RHSA-2022:4972: Red Hat Security Advisory: OpenShift Container Platform 4.9.38 packages and security update

Red Hat OpenShift Container Platform release 4.9.38 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Issued: 2022-06-14

Updated: 2022-06-14

RHSA-2022:4972 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 4.9.38 packages and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.9.38 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.9.38. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2022:4973

Security Fix(es):

  • cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.9 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.9 aarch64

Fixes

  • BZ - 2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

Red Hat OpenShift Container Platform 4.9 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.9.el8.src.rpm

SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm

SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911

x86_64

conmon-2.0.29-3.rhaos4.9.el8.x86_64.rpm

SHA-256: 9b2cbf963ba78f1d51803958c85b2e23b98fdea8d9ba45d51c29dba843b0773d

conmon-debuginfo-2.0.29-3.rhaos4.9.el8.x86_64.rpm

SHA-256: 0e984446f7ce07d810aab62facd1e141a12c9daa6032fe6a662dea4a3927af1b

conmon-debugsource-2.0.29-3.rhaos4.9.el8.x86_64.rpm

SHA-256: cdbefdc4b3adff4a9f116600eef0d62cbd72c3c588793be27f58bb064e9bbb05

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm

SHA-256: 0c8084055bf87cc168402f676b0e661d401b4ad757e3db7fc597dd6410dd512e

cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm

SHA-256: d327061a5a2d54bf2db8e80a988b7e2ff7f74db2595ad805ff99dbe22b0e8dec

cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm

SHA-256: 802d45a12263835802b5cf500813ae9d6cf2a0c5691de88c7e2db51c5b2a757e

Red Hat OpenShift Container Platform 4.9 for RHEL 7

SRPM

conmon-2.0.29-3.rhaos4.9.el7.src.rpm

SHA-256: edad9c6a19f854eb4533d7cc4628e8da7c7e6b3fee0946904a89af14c4c25ee3

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el7.src.rpm

SHA-256: 562dca34df92bf5a6033a14d3aa6a3558c60be40579ebe20a9cf71d95235ec56

x86_64

conmon-2.0.29-3.rhaos4.9.el7.x86_64.rpm

SHA-256: 954034a208b5907841988d83a80fded5ca0d5dd380be917979e8bfa818011fb0

conmon-debuginfo-2.0.29-3.rhaos4.9.el7.x86_64.rpm

SHA-256: 0286bb5dccf11e977bbd9650994ae346234e8c79b1b74732c433d06d6cf9e6a2

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el7.x86_64.rpm

SHA-256: 429ac685edd00db0fdd195871ce9e1cb34d2d56e7206c4834386a4d923ffb531

cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el7.x86_64.rpm

SHA-256: a7f7b6eb1e96ff173305ea70b2e02aae9322dca76ce847ba0ca54e8b93c3223a

Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.9.el8.src.rpm

SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm

SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911

ppc64le

conmon-2.0.29-3.rhaos4.9.el8.ppc64le.rpm

SHA-256: 4538e6b4c5c386f0ca5ac20a62523b4cfca3e42119a4e5d1d7760dbc751d376a

conmon-debuginfo-2.0.29-3.rhaos4.9.el8.ppc64le.rpm

SHA-256: ba955a4563aba99e838ddd9446cb0572ce4e6566c738755c07fdca07ae8351da

conmon-debugsource-2.0.29-3.rhaos4.9.el8.ppc64le.rpm

SHA-256: 9c75c31a0395ee7befe4b4e1c58b9079ee93721b115d7d0521925b4a5db81d2d

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm

SHA-256: 9bd6d2207c3db9d0fa82da8b80ca296c0f18d2fe83220c4b9c887458dbf5dd1b

cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm

SHA-256: 31dd1942fd8f65a89856821f3eb46397857ec52021089cbacfe32ebb19c53d20

cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm

SHA-256: 21eca076808270b24231a8095132ed573535885f0fca9b618bca16c0bce68285

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8

SRPM

conmon-2.0.29-3.rhaos4.9.el8.src.rpm

SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm

SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911

s390x

conmon-2.0.29-3.rhaos4.9.el8.s390x.rpm

SHA-256: 34efc63e223aa6e590b7b46257d30b812f97de2ca44b4f6bda2602bc2ad61654

conmon-debuginfo-2.0.29-3.rhaos4.9.el8.s390x.rpm

SHA-256: 797c513f20fcfa73804479c6528117a97adc13f8e04b82daf87fbbc4d9983762

conmon-debugsource-2.0.29-3.rhaos4.9.el8.s390x.rpm

SHA-256: b5b36b0070d592db78c611f78cf7bd23f5b9f2deef9904ca313d5d3a394985d0

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm

SHA-256: d9c63319eca18105ca7efbb90c2fbf9f872d2cc00822b8b0c5eab7509d22f3c0

cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm

SHA-256: 624ab9fc2477e1733025124a32732015dcb0299f5a436698db63ac915493ff9a

cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm

SHA-256: de9cf39296c681efc12a8b71165389fdf513eb735841a4d478f8fd63af89a560

Red Hat OpenShift Container Platform for ARM 64 4.9

SRPM

conmon-2.0.29-3.rhaos4.9.el8.src.rpm

SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm

SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911

aarch64

conmon-2.0.29-3.rhaos4.9.el8.aarch64.rpm

SHA-256: b451ac2d1c66e4a3a20d1bb345ef76e4ef8c73511ff6c3b9ecf59a3231f09527

conmon-debuginfo-2.0.29-3.rhaos4.9.el8.aarch64.rpm

SHA-256: 668a32576825b4fb7f4d754d7c10e6694baf9ec28eb1259c8c1e6529ec397f36

conmon-debugsource-2.0.29-3.rhaos4.9.el8.aarch64.rpm

SHA-256: 6bcfef91fbb03cffb2e5ea4bf4b0ba4bb07ffa231434fd96478629055cc8b4ce

cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm

SHA-256: 637189af16a0a4866a20be2022b49e72a7ec65ad7c31e8d40d703095d1c77968

cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm

SHA-256: 1d5999fae8989f95e1967a35c636e55bb966dea73cae2fe1a7306e1f35356c7b

cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm

SHA-256: f353b55a61c90342ec5df5e954e19926567655e001677af27050d6b5ed71ec07
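Added example, not from the advisory or from Red Hat's tooling: a Go check that decides whether a node's installed cri-o or conmon build is at or past the fixed NVRs listed above, using rpm's own version-comparison rules rather than a plain string compare. It assumes the installed NVR comes from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}' cri-o` on the node; every installed value used below is constructed.

```go
package main

import (
	"fmt"
	"strings"
)
func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c|0x20) >= 'a' && (c|0x20) <= 'z' }
// span advances i over a run of digits (num) or of letters (!num) in s.
func span(s string, i int, num bool) int {
	for i < len(s) && isDigit(s[i]) == num && (num || isAlpha(s[i])) { i++ }
	return i
}
// rpmvercmp reimplements rpm's segment comparison: digit runs compare numerically,
// letter runs lexically, numeric beats alpha, '~' sorts before anything (even end
// of string) and leftover segments win. The '^' marker is not handled here.
func rpmvercmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for i < len(a) && !isDigit(a[i]) && !isAlpha(a[i]) && a[i] != '~' { i++ } // separators
		for j < len(b) && !isDigit(b[j]) && !isAlpha(b[j]) && b[j] != '~' { j++ }
		if (i < len(a) && a[i] == '~') || (j < len(b) && b[j] == '~') {
			if i == len(a) || a[i] != '~' { return 1 }
			if j == len(b) || b[j] != '~' { return -1 }
			i, j = i+1, j+1
			continue
		}
		if i == len(a) || j == len(b) { break }
		si, sj, num := i, j, isDigit(a[i])
		i, j = span(a, i, num), span(b, j, num)
		x, y := a[si:i], b[sj:j]
		if y == "" { // segment types differ: numeric sorts after alpha
			if num { return 1 }
			return -1
		}
		if num { // numeric: drop leading zeros, then the longer run is larger
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if len(x) > len(y) { return 1 }
			if len(x) < len(y) { return -1 }
		}
		if c := strings.Compare(x, y); c != 0 { return c }
	}
	if i == len(a) && j == len(b) { return 0 }
	if i == len(a) { return -1 }
	return 1
}
// parseNVR splits "name-version-release" from the right, so "cri-o" keeps its hyphen.
func parseNVR(s string) (name, ver, rel string, err error) {
	r := strings.LastIndexByte(s, '-')
	if r < 1 { return "", "", "", fmt.Errorf("no release in %q", s) }
	v := strings.LastIndexByte(s[:r], '-')
	if v < 1 { return "", "", "", fmt.Errorf("no version in %q", s) }
	return s[:v], s[v+1 : r], s[r+1:], nil
}
// Fixed reports whether installed is at or past fixed (same package name, epoch 0):
// the version decides first and the release only on a tie, as rpm does.
func Fixed(installed, fixed string) (bool, error) {
	n1, v1, r1, err := parseNVR(installed)
	if err != nil { return false, err }
	n2, v2, r2, err := parseNVR(fixed)
	if err != nil { return false, err }
	if n1 != n2 { return false, fmt.Errorf("package mismatch: %s vs %s", n1, n2) }
	if c := rpmvercmp(v1, v2); c != 0 { return c > 0, nil }
	return rpmvercmp(r1, r2) >= 0, nil
}
```

Run it against the fixed NVR for your architecture, e.g. `cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8` or `conmon-2.0.29-3.rhaos4.9.el8` from the lists above.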

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

CVE-2022-1708: Merge pull request from GHSA-fcm2-6c3h-pg6j · cri-o/cri-o@f032cf6

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.

GHSA-fcm2-6c3h-pg6j: Node DOS by way of memory exhaustion through ExecSync request in CRI-O

Description

An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet. If the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example yaml file that will output around 8GB of ‘A’ characters, which would be written to disk by conmon and read by CRI-O.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment100
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        lifecycle:
          postStart:
            exec:
              command: ["/bin/s...
```
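Added illustration, not CRI-O's code or its actual patch for this issue: a bounded read of command output in Go, showing the defensive pattern the description implies (cap what is read into memory and report truncation) beside a constructed endless-'A' reader that stands in for the output file conmon would write. The 16 MiB cap is an arbitrary value chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// aReader is a constructed stand-in for the output file of the deployment
// above: an endless stream of 'A' bytes that is never materialised in
// memory, so it models command output larger than the node's RAM.
type aReader struct{}

func (aReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// readCapped reads at most limit bytes of command output from r and reports
// whether more was available. Its memory use is bounded by limit no matter
// how much the command printed, which is the property a read-the-whole-file
// approach lacks.
func readCapped(r io.Reader, limit int64) (out []byte, truncated bool, err error) {
	buf := make([]byte, limit+1) // one extra byte tells us whether output continued
	n, err := io.ReadFull(r, buf)
	if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
		err = nil // output shorter than the cap is the normal case
	}
	if err != nil {
		return nil, false, err
	}
	if int64(n) > limit {
		return buf[:limit], true, nil
	}
	return buf[:n], false, nil
}

func main() {
	// 16 MiB cap instead of the 8 GB the example deployment would produce.
	out, truncated, err := readCapped(aReader{}, 16<<20)
	fmt.Printf("read %d bytes, truncated=%v, err=%v\n", len(out), truncated, err)
}
```

Apply the cap to stdout and stderr separately and surface the truncated flag in the probe result, so a probe whose output was cut off is visible rather than silently shortened.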