RHSA-2022:4972: Red Hat Security Advisory: OpenShift Container Platform 4.9.38 packages and security update
Red Hat OpenShift Container Platform release 4.9.38 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube api
Issued:
2022-06-14
Updated:
2022-06-14
RHSA-2022:4972 - Security Advisory
Synopsis
Moderate: OpenShift Container Platform 4.9.38 packages and security update
Type/Severity
Security Advisory: Moderate
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.9.38. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2022:4973
Security Fix(es):
- cri-o: memory exhaustion on the node when access to the kube api
(CVE-2022-1708)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
All OpenShift Container Platform 4.9 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html
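Before and after the upgrade, a practitioner wants to know which nodes still run a cri-o build older than the one this advisory ships (1.22.5-3.rhaos4.9, per the package list below). The following Go program is an added example, not Red Hat's or the CRI-O project's code: it reads the containerRuntimeVersion field that each Node reports (as printed by `oc get nodes -o custom-columns=NAME:.metadata.name,CRIO:.status.nodeInfo.containerRuntimeVersion --no-headers`) and flags nodes below the fixed build. The node names and the sample output are constructed for the example, and the version comparison is a deliberately simplified NVR check (numeric version fields, then the leading integer of the release), not a full rpmvercmp.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedCrioNVR is the cri-o build shipped by RHSA-2022:4972 (from the package list on this page).
const fixedCrioNVR = "1.22.5-3.rhaos4.9.gitb6d3a87.el8"

// crioBuild holds the fields we compare: numeric version parts and the leading
// integer of the release. This is a simplified comparison, not rpmvercmp, but it
// is enough to separate 1.22.4-x and 1.22.5-2 from 1.22.5-3.
type crioBuild struct {
	version []int
	release int
}

// parseNVR parses a string like "1.22.5-3.rhaos4.9.gitb6d3a87.el8".
func parseNVR(nvr string) (crioBuild, error) {
	parts := strings.SplitN(nvr, "-", 2)
	if len(parts) != 2 {
		return crioBuild{}, fmt.Errorf("no release in %q", nvr)
	}
	var b crioBuild
	for _, f := range strings.Split(parts[0], ".") {
		n, err := strconv.Atoi(f)
		if err != nil {
			return crioBuild{}, fmt.Errorf("bad version field %q in %q", f, nvr)
		}
		b.version = append(b.version, n)
	}
	relNum := strings.SplitN(parts[1], ".", 2)[0]
	n, err := strconv.Atoi(relNum)
	if err != nil {
		return crioBuild{}, fmt.Errorf("bad release %q in %q", parts[1], nvr)
	}
	b.release = n
	return b, nil
}

// atLeast reports whether a >= b, comparing version fields first, then release.
func (a crioBuild) atLeast(b crioBuild) bool {
	for i := 0; i < len(a.version) || i < len(b.version); i++ {
		var x, y int
		if i < len(a.version) {
			x = a.version[i]
		}
		if i < len(b.version) {
			y = b.version[i]
		}
		if x != y {
			return x > y
		}
	}
	return a.release >= b.release
}

// NodeHasFix takes a node's containerRuntimeVersion (e.g. "cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8")
// and reports whether it is at or above the fixed build. Non-cri-o runtimes and
// unparsable strings return an error so they are never silently counted as fixed.
func NodeHasFix(runtimeVersion string) (bool, error) {
	if !strings.HasPrefix(runtimeVersion, "cri-o://") {
		return false, fmt.Errorf("not a cri-o runtime: %q", runtimeVersion)
	}
	have, err := parseNVR(strings.TrimPrefix(runtimeVersion, "cri-o://"))
	if err != nil {
		return false, err
	}
	want, err := parseNVR(fixedCrioNVR)
	if err != nil {
		return false, err
	}
	return have.atLeast(want), nil
}

// VulnerableNodes scans "NAME RUNTIME" lines and returns the names of nodes
// that are below the fixed build or could not be evaluated.
func VulnerableNodes(ocOutput string) []string {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(ocOutput), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		fixed, err := NodeHasFix(fields[1])
		if err != nil || !fixed {
			out = append(out, fields[0])
		}
	}
	return out
}

// sampleOcOutput is constructed for this example; the node names and git hashes are not real.
const sampleOcOutput = `master-0   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el8
worker-0   cri-o://1.22.4-2.rhaos4.9.git1a2b3c4.el8
worker-1   cri-o://1.22.5-2.rhaos4.9.git1a2b3c4.el8
worker-2   cri-o://1.22.5-3.rhaos4.9.gitb6d3a87.el7
`

func main() {
	for _, n := range VulnerableNodes(sampleOcOutput) {
		fmt.Println("still needs RHSA-2022:4972:", n)
	}
}
```

Pipe real `oc get nodes` output into VulnerableNodes in place of the sample; the RHEL 7 worker in the sample counts as fixed because the advisory ships the same 1.22.5-3 build for el7.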
Affected Products
- Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
- Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.9 aarch64
Fixes
- BZ - 2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api
Red Hat OpenShift Container Platform 4.9 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.9.el8.src.rpm
SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm
SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911
x86_64
conmon-2.0.29-3.rhaos4.9.el8.x86_64.rpm
SHA-256: 9b2cbf963ba78f1d51803958c85b2e23b98fdea8d9ba45d51c29dba843b0773d
conmon-debuginfo-2.0.29-3.rhaos4.9.el8.x86_64.rpm
SHA-256: 0e984446f7ce07d810aab62facd1e141a12c9daa6032fe6a662dea4a3927af1b
conmon-debugsource-2.0.29-3.rhaos4.9.el8.x86_64.rpm
SHA-256: cdbefdc4b3adff4a9f116600eef0d62cbd72c3c588793be27f58bb064e9bbb05
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm
SHA-256: 0c8084055bf87cc168402f676b0e661d401b4ad757e3db7fc597dd6410dd512e
cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm
SHA-256: d327061a5a2d54bf2db8e80a988b7e2ff7f74db2595ad805ff99dbe22b0e8dec
cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm
SHA-256: 802d45a12263835802b5cf500813ae9d6cf2a0c5691de88c7e2db51c5b2a757e
Red Hat OpenShift Container Platform 4.9 for RHEL 7
SRPM
conmon-2.0.29-3.rhaos4.9.el7.src.rpm
SHA-256: edad9c6a19f854eb4533d7cc4628e8da7c7e6b3fee0946904a89af14c4c25ee3
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el7.src.rpm
SHA-256: 562dca34df92bf5a6033a14d3aa6a3558c60be40579ebe20a9cf71d95235ec56
x86_64
conmon-2.0.29-3.rhaos4.9.el7.x86_64.rpm
SHA-256: 954034a208b5907841988d83a80fded5ca0d5dd380be917979e8bfa818011fb0
conmon-debuginfo-2.0.29-3.rhaos4.9.el7.x86_64.rpm
SHA-256: 0286bb5dccf11e977bbd9650994ae346234e8c79b1b74732c433d06d6cf9e6a2
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el7.x86_64.rpm
SHA-256: 429ac685edd00db0fdd195871ce9e1cb34d2d56e7206c4834386a4d923ffb531
cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el7.x86_64.rpm
SHA-256: a7f7b6eb1e96ff173305ea70b2e02aae9322dca76ce847ba0ca54e8b93c3223a
Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.9.el8.src.rpm
SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm
SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911
ppc64le
conmon-2.0.29-3.rhaos4.9.el8.ppc64le.rpm
SHA-256: 4538e6b4c5c386f0ca5ac20a62523b4cfca3e42119a4e5d1d7760dbc751d376a
conmon-debuginfo-2.0.29-3.rhaos4.9.el8.ppc64le.rpm
SHA-256: ba955a4563aba99e838ddd9446cb0572ce4e6566c738755c07fdca07ae8351da
conmon-debugsource-2.0.29-3.rhaos4.9.el8.ppc64le.rpm
SHA-256: 9c75c31a0395ee7befe4b4e1c58b9079ee93721b115d7d0521925b4a5db81d2d
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm
SHA-256: 9bd6d2207c3db9d0fa82da8b80ca296c0f18d2fe83220c4b9c887458dbf5dd1b
cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm
SHA-256: 31dd1942fd8f65a89856821f3eb46397857ec52021089cbacfe32ebb19c53d20
cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.ppc64le.rpm
SHA-256: 21eca076808270b24231a8095132ed573535885f0fca9b618bca16c0bce68285
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8
SRPM
conmon-2.0.29-3.rhaos4.9.el8.src.rpm
SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm
SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911
s390x
conmon-2.0.29-3.rhaos4.9.el8.s390x.rpm
SHA-256: 34efc63e223aa6e590b7b46257d30b812f97de2ca44b4f6bda2602bc2ad61654
conmon-debuginfo-2.0.29-3.rhaos4.9.el8.s390x.rpm
SHA-256: 797c513f20fcfa73804479c6528117a97adc13f8e04b82daf87fbbc4d9983762
conmon-debugsource-2.0.29-3.rhaos4.9.el8.s390x.rpm
SHA-256: b5b36b0070d592db78c611f78cf7bd23f5b9f2deef9904ca313d5d3a394985d0
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm
SHA-256: d9c63319eca18105ca7efbb90c2fbf9f872d2cc00822b8b0c5eab7509d22f3c0
cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm
SHA-256: 624ab9fc2477e1733025124a32732015dcb0299f5a436698db63ac915493ff9a
cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.s390x.rpm
SHA-256: de9cf39296c681efc12a8b71165389fdf513eb735841a4d478f8fd63af89a560
Red Hat OpenShift Container Platform for ARM 64 4.9
SRPM
conmon-2.0.29-3.rhaos4.9.el8.src.rpm
SHA-256: c700c39eab907389652d9974681e48299856ff199f9b77aadadff834c3ccfc53
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.src.rpm
SHA-256: d22e79308816bec13e6bd38747f445a87016581eaff56ce56c77375bf3556911
aarch64
conmon-2.0.29-3.rhaos4.9.el8.aarch64.rpm
SHA-256: b451ac2d1c66e4a3a20d1bb345ef76e4ef8c73511ff6c3b9ecf59a3231f09527
conmon-debuginfo-2.0.29-3.rhaos4.9.el8.aarch64.rpm
SHA-256: 668a32576825b4fb7f4d754d7c10e6694baf9ec28eb1259c8c1e6529ec397f36
conmon-debugsource-2.0.29-3.rhaos4.9.el8.aarch64.rpm
SHA-256: 6bcfef91fbb03cffb2e5ea4bf4b0ba4bb07ffa231434fd96478629055cc8b4ce
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm
SHA-256: 637189af16a0a4866a20be2022b49e72a7ec65ad7c31e8d40d703095d1c77968
cri-o-debuginfo-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm
SHA-256: 1d5999fae8989f95e1967a35c636e55bb966dea73cae2fe1a7306e1f35356c7b
cri-o-debugsource-1.22.5-3.rhaos4.9.gitb6d3a87.el8.aarch64.rpm
SHA-256: f353b55a61c90342ec5df5e954e19926567655e001677af27050d6b5ed71ec07
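The SHA-256 values above are only useful if someone checks them. The following Go program is an added example, not Red Hat tooling: it parses the "filename / SHA-256:" pairs in the format used by the package list above and compares a downloaded RPM against the recorded digest. The excerpt embedded in the code is copied from the RHEL 8 x86_64 section of this page; a file that is not in the list is reported as an error rather than a pass, so a renamed or unexpected package cannot slip through.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ParseChecksumList parses lines in the advisory's "filename" / "SHA-256: hex"
// layout and returns a map from RPM file name to expected lowercase digest.
func ParseChecksumList(text string) map[string]string {
	m := make(map[string]string)
	var pending string // last RPM name seen, waiting for its SHA-256 line
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "SHA-256:"):
			if pending != "" {
				m[pending] = strings.ToLower(strings.TrimSpace(strings.TrimPrefix(line, "SHA-256:")))
				pending = ""
			}
		case strings.HasSuffix(line, ".rpm"):
			pending = line
		}
	}
	return m
}

// VerifyRPM hashes the file at path and compares it with the digest recorded
// for its base name. Files absent from the list are an error, never a pass.
func VerifyRPM(path string, expected map[string]string) (bool, error) {
	name := filepath.Base(path)
	want, ok := expected[name]
	if !ok {
		return false, fmt.Errorf("%s is not listed in the advisory", name)
	}
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return false, err
	}
	return hex.EncodeToString(h.Sum(nil)) == want, nil
}

// advisoryExcerpt is copied verbatim from the RHEL 8 x86_64 section above.
const advisoryExcerpt = `x86_64
cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm
SHA-256: 0c8084055bf87cc168402f676b0e661d401b4ad757e3db7fc597dd6410dd512e
conmon-2.0.29-3.rhaos4.9.el8.x86_64.rpm
SHA-256: 9b2cbf963ba78f1d51803958c85b2e23b98fdea8d9ba45d51c29dba843b0773d
`

func main() {
	expected := ParseChecksumList(advisoryExcerpt)
	for _, p := range os.Args[1:] {
		ok, err := VerifyRPM(p, expected)
		switch {
		case err != nil:
			fmt.Printf("%s: ERROR %v\n", p, err)
		case ok:
			fmt.Printf("%s: OK\n", p)
		default:
			fmt.Printf("%s: MISMATCH\n", p)
		}
	}
}
```

Run it as `go run verify.go /path/to/cri-o-1.22.5-3.rhaos4.9.gitb6d3a87.el8.x86_64.rpm`; to cover every architecture, paste the full package list from this page into advisoryExcerpt. Digest verification complements, and does not replace, checking the RPM's GPG signature with `rpm -K`.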
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
### Description

An ExecSync request runs a command in a container and returns the output to the Kubelet. It is used for readiness and liveness probes within a pod. The way CRI-O runs ExecSync commands is through conmon. CRI-O asks conmon to start the process, and conmon writes the output to disk. CRI-O then reads the output and returns it to the Kubelet. If the output of the command is large enough, it is possible to exhaust the memory (or disk usage) of the node. The following deployment is an example YAML file that will output around 8GB of 'A' characters, which would be written to disk by conmon and read by CRI-O.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment100
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        lifecycle:
          postStart:
            exec:
              command: ["/bin/s...
```
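The mechanism described above is a general one: any runtime that reads a command's output with an unbounded read lets the workload decide how much memory the node spends. The Go program below is an added illustration of that failure mode and of the bounded-read shape that avoids it; it is not CRI-O's code or its actual patch, and the exec output source (a reader that emits 'A' forever, standing in for the deployment above) and the 1 MiB limit are constructed for the example. The bounded reader reads at most limit+1 bytes, so it can report truncation without ever holding more than that in memory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrOutputTooLarge signals that the command's output exceeded the cap.
var ErrOutputTooLarge = errors.New("exec output exceeds limit")

// ReadOutputUnbounded is the pattern described above: the whole output is
// slurped into memory, so memory use grows with whatever the container printed.
// Never call this on untrusted output; it is here only to show the contrast.
func ReadOutputUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// ReadOutputBounded reads at most maxBytes of output. It pulls one extra byte
// through a LimitReader so it can tell "exactly maxBytes" from "more than
// maxBytes" and report truncation, while never allocating more than maxBytes+1.
func ReadOutputBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return buf[:maxBytes], ErrOutputTooLarge
	}
	return buf, nil
}

// endlessA is a constructed stand-in for a container whose exec command prints
// 'A' without end, as the deployment above does for roughly 8GB.
type endlessA struct{}

func (endlessA) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

func main() {
	const limit = 1 << 20 // 1 MiB cap, chosen for the example

	out, err := ReadOutputBounded(endlessA{}, limit)
	fmt.Printf("bounded read of endless output: %d bytes, err=%v\n", len(out), err)

	small, err := ReadOutputBounded(bytes.NewReader([]byte("ok\n")), limit)
	fmt.Printf("bounded read of small output: %q, err=%v\n", small, err)
}
```

The same cap has to exist wherever the output is staged, here the file conmon writes to disk, since a bounded read in CRI-O alone would still let the disk fill; the advisory's description names both memory and disk exhaustion for that reason.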