RHSA-2023:1409: Red Hat Security Advisory: OpenShift Container Platform 4.12.9 security update

Synopsis

Moderate: OpenShift Container Platform 4.12.9 security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.12.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.9. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:1408

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

• mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)
The image digest is sha256:96bf74ce789ccb22391deea98e0c5050c41b67cc17defbb38089d32226dba0b8

(For s390x architecture)
The image digest is sha256:3212a1f7b5dd35e6fc1821d6479792d615fe7fb987c9c202b8bba6e310cb8234

(For ppc64le architecture)
The image digest is sha256:82afa12a5c172ef53df9a9bb366c64210fdf164b03b1caf56e0f33ef3f2ad4d4

(For aarch64 architecture)
The image digest is sha256:049dda19feec94ab7767e5426a46c24e40e15f8f6a3471f325bfcdd7977f90bb

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Affected Products

• Red Hat OpenShift Container Platform 4.12 for RHEL 9 x86_64
• Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform for Power 4.12 for RHEL 9 ppc64le
• Red Hat OpenShift Container Platform for Power 4.12 for RHEL 8 ppc64le
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 9 s390x
• Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 8 s390x
• Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 9 aarch64
• Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 8 aarch64

Fixes

• BZ - 1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
• OCPBUGS-10241 - Backport request for 4.12 version - BZ#2116562
• OCPBUGS-10289 - Broken link for Ansible tagging
• OCPBUGS-10318 - node healthz server is missing in ovnk
• OCPBUGS-10372 - Newly provisioned machines unable to join cluster
• OCPBUGS-10490 - 4.12 cleanup: Move checkForStaleOVSInterfaces and related code to node.go
• OCPBUGS-10496 - [release-4.12] Uploading large layers fails with “blob upload invalid”
• OCPBUGS-10497 - aws: mismatch between RHCOS and AWS SDK regions
• OCPBUGS-10505 - 4.1 born cluster fails to scale-up due to podman run missing `–authfile` flag
• OCPBUGS-10514 - Risk cache warming takes too long on channel changes
• OCPBUGS-10587 - Console shows x509 error when requesting token from oauth endpoint
• OCPBUGS-6036 - Project dropdown order is not as smart as project list page order
• OCPBUGS-676 - cluster-machine-approver doesn’t ignore case for CSR hostnames
• OCPBUGS-7445 - MTU migration configuration is cleaned up prematurely while in progress
• OCPBUGS-7469 - GCP XPN should only be available with Tech Preview
• OCPBUGS-7481 - [gcp][CORS-1988] “create manifests” without an existing “install-config.yaml” missing 4 YAML files in “<install dir>/openshift” which leads to “create cluster” failure
• OCPBUGS-7650 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes
• OCPBUGS-7800 - Project Access tab cannot differentiate between users and groups
• OCPBUGS-8014 - add default noProxy config for Azure
• OCPBUGS-8015 - Azure: VIP 168.63.129.16 should be noProxy to all clouds except Public
• OCPBUGS-8339 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail
• OCPBUGS-9927 - Enable node healthz server for ovnk in CNO
• OCPBUGS-2439 - “Failed to open directory, disabling udev device properties” in node-exporter logs

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

aarch64

openshift4/driver-toolkit-rhel8@sha256:ccdb5e3417c1fc62b7cec3e22ade3d7bc52952d4721b1df1d5039a2b41303b4c

openshift4/network-tools-rhel8@sha256:a316872b778970d8eb9a41d7a2464421fa3413bb819da4188755de92999fd33e

openshift4/ose-agent-installer-api-server-rhel8@sha256:fb547f4277d65c118c139e1b306de8fe9f857bd423e89387d1a46408adfd12a7

openshift4/ose-agent-installer-node-agent-rhel8@sha256:b58794e6ea17f47f2284977a38c64261621c9de2fc655347e0e8f56f7b366bb1

openshift4/ose-baremetal-installer-rhel8@sha256:75c7097b9cfb9240ad52191a9d4a7012f1a41d2c5e755d27de4dfff6027c24a7

openshift4/ose-baremetal-rhel8-operator@sha256:87d626cb355352d17bc9e282d7bfaa543beb4235a5c648e4a5dabae1d13cc21f

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:d4bd506304e29c305dc49a0a678985104b1fbd9b0ea594fd54c2288ac918553a

openshift4/ose-cluster-network-operator@sha256:7bf09a62f19cac6a3d2040874a98a2bb3f7fdb530b777a4e5b1533474374ec5f

openshift4/ose-cluster-node-tuning-operator@sha256:779583b74b5cc634af1f5f3df9c3e2d3d8804d65120b0e0d3ecf98c804a2f2b3

openshift4/ose-cluster-storage-operator@sha256:c536aaaf475199a27eb2bbfc3fa8602ce58a60ad727448b996a76efb2ffeaf11

openshift4/ose-cluster-version-operator@sha256:0ec818585b2c5fedff90e1d5444d176baf7777134b3575246c4f947536b49547

openshift4/ose-console@sha256:32554ccdfab83290c5ad851d84b926322dd8c516ff2ba59b6d796f398e0c2432

openshift4/ose-docker-registry@sha256:8904fed95ea7ae8ca2e0e020855774a88fb8277d8809dd8f9143cc8a680de1dc

openshift4/ose-haproxy-router@sha256:d3faec5d72b2ff7589e2fc664124f3374265fdf73d01c22dcd4bce2aa60d0366

openshift4/ose-hypershift-rhel8@sha256:36ab6969bacf8024accc035be0f1f0d339395aa0e0b1e0d0fa17164046497a2b

openshift4/ose-image-customization-controller-rhel8@sha256:1cfec904c94893f1cf21cfebb332c5ca928da163d2b85cade378dba9e5deef6e

openshift4/ose-installer@sha256:8007e3ee6d5040b16edd220f713af8e5df8087d7297da7afa17359f59cafef9b

openshift4/ose-installer-artifacts@sha256:58ea73354af206aad6198d59d377b2c1c590a208af412a2870af2c8e14cf34d7

openshift4/ose-machine-config-operator@sha256:c663345d0aa61f5d6a49516e4c51333a71a07d0d14cd61f3f02d9f1d9b42605c

openshift4/ose-machine-os-images-rhel8@sha256:3b21afa1d9ea9db5f52518ff8a99a171eabf083a8f0892b04f0314107638e555

openshift4/ose-multus-cni@sha256:ff31c280c2dbbd553c8b4798b46dac7c84ccbf11340c5b6218cefca8d2e18d44

openshift4/ose-operator-lifecycle-manager@sha256:aeb73b0c348d1f038186e69a0bc95d67449bc1a2d0103297ca4ac58056e209f3

openshift4/ose-operator-registry@sha256:932f4302e74117f5571c03a4e46687fb4dce3c56abf77f1ce16ce517fb49bb8f

openshift4/ose-ovn-kubernetes@sha256:92496b163d9eb7f93436d03460942f8456271600dfd3138fdbbc4feadc482930

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:a935a0c2afc8376d7e276198666720577cbdeea9e60c26103d75a279227f5284

openshift4/ose-sdn-rhel8@sha256:9219bc72a65f9f9c6736b70f2ac6e5ea7b5fa319b12a3f9a1ec63ef2cb42a176

openshift4/ose-tests@sha256:3f7074a7d28d968e325f064aa40164a9bf04812708323bd10406ad446921ac43

openshift4/ose-tools-rhel8@sha256:6fa71688912c59556b018ee1312431873a15818f6f4615a5950c03dc9dfe789d

ppc64le

openshift4/driver-toolkit-rhel8@sha256:e8152529e313092e46d993d11f7a0170a936ab5fc482a1a4ab809fbb7fecc650

openshift4/network-tools-rhel8@sha256:be0bb04380d3aef1f7d11ed9bf74a319bfe2c362b4e8e3ca69193106232c3485

openshift4/ose-agent-installer-api-server-rhel8@sha256:e48d750744911f12b7f1392a07080f388e0b2d93250d37bd697b866d7f566742

openshift4/ose-agent-installer-node-agent-rhel8@sha256:c8dbc4e2d9302a4b224f9899eb22b19d47a22f88c798e613ac89c18c901432c8

openshift4/ose-baremetal-installer-rhel8@sha256:fc2ae834a1183dcc691cf035f5283bba7b491e274cf41f9da6eb0288aefd8554

openshift4/ose-baremetal-rhel8-operator@sha256:b729986b91a05c8cbc8756b0bd5c8c75907da240490b066bfd5d953d72b862a2

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:e288e6b9bf3268953dce40f455b6b0828a4b4026dc6e515d915db7a9afdc771c

openshift4/ose-cluster-network-operator@sha256:06472af566439230b598baa2603000b06093ee7302d4f2d0b3549754b9ab5fe5

openshift4/ose-cluster-node-tuning-operator@sha256:2622f3189aeb68f2c0437215fcc0f8a6646559f404803be0e458a68c442f8299

openshift4/ose-cluster-storage-operator@sha256:6263095875bff6ecc20b6b3be0e3c8f63132417718cfe0e5e2c43ed194deaead

openshift4/ose-cluster-version-operator@sha256:be8864afede0d94ce514c4e28fa075cfc96ca6d14c99904190d06dd564c5deb9

openshift4/ose-console@sha256:fd6b64f0d73c6eac9f2866b312513b7aed84aab20dd301fcabdda5296efaa4c9

openshift4/ose-csi-driver-manila-rhel8-operator@sha256:d577b843a37e21bac221796e7201b116d84620c05ab3da523512e576bfc7016b

openshift4/ose-docker-registry@sha256:f7bdf11b7f56f1f0d1dfef0c8c01f1ba14bb0caf2af9f0f440dcc9db13467924

openshift4/ose-haproxy-router@sha256:cb42368042598936a40dac9726f47df616496cbf9b20fe9c114596e0f111a4cc

openshift4/ose-hypershift-rhel8@sha256:85bb0aa814ada05e4417b36265365b48be0d7fca90adce88d9f23e816db026b3

openshift4/ose-installer@sha256:d5aa711d7ffb989946ce089e551557783255c2c1f84b307176ead384e34751d9

openshift4/ose-installer-artifacts@sha256:a3dbf667c49dd15c8bdefa8020354a538ab0957e5d0c4e5a87984e7fa246026a

openshift4/ose-kuryr-cni-rhel8@sha256:9d6f8fd618f44c4e20dc558040fba2e1295b8e5a4a6d3acc7351daa215d7212f

openshift4/ose-kuryr-controller-rhel8@sha256:0f14c0645a9826bb516d0b3cc06264121bd0eaad9f5d9e299086d1edf9f4e9d9

openshift4/ose-machine-config-operator@sha256:a3cb5ffb6f1cc254b1b75684733e9cd53b24c8285271745fe43b2a99b71e22c7

openshift4/ose-machine-os-images-rhel8@sha256:91725f3009467492bea068ac849510f79dac0ba4b128afe96fd212c82301fec9

openshift4/ose-multus-cni@sha256:7bb2a4be20eb032b9d8df1812ede24e44ff8d3ef592250d92288e01a5ebaa344

openshift4/ose-operator-lifecycle-manager@sha256:3c70037dc2f28ea52e2f0537aa8de8e9dc67722ce34dff40d9667fa9b4b35d27

openshift4/ose-operator-registry@sha256:200b185d1d2c5b23116de9771b1c303e1e1f000f134743483de19bb1d3e4784b

openshift4/ose-ovn-kubernetes@sha256:74e44ebfdd90575e82949fd5a7cba2f7f9777afff901fa3208f591e33c2bd9c3

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:f70127d1e54755415c8332a97138d5b9bdb760aafed9c917d7612d959c172d07

openshift4/ose-sdn-rhel8@sha256:12d7ff9451631f748a89fb3dede560e2fdc1c470ca187ab52866d4b5eb53b196

openshift4/ose-tests@sha256:9f469ead739cd01ee5cf9567de8cf09607c614cc215b75f52611cc81dbc955af

openshift4/ose-tools-rhel8@sha256:a6d11034b54d6afc182cc842ffced42fcd56aa52acd4adca36eb1c61c54934ed

s390x

openshift4/driver-toolkit-rhel8@sha256:685b0c6da28f96f444f9328f4fc9d4ecbf8e766501bb503b65fe0717a1f7695d

openshift4/network-tools-rhel8@sha256:b5cde9867e8daa8001617712277dd2f23f61b6fb893288d840a39d787885a535

openshift4/ose-agent-installer-api-server-rhel8@sha256:695afedef52b9862838aa90a8375dbfa992a6ede922ba8bf6b5a6dadaa9c6597

openshift4/ose-agent-installer-node-agent-rhel8@sha256:075180fac89ab5e6da473a6dab18081a5a2dd0c5e52f86c66838b9ac2eaac2d5

openshift4/ose-baremetal-installer-rhel8@sha256:8c06fbeba942283e1ade75740872b6cc16793e6bc1386f7b232ef79c7188a033

openshift4/ose-baremetal-rhel8-operator@sha256:83b01ed020dc993861a93ee2bcf1c1ccdb7c5f92cd7d732918a7d77efbcdc5d4

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:134085b0d59cf9c68aa7b7abd17c133e34c768ab0401dc2504ef49a6b51771f8

openshift4/ose-cluster-network-operator@sha256:ec8608aa32a9ea8d42aa8091384a62d8cae3ee8aad45a632bfb6d0ffc54cc55b

openshift4/ose-cluster-node-tuning-operator@sha256:d2168cd2632c2b0bdeeeba66d49f616c6c0e84b2c8c121f474cfa07fa5906bca

openshift4/ose-cluster-storage-operator@sha256:e131af8464072ba65e606f1a92bf87e830460029e4431017fe1b1ee20e5580ca

openshift4/ose-cluster-version-operator@sha256:fae709d85a7311226406726ff31726ed095e661163960b84effdd05bb6d0a298

openshift4/ose-console@sha256:01679c3304b9b686fdd6ad8f5dad08c213f4961a6c0415177ff85a19d5599785

openshift4/ose-docker-registry@sha256:d10ddfe03182a6e90cee2b6bb11f945f5b2388165296902e112bf3383fc24829

openshift4/ose-haproxy-router@sha256:378da9a5fdc1ce7d9207f0e9711e3935b353a3ede2c932d64e88fa6fa7d79f0d

openshift4/ose-hypershift-rhel8@sha256:0cbbde6ec266a459a6137861162bea0457184d9bfb7c6dc18e4e24df5c573c65

openshift4/ose-installer@sha256:e8e99fa943adc40f75be36967e2164c622e25885742411df52760c82610657f2

openshift4/ose-installer-artifacts@sha256:25964763fa9495cd96af1a0ff8ad39147d8e6ec436a29c4e6be95351568ebf3e

openshift4/ose-machine-config-operator@sha256:bb0da7dafbea037649869968b3475d83ec5948846fa02e7d123f9c56602a7a23

openshift4/ose-multus-cni@sha256:ab901d001547efea2b627f3c649b301e9d04190257ca64eae82e39dd7201ec8d

openshift4/ose-operator-lifecycle-manager@sha256:45d98b7167ab36b15051f1b1130dbc7abb557b49715db9d5d38f854b8df402cf

openshift4/ose-operator-registry@sha256:e48cf985b0b6333b8ea165ec1b4b6e5e6283363e5c238fe962b9ddcf46e1ce8f

openshift4/ose-ovn-kubernetes@sha256:94c733a56917fec70f0fc82e03de72f82634b8f8d49a55033ccd5a8afddae781

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:fcd7fef17f8b8579f548a75a9afb8b1234a6919493569679a9278b45ea6a0013

openshift4/ose-sdn-rhel8@sha256:3ed9b31220da7d1eebe864915d623670e23b6e842662f501037b2a992747f3c6

openshift4/ose-tests@sha256:8febb134515e2337334e3c049b54e2ced077cb721bfe4107934185740d32cc35

openshift4/ose-tools-rhel8@sha256:604dc570f40a8d0dccba4e4683ed5c9b1c359bf07625c16a7f47482915e4acd6

x86_64

openshift4/driver-toolkit-rhel8@sha256:f99b9459e6df9ea63728701cf20c75a4b910ecec7fb6fc726bcbbacf24104c96

openshift4/network-tools-rhel8@sha256:fd68e9ff6552e17155730e6e67f2b96a527e2018ff9f8191d17b324fdfa79bdf

openshift4/ose-agent-installer-api-server-rhel8@sha256:a271abfcc0dfa79344edb6accc02e3e9d45a51275b14b82139e969151c35b349

openshift4/ose-agent-installer-node-agent-rhel8@sha256:4d80fc6c740b3a7e5601bca57b6e83c64a36d235655a832d54137924e522433e

openshift4/ose-baremetal-installer-rhel8@sha256:62e9884bdbcafbcea5cd6b4d8afd988acd946cb7d5321bb417f8854c28ed3de5

openshift4/ose-baremetal-rhel8-operator@sha256:bd650a9ad784ee53bada9b2cc8d3c70cba0b9bdf9cc8935f83e8df3bf158fe22

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:acc858a82698dc0010b8b0e8088df9aba42c2900040e6d168a7d0c44fa03dd77

openshift4/ose-cluster-network-operator@sha256:c70a4c8a29b3d54e3044d4453a165e1bdd5984cfa0ceadf4864c224999f66db7

openshift4/ose-cluster-node-tuning-operator@sha256:7c63fdade857b6dc5e490037a4bab0904279eea097414e67992e5623eff2591d

openshift4/ose-cluster-storage-operator@sha256:ef543e770dc8eaa90e52a5c5025af9f5c71281acddd6718993cbf73f33e9975d

openshift4/ose-cluster-version-operator@sha256:bd361acb2323998583ed1f3448ebbfac89e7c90e7018412f1f07c57549aba2c4

openshift4/ose-console@sha256:eee0819e9e50f625919a7f610d8575f4d8269c85feec436d17606b84f2b9015b

openshift4/ose-csi-driver-manila-rhel8-operator@sha256:7bcb04e13f6c99666c815fddfda56947c962285b26f4b5befa1f462afc265bc3

openshift4/ose-docker-registry@sha256:2bda26570df5a3951b9ee01cbfef29b447eb284de679e4593d60a3fe5baf08d8

openshift4/ose-haproxy-router@sha256:01f84a78de43f2e932738b2924e0af49728f8ac362521179542952f98d62ea12

openshift4/ose-hypershift-rhel8@sha256:1d38d0364851311fc431e7d5ab0d5d575fb1621e27c667d7cc3ccc967cd5e8da

openshift4/ose-image-customization-controller-rhel8@sha256:7ba5330ba2fee0827a1ad4b1fe0a213e2b413ee0794a37a23ec52bbbe571d575

openshift4/ose-installer@sha256:8d9f83d4228e746719250c5d53dad5884c8392db0a6e7cda0dad9761c332deda

openshift4/ose-installer-artifacts@sha256:d1d409400b5b10dbf5cea1a1bf8a8f265fc4a4d77e60654f244b8fd1bfb6ce68

openshift4/ose-kuryr-cni-rhel8@sha256:1bc0a85ec7eddb7f77e888bd29291ca9c3d44644edb21a38d2b97ff1524f69bb

openshift4/ose-kuryr-controller-rhel8@sha256:31733faed062bc6bf3e04e30a451659ba1cc7b28700f5bb9939788317a148cb7

openshift4/ose-machine-config-operator@sha256:b9f9153f7f265cfa068c202b9f5236ebf9dd6f116b8b0488716eb0ddd0c0bf5a

openshift4/ose-machine-os-images-rhel8@sha256:052130abddf741195b6753888cf8a00757dedeb7010f7d4dcc4b842b5bc705f6

openshift4/ose-multus-cni@sha256:5c001a354831172b22393264c90380247bda648099bfc26f6244d2e273564bcc

openshift4/ose-operator-lifecycle-manager@sha256:520ee9b70d2bffc0c95229879f5a06c5996174c6c435cc05790b2f9cb6723b21

openshift4/ose-operator-registry@sha256:6b8eaf6b6a373d83fb87e5b1723ac13487939b23d3ec8f2bda5894b3f9202989

openshift4/ose-ovn-kubernetes@sha256:23b50a1254073267622b15bfce3e0052eecb09d9bc637b8d35419db0316b9db3

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:3f37d7dbecd25a686aeaf5ae34e1775d2e54114edc294cb6922dac90381042b7

openshift4/ose-sdn-rhel8@sha256:9b54b897c1648e25fc40896f260ba6a6bbc9444200ed957a1503755ed56c7d37

openshift4/ose-tests@sha256:e75f97d3715d60c81ff8cdecbac7df2201a14023bd6c7e4ed1b68e545e0615ba

openshift4/ose-tools-rhel8@sha256:52bae04b3fb721ff53a5447515494d18a6db6ac1a4aed693d9bb99d0173ba15c