Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2022:4951: Red Hat Security Advisory: OpenShift Container Platform 4.8.43 packages and security update

Red Hat OpenShift Container Platform release 4.8.43 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Red Hat Security Data
#vulnerability#web#linux#red_hat#redis#nodejs#js#git#java#kubernetes#aws#ibm#rpm

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager

All Products

Issued:

2022-06-16

Updated:

2022-06-16

RHSA-2022:4951 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: OpenShift Container Platform 4.8.43 packages and security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.8.43 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.43. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2022:4952

Security Fix(es):

  • cri-o: memory exhaustion on the node when access to the kube api

(CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.8 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x

Fixes

  • BZ - 2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

Red Hat OpenShift Container Platform 4.8 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.8.el8.src.rpm

SHA-256: e33b0c4966333f3c12cec4998b4652ee3d94b7871a509adf0b56c9118fdb54af

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.src.rpm

SHA-256: 6d8ceb97c4af05ef87426d135304067a86088e088b62c4642d9edc1c0162b2cc

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.src.rpm

SHA-256: adc3087fc3f2c2b12c1a567ddf9b6ade59bb7b62d9469cc16313cdd24a45365e

x86_64

conmon-2.0.29-3.rhaos4.8.el8.x86_64.rpm

SHA-256: 764d7651fe081711a11dca01a9c4c68507a11bc8733893b1f8b12370cd89f27a

conmon-debuginfo-2.0.29-3.rhaos4.8.el8.x86_64.rpm

SHA-256: c2d1b43d20945a83078621ab99b1c7bf1496f2745183ba405c88b56438196907

conmon-debugsource-2.0.29-3.rhaos4.8.el8.x86_64.rpm

SHA-256: 19d9913cc8c47ddeac7348c7c5a51e7a4858811b385bcb4dd8700adc1e06c6ed

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.x86_64.rpm

SHA-256: 4ef7e2136d6445ebd06c6d4ded7bb7bcdf35e6738d22b7f275b1bbc6ee5235cc

cri-o-debuginfo-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.x86_64.rpm

SHA-256: 231005534f50a513b1dc51538f18f81f999ed2d507da5f0f9ada611af4708be4

cri-o-debugsource-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.x86_64.rpm

SHA-256: 179f7d61720c7b952fa6677477561f710b8adb5fd8520e32d8bdeda6d0564714

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.x86_64.rpm

SHA-256: 5c46edb202a4ae846ecae3ca378cd37865b28998eac28aa4c03b8d0b7be75d47

openshift-clients-redistributable-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.x86_64.rpm

SHA-256: 312af709837ad80467db0f9b8c9b3354b1de5f13f57c8f4ddc94a5e770ccd7ec

Red Hat OpenShift Container Platform 4.8 for RHEL 7

SRPM

conmon-2.0.29-3.rhaos4.8.el7.src.rpm

SHA-256: 7e12dc3cc07f56fce60164b7e2d99da0c26ae7ca69c3db1a63cce0a6595ac913

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el7.src.rpm

SHA-256: 325ca84c0ddebc1b864f76dee1fa42e8f9034aef465cd686f2f2998e8eeafba1

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el7.src.rpm

SHA-256: 3da5682019f31b9539073c13f34cc10b4e5cf7d94ce1fc5f4345338d984d7caa

x86_64

conmon-2.0.29-3.rhaos4.8.el7.x86_64.rpm

SHA-256: 9c7f2d80d56b8a315ac52eb5ced8f2e91d0d989abb9f23183fa6a555426cd9cc

conmon-debuginfo-2.0.29-3.rhaos4.8.el7.x86_64.rpm

SHA-256: bed13acc54249ee73c399e91e0b8c162c9a0cfa132ea15e6d24ebe1f19346eda

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el7.x86_64.rpm

SHA-256: 9994971d43711a5fca135d0309c3d8c2e1b083202ba51ab6ab8e2d96b9114b77

cri-o-debuginfo-1.21.8-3.rhaos4.8.gitd7fbb0d.el7.x86_64.rpm

SHA-256: 19cb22e166e325b715d2627e264c5e72875661b180ab32532b1032c03889daf7

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el7.x86_64.rpm

SHA-256: 1b53644c548e2fa082afd1b5832dba3c26de83f07c56233987181f720225a58b

openshift-clients-redistributable-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el7.x86_64.rpm

SHA-256: e3848c4fc9435f531bee7d2924ad9f3b6165c12a637f703520975f47e54eacfe

Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.8.el8.src.rpm

SHA-256: e33b0c4966333f3c12cec4998b4652ee3d94b7871a509adf0b56c9118fdb54af

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.src.rpm

SHA-256: 6d8ceb97c4af05ef87426d135304067a86088e088b62c4642d9edc1c0162b2cc

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.src.rpm

SHA-256: adc3087fc3f2c2b12c1a567ddf9b6ade59bb7b62d9469cc16313cdd24a45365e

ppc64le

conmon-2.0.29-3.rhaos4.8.el8.ppc64le.rpm

SHA-256: 6afa9b52dda2724f70650548ddaf60e6449ddf3d05ca3ef6e2b93491ec7d34a0

conmon-debuginfo-2.0.29-3.rhaos4.8.el8.ppc64le.rpm

SHA-256: 6c6a9ca8ddeed1a00139957fcf6873699882c4459885c7579650d5e13c20ac1e

conmon-debugsource-2.0.29-3.rhaos4.8.el8.ppc64le.rpm

SHA-256: b98f77f02935c92ccc540e432e11422538909bab6cc61f9a3393f305474514d9

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.ppc64le.rpm

SHA-256: 12e7a11aade6bca78819e3250517f2a32cbc4fa1bb19b3c01f5c1db5507782e4

cri-o-debuginfo-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.ppc64le.rpm

SHA-256: 3776fce79e8df828da4295c9b91b0f7da4a910f056f7270f7ec97a7b22c094ae

cri-o-debugsource-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.ppc64le.rpm

SHA-256: 95214fea0bb6015f3acc1df66254ecc450dac3a382026daf3597d2decd9f1fc3

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.ppc64le.rpm

SHA-256: 3fe2709c7d3161deb0ed9861c1dda0102b3563142876292b1f8c244c7d86a7c7

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.8.el8.src.rpm

SHA-256: e33b0c4966333f3c12cec4998b4652ee3d94b7871a509adf0b56c9118fdb54af

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.src.rpm

SHA-256: 6d8ceb97c4af05ef87426d135304067a86088e088b62c4642d9edc1c0162b2cc

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.src.rpm

SHA-256: adc3087fc3f2c2b12c1a567ddf9b6ade59bb7b62d9469cc16313cdd24a45365e

s390x

conmon-2.0.29-3.rhaos4.8.el8.s390x.rpm

SHA-256: 91d72f4e3ac2d1e728aef7cf548fae455c2c13c5868d730d79f0895e53428112

conmon-debuginfo-2.0.29-3.rhaos4.8.el8.s390x.rpm

SHA-256: aa09131a1b0afa70eb4bbd3763af5a352a63e5fc49aca017e1748a3123e4e791

conmon-debugsource-2.0.29-3.rhaos4.8.el8.s390x.rpm

SHA-256: 567b430f4f1819df43ce06b2076675e4ebce1ea308db7d29bd94979f09e2728a

cri-o-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.s390x.rpm

SHA-256: 600a97f02da631da4f77b73a3cbb9948e3eb1d6a2437bb0aab8d0d10cd63c864

cri-o-debuginfo-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.s390x.rpm

SHA-256: c74fed558bf1323566181793a343cc69948493d4f88c98d11d58f341403f7556

cri-o-debugsource-1.21.8-3.rhaos4.8.gitd7fbb0d.el8.s390x.rpm

SHA-256: 4fff88bf88d271670e1c34611b5dfefdcc683592d092dd444abd683154e0d235

openshift-clients-4.8.0-202206010726.p0.g7c3760e.assembly.stream.el8.s390x.rpm

SHA-256: 02bf8f8d022a62bc9932a082301f59730ab81ba664e959a74abdcb7bee40d8e9

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2022-7457-01

Red Hat Security Advisory 2022-7457-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include information leakage and memory exhaustion vulnerabilities.

Red Hat Security Advisory 2022-7529-01

Red Hat Security Advisory 2022-7529-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and memory exhaustion vulnerabilities.

RHSA-2022:7469: Red Hat Security Advisory: container-tools:4.0 security and bug fix update

An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-29162: runc: incorrect handling of inheritable capabilities

RHSA-2022:5392: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.3.11 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.3.11 general availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-2022-21803: nconf: Prototype pollution in memory store * CVE-2022-23806: golang: crypto/elliptic IsOnCurv...

Red Hat Security Advisory 2022-4999-01

Red Hat Security Advisory 2022-4999-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.715. Issues addressed include a memory exhaustion vulnerability.

Red Hat Security Advisory 2022-4947-01

Red Hat Security Advisory 2022-4947-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.59. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

Red Hat Security Advisory 2022-4951-01

Red Hat Security Advisory 2022-4951-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.43. Issues addressed include a memory exhaustion vulnerability.

Red Hat Security Advisory 2022-4965-01

Red Hat Security Advisory 2022-4965-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.53. There are no images for this advisory. Issues addressed include a memory exhaustion vulnerability.

Red Hat Security Advisory 2022-4943-01

Red Hat Security Advisory 2022-4943-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.18. Issues addressed include a memory exhaustion vulnerability.

Red Hat Security Advisory 2022-4972-01

Red Hat Security Advisory 2022-4972-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.38. Issues addressed include a memory exhaustion vulnerability.

RHSA-2022:4947: Red Hat Security Advisory: OpenShift Container Platform 4.6.59 security update

Red Hat OpenShift Container Platform release 4.6.59 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api * CVE-2022-29036: credentials: Stored XSS vulnerabilities in jenkins plugin * CVE-2022-29046: subversion: Stored XSS vu...

RHSA-2022:4965: Red Hat Security Advisory: OpenShift Container Platform 4.7.53 packages and security update

Red Hat OpenShift Container Platform release 4.7.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api

RHSA-2022:4972: Red Hat Security Advisory: OpenShift Container Platform 4.9.38 packages and security update

Red Hat OpenShift Container Platform release 4.9.38 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api

RHSA-2022:4943: Red Hat Security Advisory: OpenShift Container Platform 4.10.18 packages and security update

Red Hat OpenShift Container Platform release 4.10.18 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api

CVE-2022-1708: Merge pull request from GHSA-fcm2-6c3h-pg6j · cri-o/cri-o@f032cf6

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.

GHSA-fcm2-6c3h-pg6j: Node DOS by way of memory exhaustion through ExecSync request in CRI-O

### Description An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet. If the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example yaml file that will output around 8GB of ‘A’ characters, which would be written to disk by conmon and read by CRI-O. ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment100 spec: selector: matchLabels: app: nginx replicas: 2 template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.14.2 lifecycle: postStart: exec: command: ["/bin/s...