Container Platform release 4.8.43 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Red Hat OpenShift Container Platform release 4.9.38 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Red Hat OpenShift Container Platform release 4.10.18 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
### Description
An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet. If the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example yaml file that will output around 8GB of ‘A’ characters, which would be written to disk by conmon and read by CRI-O.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment100
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        lifecycle:
          postStart:
            exec:
              command: ["/bin/s...
```
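The failure mode described above, reading the entire captured output back regardless of its size, as an added Python illustration that is not CRI-O's or conmon's code: a constructed file of 'A' bytes stands in for the log conmon writes, read_all mirrors the unbounded read that lets memory grow with whatever the probe printed, and read_bounded shows the defensive alternative of capping what reaches memory and flagging truncation so the caller knows the output was cut. The sizes and the limit used in demo are constructed values.

```python
"""Unbounded versus bounded reading of a command's captured output.

Added illustration of the failure mode in CVE-2022-1708's description, not
CRI-O's or conmon's code. A runtime captures exec output to a file; the
reader that loads it back decides how much memory that costs.
"""
from dataclasses import dataclass
from pathlib import Path
import tempfile


@dataclass
class ExecResult:
    output: bytes
    truncated: bool  # True when the reader stopped before the end of the file


def read_all(path: Path) -> ExecResult:
    """Vulnerable pattern: memory use equals whatever the container wrote."""
    return ExecResult(path.read_bytes(), truncated=False)


def read_bounded(path: Path, limit: int) -> ExecResult:
    """Read at most `limit` bytes in chunks; if more exists, stop and report it."""
    buf = bytearray()
    with path.open("rb") as f:
        while len(buf) < limit:
            chunk = f.read(min(64 * 1024, limit - len(buf)))
            if not chunk:
                return ExecResult(bytes(buf), truncated=False)
            buf.extend(chunk)
        # Cap reached: peek one byte to learn whether anything was left unread.
        truncated = f.read(1) != b""
    return ExecResult(bytes(buf), truncated)


def demo(output_size: int, limit: int) -> tuple[int, int, bool]:
    """Write a constructed output file of `output_size` 'A' bytes (standing in
    for the probe's log), then compare how much each reader pulls into memory.
    Returns (bytes held by read_all, bytes held by read_bounded, truncated flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "exec-output.log"
        with log.open("wb") as f:
            f.write(b"A" * output_size)
        unbounded = read_all(log)
        bounded = read_bounded(log, limit)
    return len(unbounded.output), len(bounded.output), bounded.truncated


if __name__ == "__main__":
    # 1 MiB of output against a 64 KiB cap: the unbounded reader holds all of it.
    print(demo(1 << 20, 64 * 1024))
```

The bounded reader changes the cost model from "as large as the container chooses" to a constant chosen by the node, which is the property a defender wants from anything that ingests container-controlled data; the truncated flag lets the caller surface that the output was cut rather than silently returning a partial result. The disk side of the issue is separate: conmon's file still grows with the command's output, so a cap on the read alone does not bound disk usage.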