Headline
RHSA-2023:5155: Red Hat Security Advisory: [impact]: OpenShift Container Platform 4.13.13 bug fix and security update
Red Hat OpenShift Container Platform release 4.13.13 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-2253: A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
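The allocation pattern behind CVE-2023-2253, as an added illustration that is neither the distribution project's code nor its actual patch: `vulnerableLimit` trusts `n` as the client supplied it, `safeLimit` applies a default, validates and clamps it, and `catalogPage` sizes its result slice by the data it returns rather than by the request. The constants `defaultEntries` and `maxEntries`, the helper names and the repository list are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strconv"
)

const (
	defaultEntries = 100  // constructed limits for this example,
	maxEntries     = 1000 // not the project's own constants
)

// vulnerableLimit is the weak pattern: n is trusted as the client sent it, so
// a caller that then does make([]string, n) allocates whatever was asked for.
func vulnerableLimit(q url.Values) (int, error) {
	return strconv.Atoi(q.Get("n"))
}

// safeLimit applies the default, rejects non-numeric or negative n and clamps
// it to maxEntries, so the server, not the client, bounds the allocation.
func safeLimit(q url.Values) (int, error) {
	raw := q.Get("n")
	if raw == "" {
		return defaultEntries, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid n parameter %q", raw)
	}
	if n > maxEntries {
		n = maxEntries
	}
	return n, nil
}

// catalogPage returns up to limit names after last (sorted order) plus the last
// value for the next page ("" when exhausted); the slice is sized by the data.
func catalogPage(repos []string, last string, limit int) ([]string, string) {
	sorted := append([]string(nil), repos...)
	sort.Strings(sorted)
	start := sort.SearchStrings(sorted, last)
	if start < len(sorted) && sorted[start] == last {
		start++
	}
	end := start + limit
	if end > len(sorted) {
		end = len(sorted)
	}
	page := make([]string, end-start)
	copy(page, sorted[start:end])
	next := ""
	if end < len(sorted) && end > start {
		next = page[len(page)-1]
	}
	return page, next
}

func main() {
	q := url.Values{"n": {"2000000000"}} // constructed request with n far too large
	fmt.Println(vulnerableLimit(q))      // 2000000000 <nil>: the value the client asked for
	fmt.Println(safeLimit(q))            // 1000 <nil>: clamped by the server
}
```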
Issued:
2023-09-19
Updated:
2023-09-19
RHSA-2023:5155 - Security Advisory
Synopsis
Moderate: [impact]: OpenShift Container Platform 4.13.13 bug fix and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.13.13 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.13.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.13. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHBA-2023:5158
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
Security Fix(es):
- distribution/distribution: DoS from malicious API request (CVE-2023-2253)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
Solution
For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.
The SHA-256 digests of the release images are:
(For x86_64 architecture)
The image digest is sha256:d62495768e335c79a215ba56771ff5ae97e3cbb2bf49ed8fb3f6cefabcdc0f17
(For s390x architecture)
The image digest is sha256:31eed1e1c5cf788c0873d3fde09cf561c7d44d6d33b3abbeed0dcaf99ad4c24b
(For ppc64le architecture)
The image digest is sha256:2759c882d9493791ec8a0491e37e0d6603f48e68d2be34e512f5c64ef8b61dfe
(For aarch64 architecture)
The image digest is sha256:ad2a9a4beb8b0f7be75efca93a5eddb301d0b21b50d4b95685af07b653e9587d
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.13 for RHEL 9 x86_64
- Red Hat OpenShift Container Platform 4.13 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.13 for RHEL 9 ppc64le
- Red Hat OpenShift Container Platform for Power 4.13 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 9 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.13 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 9 aarch64
- Red Hat OpenShift Container Platform for ARM 64 4.13 for RHEL 8 aarch64
Fixes
- BZ - 2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request
- OCPBUGS-14250 - [4.13] Host can get stuck on inspecting if the network secret is updated
- OCPBUGS-15222 - Hard coded region references remain in installer
- OCPBUGS-15268 - External PKI reconciliation deploys broken due to invalid dependency on additional user ca bundles
- OCPBUGS-16225 - Hypershift does not use probes on openshift-route-controller-manager and openshift-controller-manager
- OCPBUGS-17182 - olm-collect-profiles cronjob pods can’t reach mgmt KAS
- OCPBUGS-17357 - Operator catalogs from 4.12 are used in 4.13 and 4.14 hosted clusters
- OCPBUGS-18192 - Dynamic plugin proxy requests time out after 30 seconds
- OCPBUGS-18332 - Cannot use EgressIP for the vsphere csi driver to access the vcenter api
- OCPBUGS-18502 - On an SNO node one of the CatalogSources gets deleted after multiple reboots
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.