RHSA-2023:1646: Red Hat Security Advisory: OpenShift Container Platform 4.12.11 security update

Red Hat OpenShift Container Platform release 4.12.11 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-23524: A flaw was found in Helm, a tool for managing Charts, which are pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption. Input to functions in the strvals package could cause a stack overflow that is unrecoverable by Go. Applications that use functions from the strvals package in the Helm SDK may suffer a denial of service.
  • CVE-2022-23525: A flaw was found in Helm. Applications that use the repo package in Helm SDK to parse an index file may suffer a denial of service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic.
  • CVE-2022-23526: A flaw was found in Helm, a tool for managing Charts, which are pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that could cause a segmentation violation. The chartutil package contains a parser that loads JSON Schema validation files into structures Go can work with. Some schema files can cause array data structures to be created, causing a memory violation. Applications that use the chartutil package in the Helm SDK to parse schema files may suffer a denial of service.
Red Hat Security Data

Issued: 2023-04-11

Updated: 2023-04-11

RHSA-2023:1646 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 4.12.11 security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.12.11 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.11. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:1645

Security Fix(es):

  • helm: Denial of service through string value parsing (CVE-2022-23524)
  • helm: Denial of service through repository index file (CVE-2022-23525)
  • helm: Denial of service through schema file (CVE-2022-23526)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.12 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.12 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.12 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 8 aarch64

Fixes

  • BZ - 2154196 - CVE-2022-23526 helm: Denial of service through schema file
  • BZ - 2154200 - CVE-2022-23524 helm: Denial of service through string value parsing
  • BZ - 2154202 - CVE-2022-23525 helm: Denial of service through repository index file

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-1326-01

Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

Red Hat Security Advisory 2023-1646-01

Red Hat Security Advisory 2023-1646-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.11. Issues addressed include a denial of service vulnerability.

CVE-2022-23526: Denial of service through schema file

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions...

CVE-2022-23524: Denial of service through string value parsing

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

CVE-2022-23525: Merge pull request from GHSA-53c4-hhmh-vw5q · helm/helm@638ebff

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before pa...

GHSA-67fx-wx78-jx33: Helm vulnerable to denial of service through schema file

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _chartutil_ package that can cause a segmentation violation. Applications that use functions from the _chartutil_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact: The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with a schema file that causes a memory violation panic. Helm is not a long running service so the pani...

GHSA-53c4-hhmh-vw5q: Helm vulnerable to denial of service through repository index file

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _repo_ package that can cause a segmentation violation. Applications that use functions from the _repo_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact: The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will no...

GHSA-6rx9-889q-vv2r: Helm vulnerable to denial of service through string value parsing

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _strvals_ package that can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact: The _strvals_ package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like `--set`, `--set-string`, and others that enable the user to pass in strings that are merged into the values. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing a stack overflow. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `...