
RHSA-2023:5390: Red Hat Security Advisory: OpenShift Container Platform 4.12.36 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.36 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-2253: A flaw was found in the /v2/_catalog endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n). This vulnerability allows a malicious user to submit an unreasonably large value for n, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Red Hat Security Data

Issued: 2023-10-04

Updated: 2023-10-04

RHSA-2023:5390 - Security Advisory

  • Overview
  • Updated Images

Synopsis

Moderate: OpenShift Container Platform 4.12.36 bug fix and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.12.36 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.36. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:5392

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

  • distribution/distribution: DoS from malicious API request (CVE-2023-2253)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The image digests (sha256) for the release are:

  • x86_64: sha256:38ccab25d5895a216a465a9f297541fbbebe7aa115fdaa9f2015c8d5a5d036eb
  • s390x: sha256:91e9a38e4333cac73c9320a713247d6652017081cd573f892dae2a866142de45
  • ppc64le: sha256:674a2972728709445f1bf008d0b8740f3b7c3d7f5781f8a4235b11d47779038e
  • aarch64: sha256:e515ccfd4923cfb91b54fad78835338ec99ec204544d53691f81a92bfdd6f9f4

Affected Products

  • Red Hat OpenShift Container Platform 4.12 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.12 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.12 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.12 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.12 for RHEL 8 aarch64

Fixes

  • BZ - 2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request
  • OCPBUGS-10992 - SCOS bootstrap should skip pivot when root is not writable
  • OCPBUGS-16376 - Avoid retry of Network Policy event
  • OCPBUGS-19045 - Web console slowness on Project>Project access page
  • OCPBUGS-19405 - [release-4.12] Extend workload-info gatherer to collect image repository info
  • OCPBUGS-19511 - 4.12: Upgrade blocked: csi-snapshot-controller fails with read-only filesystem
  • OCPBUGS-19557 - CBO crashes if internal IP is nil
  • OCPBUGS-19770 - After Adding the FIP to existing Node, The CSR get generated, It should be approved automatically.

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

aarch64

openshift4/network-tools-rhel8@sha256:a5054b6d031832c329471ebb8bbbe1ffd8ea689edd7f2a17a46bee2f34cdc3c5

openshift4/ose-apiserver-network-proxy-rhel8@sha256:ca0860d0e5102ada3d6b80f93b9d3d8407af9503efc1783f97a3b3abfbfd3d0f

openshift4/ose-baremetal-installer-rhel8@sha256:448bad1a0046eea977f0c0220440f97b0af41d4e3543408756fd51cbb6a209b2

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:69459974e98aff4d0d274fbd9ff80ab1d811626088569e6a495d0aa9bd2fff45

openshift4/ose-cluster-node-tuning-operator@sha256:47bb7f1af29aa508bb8f4a1e8e6b9d57a5083009b863ce72f91f34852ae71336

openshift4/ose-console@sha256:8b627bbe762ad1eb6692617f8872b054350ba9113a704d406511cf0c07bab9a2

openshift4/ose-docker-registry@sha256:0bec5d225aa6db33b1d489a5501ceeaf1fdee10bebe24629b448bfcb7eb3590f

openshift4/ose-hypershift-rhel8@sha256:ba16a27877009816f49a51bdfabfffd99c6a6468941afbdd8ff59f0a49a9db35

openshift4/ose-insights-rhel8-operator@sha256:530ea5bb9a36691c3aea3cb8894c7dc10fbd7c365a3c758c8c117bd15efa8ef3

openshift4/ose-installer@sha256:73da55da55f56ede347a11a9d1c540e3cbaa100bb010508d696ac7ee01f24e4b

openshift4/ose-installer-artifacts@sha256:b4bfbfbe4562d4b41381dd79156113ad51b62728b0a464f92694a0ee0e69db41

openshift4/ose-machine-api-provider-openstack-rhel8@sha256:cb8f32e23089128f9c948c25f6cbfb687037a22e193a122f79900d8b3f0fbfa0

openshift4/ose-machine-config-operator@sha256:308cc282d5454cc514495d6fbed5c22e7a494e2a797b8b7edf8ce33af5c3c428

openshift4/ose-machine-os-images-rhel8@sha256:105b6d28c37b438caf395608238e757e0e358cf7e6460087589be336c814c5fa

openshift4/ose-ovn-kubernetes@sha256:92e36c487bff9421903beb6c9294ab90a17c03c8cac2b745c29c46353b4ad4c3

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:ce07dfe330463cf11d6e34eb86dde1fa35972a61fa9909018e4fa0b8a4f1e28c

ppc64le

openshift4/network-tools-rhel8@sha256:1b2c5e4c252f6c9709699777bfdc8ea6b10f5c4cb13d711c7424a4ec6303942f

openshift4/ose-apiserver-network-proxy-rhel8@sha256:96307d84eaace7b125ffbbe652f5a0640812f2262aaf83a90357d8994fc07081

openshift4/ose-baremetal-installer-rhel8@sha256:0087e8c4497a1805101681025f4042fe86f496196ccbb49547b6135d37fa8b32

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:aebe52b19d2a258fe5ad6667bb3f2ab1618a8d33b7ae07a39d4866f798458049

openshift4/ose-cluster-node-tuning-operator@sha256:fe6708612bee0120f08eb034c765456fb522ce861fcc963189633691c04ebfb6

openshift4/ose-console@sha256:1b50c97caa6e3d3ea3a838f6dc43c3ce2c6f3d28d257133ac57c56aad1f37968

openshift4/ose-docker-registry@sha256:d1ad5a735b4b7fc506da3d6dde93ca714d51cfd6231cca260f7f8d8faf433077

openshift4/ose-hypershift-rhel8@sha256:55e3dd78ad4455463a502050e0947f3ff2b0f815136e985895b25c0a2ecd5464

openshift4/ose-insights-rhel8-operator@sha256:b3e8b64396a90e5513fe82a80a3b3ff303336cc50455ec793e0258f7bedee619

openshift4/ose-installer@sha256:0028f4a966bfa296779e6aa6431a47f8c34397e4de21c67384c0510417261e76

openshift4/ose-installer-artifacts@sha256:4993b8762828d74c0980ab96baed60f966551dd26c791a8165d2dac69c8fc923

openshift4/ose-kuryr-cni-rhel8@sha256:0d35eeda03c2c54a68db9e157755c3fa4f87a58433bfd14f75d6dbb9a4bc1cdc

openshift4/ose-kuryr-controller-rhel8@sha256:192d39afb0c83169c9241e9ad76a3f3abf2369a417846f1e02a30f08a9bd7a3a

openshift4/ose-machine-api-provider-openstack-rhel8@sha256:b4eea4d528e39cf46d21dd3d6304c0e78df82fc3c44904f5abab30302a9cb5d5

openshift4/ose-machine-config-operator@sha256:5d99730bae5fc5128c33c64e24f665cd06706caf747b17ca91849ddaa5f172a1

openshift4/ose-machine-os-images-rhel8@sha256:a6e6d78c37370b9319034608a836694821f1cf8c00a176169e70b9d61a082846

openshift4/ose-ovn-kubernetes@sha256:eedfbd7464e8c47ac0b2ab328e6b017077e28aa0db22a6b297e997f47a23fc3e

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:32ce8a90295446cca4bd3fef5bfe6f451f8bd84b93a00d869179eef3e550d84a

s390x

openshift4/network-tools-rhel8@sha256:35842b4338bd67a0dca0435204388f363469bd5fa97bbd1f8087199bbb5de1b5

openshift4/ose-apiserver-network-proxy-rhel8@sha256:b5831b3bb6ff5e91b83acf0fb51d1b25582d84a6b890d30a809a7aa7209a5d58

openshift4/ose-baremetal-installer-rhel8@sha256:c538c9de9f4940cc4b161617a3568fd2a146c452135d8175cfc99041bbdf4978

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:317cf16b81a1eb0e536b217d7fbf08449ede5628e4848ca8e8525baeb420224d

openshift4/ose-cluster-node-tuning-operator@sha256:f703a4faded3c7eae3dcd32752cd6e1600092cf2bf2ad73998b216dd597f08e2

openshift4/ose-console@sha256:2cd0daa224aec631ea258229e8362e3f82754e44632daa7e75870cb1c6f27f6f

openshift4/ose-docker-registry@sha256:77ae3147e62bce3e8e7f58478128abb4ee8c47c3501661eb4d1acf59bb53c8fe

openshift4/ose-hypershift-rhel8@sha256:d54c7ebc52e144814922f49dc27471215ac29972aac180c28819da3bb0b93f51

openshift4/ose-insights-rhel8-operator@sha256:02ab568cef37622d999efa28e38e7c59580bdf92a46bbaaeb821a3a5dcaf96ed

openshift4/ose-installer@sha256:6578789272ce81a777350fddf54f20d2063ae859985ef2f9374d67882371c5b2

openshift4/ose-installer-artifacts@sha256:f69e95be4ec161eb6f495c09b78ada8c81c6b1dbf4eb0f4f346b7b99e2c49766

openshift4/ose-machine-api-provider-openstack-rhel8@sha256:45c48778a27bcd866b6ce189b9d5f3ca508d933ec68f01580913960e151a2a40

openshift4/ose-machine-config-operator@sha256:3eedfb0833a57318c38d8f4216d4c50df54dfb463d89e35a394b4813689e7a11

openshift4/ose-ovn-kubernetes@sha256:edaa5fc7a54cabe8fce6823032dec74e785914cc2c6c3a4fed0c1bd4f3611a94

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:a04b87ba2f0c537fdc846782da5c2b2a85ce4b72b1fdf126e347b7f17b02e7b9

x86_64

openshift4/network-tools-rhel8@sha256:1ef20449dc6fcf5b2a2bdb38afb523a2d82e6f1bed703fde2a196d9ea5df903d

openshift4/ose-apiserver-network-proxy-rhel8@sha256:5b26090a6ffad17ddbe25458dc2c0dd0e60235569537011721a406186c402f01

openshift4/ose-baremetal-installer-rhel8@sha256:16716642f603d194b2876f317a132138d26a7ee0afb498cfee6b7a344f76cf7a

openshift4/ose-cluster-baremetal-operator-rhel8@sha256:e36eecb1d894adaef0f2583609790a6b9e4e17e47dc43ed37351dc38d60d7bb4

openshift4/ose-cluster-node-tuning-operator@sha256:6721182ba2688ed8b79fade985a010ed6b56ea10cb3a7d9b4bda291ca810baac

openshift4/ose-console@sha256:28179971d52cd09388c40c6ad0d1f1442470d26ce8a5e28a71f82903457eea73

openshift4/ose-docker-registry@sha256:90a8c254437063837077fb8e8bc06a4af25da9397211b52a91ae8bb6d554a1d9

openshift4/ose-hypershift-rhel8@sha256:5d610746b61c954dc58bbcff8069d669febe86292f8fdc9e93f4150e55b1cfa8

openshift4/ose-insights-rhel8-operator@sha256:b164df0434429bed1e44ade80bd39689b2871aad615bed515f36ddb3e46f8f5c

openshift4/ose-installer@sha256:256671e9350ae4168e35df1ae34f72b88f7a5a8cfc84e295ed8d6f042a94fe9d

openshift4/ose-installer-artifacts@sha256:97ded3d08e00bfe4e45419fa47dc502545f5ffaaf5e544a23681e920f618083f

openshift4/ose-kuryr-cni-rhel8@sha256:18b9294f09c03fc3112dc391a01f0b7e97738520a9016046a4197b819553c8d2

openshift4/ose-kuryr-controller-rhel8@sha256:26b04e63415afea0142fa1aaa6f325f89be16a072bfda271c5b3d42b2f9f52a9

openshift4/ose-machine-api-provider-openstack-rhel8@sha256:9cab97735315251aa36f7c8189217a8b397f9fb8da70822dd0b99b34dfdf0bc5

openshift4/ose-machine-config-operator@sha256:a5031a63f8ccf9c22d0e3afc50f402fbff1b2a0ec73cde4ebd976e1b92733223

openshift4/ose-machine-os-images-rhel8@sha256:05f477b1087594ad40ca8f301032f195ba5724c452b5f64ab19a335ddb95fde6

openshift4/ose-ovn-kubernetes@sha256:4624d41a76c02b0da3b4ff22f0d6655c5f37df44a7d7ce1ec1b52b564295fb16

openshift4/ose-ovn-kubernetes-microshift-rhel8@sha256:70f43ad9fd90d77a6bb32e1a503a47134fe5df348037ed8a9b519790cf39600b

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-5390-01

Red Hat Security Advisory 2023-5390-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.36. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5314-01

Red Hat Security Advisory 2023-5314-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

RHSA-2023:5314: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.6 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability. * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream cou...

Red Hat Security Advisory 2023-5155-01

Red Hat Security Advisory 2023-5155-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.13. Issues addressed include a denial of service vulnerability.

RHSA-2023:5155: Red Hat Security Advisory: [impact]: OpenShift Container Platform 4.13.13 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.13 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-2253: A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vul...

Ubuntu Security Notice USN-6336-1

Ubuntu Security Notice 6336-1 - It was discovered that Docker Registry incorrectly handled certain crafted input. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. It was discovered that Docker Registry incorrectly handled certain crafted input. An attacker could possibly use this issue to cause a denial of service.

Red Hat Security Advisory 2023-4091-01

Red Hat Security Advisory 2023-4091-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.

RHSA-2023:4091: Red Hat Security Advisory: OpenShift Container Platform 4.13.5 security update

Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...

CVE-2023-2253: Invalid Bug ID

A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Debian Security Advisory 5414-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

GHSA-hqxw-f8mx-cpmw: distribution catalog API endpoint can lead to OOM via malicious user input

### Impact

Systems that run `distribution` built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious `/v2/_catalog` API endpoint request.

### Patches

Upgrade to at least 2.8.2-beta.1 if you are running `v2.8.x` release. If you use the code from the main branch, update at least to the commit after [f55a6552b006a381d9167e328808565dd2bf77dc](https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc).

### Workarounds

There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.

### References

`/v2/_catalog` endpoint accepts a parameter to control the maximum amount of records returned (query string: `n`). When not given the default `n=100` is used. The server trusts that `n` has an acceptable value, however when using a maliciously large value, it allocates an array/slice of `n` of strings before fi...
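The CVE-2023-2253 entry above and the GHSA text describe the same defect: the catalog handler trusts the client-supplied `n` and sizes an allocation by it. The following is an added Go example, not code from distribution/distribution or from this advisory, that places the trusting parser beside a hardened one and shows a handler whose buffer capacity is bounded by the data that actually exists rather than by `n`. The repository list, the `maxEntries` cap of 1000 and the function names are assumptions; the only value taken from the page is the default of `n=100`. The unchecked parser is kept only to make the trust boundary visible; the example never performs the oversized allocation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strconv"
)

// Constructed sample catalog standing in for the registry's storage
// backend; it is not distribution/distribution's own code.
var repositories = []string{"team/app", "team/db", "team/web"}

const (
	defaultEntries = 100  // default page size stated in the advisory text (n=100)
	maxEntries     = 1000 // assumed upper bound; the real project's cap may differ
)

// pageSizeUnchecked mirrors the flaw described in CVE-2023-2253: whatever
// integer the client sends in ?n= is accepted and would later be used
// directly as an allocation size.
func pageSizeUnchecked(raw string) (int, error) {
	if raw == "" {
		return defaultEntries, nil
	}
	return strconv.Atoi(raw)
}

// pageSizeClamped is the hardened form: non-integers and negatives are
// rejected, and anything above maxEntries is capped, so the client can no
// longer dictate how much memory the server reserves.
func pageSizeClamped(raw string) (int, error) {
	if raw == "" {
		return defaultEntries, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, errors.New("n must be a non-negative integer")
	}
	if n > maxEntries {
		n = maxEntries
	}
	return n, nil
}

// buildCatalog returns up to n repository names sorting after the cursor
// `last`, plus the cursor for the next page ("" when the listing is done).
// The slice capacity is bounded by the entries that exist, never by n alone.
func buildCatalog(n int, last string) ([]string, string) {
	sorted := append([]string(nil), repositories...)
	sort.Strings(sorted)
	start := sort.SearchStrings(sorted, last)
	if start < len(sorted) && sorted[start] == last {
		start++ // cursor names the last entry already returned
	}
	end := start + n
	if end > len(sorted) {
		end = len(sorted)
	}
	page := make([]string, 0, end-start)
	page = append(page, sorted[start:end]...)
	next := ""
	if end < len(sorted) && len(page) > 0 {
		next = page[len(page)-1]
	}
	return page, next
}

// catalogHandler serves GET /v2/_catalog using the hardened page-size check.
func catalogHandler(w http.ResponseWriter, r *http.Request) {
	n, err := pageSizeClamped(r.URL.Query().Get("n"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	page, next := buildCatalog(n, r.URL.Query().Get("last"))
	if next != "" {
		w.Header().Set("Link", fmt.Sprintf(`</v2/_catalog?n=%d&last=%s>; rel="next"`, n, next))
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string][]string{"repositories": page})
}

// catalogStatus sends one request to the handler in-process and returns the HTTP status.
func catalogStatus(query string) int {
	rec := httptest.NewRecorder()
	catalogHandler(rec, httptest.NewRequest(http.MethodGet, "/v2/_catalog"+query, nil))
	return rec.Code
}

func main() {
	fmt.Println("status for n=1000000000:", catalogStatus("?n=1000000000")) // 200, size capped
	fmt.Println("status for n=abc:", catalogStatus("?n=abc"))               // 400
}
```

The clamp is the detection point as well as the mitigation: a request whose `n` exceeds the cap is worth logging, since nothing legitimate paginates a registry catalog a billion entries at a time, and the GHSA's advice to restrict access to `/v2/_catalog` remains the right complement on registries where that endpoint is not needed by ordinary clients.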