Headline
RHSA-2023:1503: Red Hat Security Advisory: OpenShift Container Platform 4.11.34 packages and security update
Red Hat OpenShift Container Platform release 4.11.34 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-4318: A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-04-04
Updated:
2023-04-04
RHSA-2023:1503 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: OpenShift Container Platform 4.11.34 packages and security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Red Hat OpenShift Container Platform release 4.11.34 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.11.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.34. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:1504
Security Fix(es):
- cri-o: /etc/passwd tampering privesc (CVE-2022-4318)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.11 aarch64
Fixes
- BZ - 2152703 - CVE-2022-4318 cri-o: /etc/passwd tampering privesc
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html
Red Hat OpenShift Container Platform 4.11 for RHEL 8
SRPM
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.src.rpm
SHA-256: d8bb906d27d8816fb5eded0c65f2e6fe350bf06af01f85699cdcbaa10556da55
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.src.rpm
SHA-256: 44c1deea2911ce0b10c8f51a5c7c5170774f385e4843a75c97d5ea7dac8e3314
openshift-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.src.rpm
SHA-256: 9180855f92439cb2d34e40f685027cd12336d88e44bd88807488f475dc63132c
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.src.rpm
SHA-256: 2669c68757fb97c802f16ba69b148c8af2eb0c31d21c85a0a1b89a2826fe585e
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.src.rpm
SHA-256: 05eb57604b1958afe67ebb13b76d2c87e47714c97a61a3b96ff56798ba44a338
openshift-kuryr-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.src.rpm
SHA-256: 68e95224aa6585947aee4baa232d543b515018a5827f3ed969f3860283ba1a68
x86_64
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.x86_64.rpm
SHA-256: 201c7a85746a9ff951e018233c7db2cd20681f9c2e8a0ad36561e85f108f2452
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.x86_64.rpm
SHA-256: bc5221254b3140ce673abc940120b08f4ea903297cf59cce9271c21819e1d592
cri-o-debuginfo-1.24.4-10.rhaos4.11.git1ed5ac5.el8.x86_64.rpm
SHA-256: 4719547ca9a29a65947aa27abfbbc55616c8753f78af7915f16ee2123b93905c
cri-o-debugsource-1.24.4-10.rhaos4.11.git1ed5ac5.el8.x86_64.rpm
SHA-256: 196bda0539d538b7852e55a7d8eddd17c453a46b77f6a68e709ff5208076d35a
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: b73ac9e46bbb2b6b3334fd709c87ef85205e52ac877b3f63e82e3151849de2a5
openshift-ansible-test-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: ed2f8301027e1252aea43a7c2f591abe10839523c3159251c4305efa1390857a
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.x86_64.rpm
SHA-256: f6a289171c087a1894bf62be1b5492cae9aff889d6475d51fd78b9b80c601de1
openshift-clients-redistributable-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.x86_64.rpm
SHA-256: 8ca86752db33ca3ad4931360913d3bb4623c8dadd9db93106b42b304e026cbde
openshift-hyperkube-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.x86_64.rpm
SHA-256: 6869fb2bfe567fcff5e6af104f93e75618654d0bfb13d5ee3ff0419b4e9bb522
openshift-kuryr-cni-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 6d8c39d8b4396aaa2671bbc7067bc894524a90acd093b5dac6c88f951ba52be9
openshift-kuryr-common-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 65f8fd754c310aeb54f88b3664ee82f0cd062bf80e7c089a45d9fa2ba77fa47e
openshift-kuryr-controller-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 0e6795e4ce9dda9e5bcf9b08cfe939569d7645d2a6fc0a5fef0d314e9fef089e
python3-kuryr-kubernetes-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: a9ff0d5a5ef17ada7443e4485afdcba05c5c445d50656d4ae59ab8bd0f5bc5ef
Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8
SRPM
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.src.rpm
SHA-256: d8bb906d27d8816fb5eded0c65f2e6fe350bf06af01f85699cdcbaa10556da55
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.src.rpm
SHA-256: 44c1deea2911ce0b10c8f51a5c7c5170774f385e4843a75c97d5ea7dac8e3314
openshift-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.src.rpm
SHA-256: 9180855f92439cb2d34e40f685027cd12336d88e44bd88807488f475dc63132c
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.src.rpm
SHA-256: 2669c68757fb97c802f16ba69b148c8af2eb0c31d21c85a0a1b89a2826fe585e
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.src.rpm
SHA-256: 05eb57604b1958afe67ebb13b76d2c87e47714c97a61a3b96ff56798ba44a338
openshift-kuryr-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.src.rpm
SHA-256: 68e95224aa6585947aee4baa232d543b515018a5827f3ed969f3860283ba1a68
ppc64le
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.ppc64le.rpm
SHA-256: ddc7a19d2ee2a75df7b17bc18feeb03f1bf21c4a2644c18bb4b5189e5b439353
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.ppc64le.rpm
SHA-256: cfa5d9e4cc2e37af230c86433d13c336052b663924dd3eedbe05c9332d01978b
cri-o-debuginfo-1.24.4-10.rhaos4.11.git1ed5ac5.el8.ppc64le.rpm
SHA-256: fc6306cdc5eade8fcabd4768266aa4753d11c4ffa5dbfcf4ab94ae96199536af
cri-o-debugsource-1.24.4-10.rhaos4.11.git1ed5ac5.el8.ppc64le.rpm
SHA-256: 0105054df7496cb45df40e952faf647850bff741a671f062760ca5ceeb16b0a4
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: b73ac9e46bbb2b6b3334fd709c87ef85205e52ac877b3f63e82e3151849de2a5
openshift-ansible-test-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: ed2f8301027e1252aea43a7c2f591abe10839523c3159251c4305efa1390857a
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.ppc64le.rpm
SHA-256: c5d16624640bac83586bead3a3aeefc57936eb7955847e21ecfaff1b7cd71d2e
openshift-hyperkube-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.ppc64le.rpm
SHA-256: 9e80b8b9c7178f51a352bdc1e2f5bf2792ec932cc25148821773ad72ab31e37b
openshift-kuryr-cni-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 6d8c39d8b4396aaa2671bbc7067bc894524a90acd093b5dac6c88f951ba52be9
openshift-kuryr-common-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 65f8fd754c310aeb54f88b3664ee82f0cd062bf80e7c089a45d9fa2ba77fa47e
openshift-kuryr-controller-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 0e6795e4ce9dda9e5bcf9b08cfe939569d7645d2a6fc0a5fef0d314e9fef089e
python3-kuryr-kubernetes-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: a9ff0d5a5ef17ada7443e4485afdcba05c5c445d50656d4ae59ab8bd0f5bc5ef
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8
SRPM
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.src.rpm
SHA-256: d8bb906d27d8816fb5eded0c65f2e6fe350bf06af01f85699cdcbaa10556da55
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.src.rpm
SHA-256: 44c1deea2911ce0b10c8f51a5c7c5170774f385e4843a75c97d5ea7dac8e3314
openshift-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.src.rpm
SHA-256: 9180855f92439cb2d34e40f685027cd12336d88e44bd88807488f475dc63132c
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.src.rpm
SHA-256: 2669c68757fb97c802f16ba69b148c8af2eb0c31d21c85a0a1b89a2826fe585e
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.src.rpm
SHA-256: 05eb57604b1958afe67ebb13b76d2c87e47714c97a61a3b96ff56798ba44a338
openshift-kuryr-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.src.rpm
SHA-256: 68e95224aa6585947aee4baa232d543b515018a5827f3ed969f3860283ba1a68
s390x
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.s390x.rpm
SHA-256: fc88a83be1f04c2404a2b3c1c745a4a8ac98cdaa8167cb24c47664229db70680
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.s390x.rpm
SHA-256: 99e08b998de1c55d4314da3c4a280262f6d1083c9f3a2c233e6acabfe9e4c601
cri-o-debuginfo-1.24.4-10.rhaos4.11.git1ed5ac5.el8.s390x.rpm
SHA-256: 9961e4110a0aa5c2724303953e5331d25ea8224c3fc12d9099486074a0676086
cri-o-debugsource-1.24.4-10.rhaos4.11.git1ed5ac5.el8.s390x.rpm
SHA-256: b6748bd43e08a903533ceb8965796a0753a36cb08f210b35947b8da25c00d107
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: b73ac9e46bbb2b6b3334fd709c87ef85205e52ac877b3f63e82e3151849de2a5
openshift-ansible-test-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: ed2f8301027e1252aea43a7c2f591abe10839523c3159251c4305efa1390857a
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.s390x.rpm
SHA-256: 843f7ab7ed514781b171dc801a3528a41ec395dd9544b52779a4b86459f79216
openshift-hyperkube-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.s390x.rpm
SHA-256: 1316f876fffeda0aca34de3b3cde847587caef82092dc07fe9a9b1d614d657d5
openshift-kuryr-cni-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 6d8c39d8b4396aaa2671bbc7067bc894524a90acd093b5dac6c88f951ba52be9
openshift-kuryr-common-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 65f8fd754c310aeb54f88b3664ee82f0cd062bf80e7c089a45d9fa2ba77fa47e
openshift-kuryr-controller-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 0e6795e4ce9dda9e5bcf9b08cfe939569d7645d2a6fc0a5fef0d314e9fef089e
python3-kuryr-kubernetes-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: a9ff0d5a5ef17ada7443e4485afdcba05c5c445d50656d4ae59ab8bd0f5bc5ef
Red Hat OpenShift Container Platform for ARM 64 4.11
SRPM
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.src.rpm
SHA-256: d8bb906d27d8816fb5eded0c65f2e6fe350bf06af01f85699cdcbaa10556da55
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.src.rpm
SHA-256: 44c1deea2911ce0b10c8f51a5c7c5170774f385e4843a75c97d5ea7dac8e3314
openshift-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.src.rpm
SHA-256: 9180855f92439cb2d34e40f685027cd12336d88e44bd88807488f475dc63132c
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.src.rpm
SHA-256: 2669c68757fb97c802f16ba69b148c8af2eb0c31d21c85a0a1b89a2826fe585e
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.src.rpm
SHA-256: 05eb57604b1958afe67ebb13b76d2c87e47714c97a61a3b96ff56798ba44a338
openshift-kuryr-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.src.rpm
SHA-256: 68e95224aa6585947aee4baa232d543b515018a5827f3ed969f3860283ba1a68
aarch64
atomic-openshift-service-idler-4.11.0-202303240327.p0.ga0f9090.assembly.stream.el8.aarch64.rpm
SHA-256: 854cb22fd26523a737c70c9cbbb3efc75aff78c1a141b6100660c246b801e783
cri-o-1.24.4-10.rhaos4.11.git1ed5ac5.el8.aarch64.rpm
SHA-256: 4049b2e41ffd82622c19ff575f527e8dbea5090cf1a45bb9ee02c2ca5f49dc32
cri-o-debuginfo-1.24.4-10.rhaos4.11.git1ed5ac5.el8.aarch64.rpm
SHA-256: 2a3c0dd1a6a48ab0d64081e70d903b5c0ff13262cb57f44906786c3f4e243e0c
cri-o-debugsource-1.24.4-10.rhaos4.11.git1ed5ac5.el8.aarch64.rpm
SHA-256: 369014ab5e5c4c0bfdcd9c7b0cf1cc17f5bf95a6c72890df704449acb81381a4
openshift-ansible-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: b73ac9e46bbb2b6b3334fd709c87ef85205e52ac877b3f63e82e3151849de2a5
openshift-ansible-test-4.11.0-202303240327.p0.gdf73941.assembly.stream.el8.noarch.rpm
SHA-256: ed2f8301027e1252aea43a7c2f591abe10839523c3159251c4305efa1390857a
openshift-clients-4.11.0-202303240327.p0.gdea6f47.assembly.stream.el8.aarch64.rpm
SHA-256: 494a5ecd24cec9eef6e14b8b255e7a9ea6658416d1c2334ad98a4c85d7378386
openshift-hyperkube-4.11.0-202303240327.p0.gaf0420d.assembly.stream.el8.aarch64.rpm
SHA-256: 05fcd923211233a35556c5f8554b9f1c4e66d4d3e014d79a9d916156077f6343
openshift-kuryr-cni-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 6d8c39d8b4396aaa2671bbc7067bc894524a90acd093b5dac6c88f951ba52be9
openshift-kuryr-common-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 65f8fd754c310aeb54f88b3664ee82f0cd062bf80e7c089a45d9fa2ba77fa47e
openshift-kuryr-controller-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: 0e6795e4ce9dda9e5bcf9b08cfe939569d7645d2a6fc0a5fef0d314e9fef089e
python3-kuryr-kubernetes-4.11.0-202303240327.p0.g93daed6.assembly.stream.el8.noarch.rpm
SHA-256: a9ff0d5a5ef17ada7443e4485afdcba05c5c445d50656d4ae59ab8bd0f5bc5ef
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Red Hat Security Advisory 2023-1504-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.34.
### Impact It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry. Note: because the pod author is in control of the container's /etc/passwd, this is not considered a new risk factor. However, this advisory is being opened for transparency and as a way of tracking fixes. ### Patches 1.26.0 will have the fix. More patches will be posted as they're available. ### Workarounds Additional security controls like SELinux should prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container's /etc/passwd ### References