[RHSA-2022:6103-01] Moderate: OpenShift Container Platform 4.11.1 bug fix and security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Tue Aug 23 18:07:50 UTC 2022 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.1 bug fix and security update
Advisory ID:       RHSA-2022:6103-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6103
Issue date:        2022-08-23
CVE Names:         CVE-2022-1012 CVE-2022-1292 CVE-2022-1586 
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-30629 
                   CVE-2022-30631 CVE-2022-32250 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.1 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.11.1. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2022:6102

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.1-x86_64

The image digest is
sha256:97410a5db655a9d3017b735c2c0747c849d09ff551765e49d5272b80c024a844

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.1-s390x

The image digest is
sha256:13734de7e796e46f5403ef9ee918be88c12fdc9b73acb8777e0cc7c56a276794

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.1-ppc64le

The image digest is
sha256:d0019b6b8b32cc9fea06562e6ce175086fa7de7b2b7dce171a8ac1a57f92f10b

(For aarch64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.1-aarch64

The image digest is
sha256:3394a79e173ac17bc96a7256665701d3d7e2a95535a12f2ceb19ceb41dcd6b79

All OpenShift Container Platform 4.11 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2033256 - openshift-installer intermittent failure on AWS with "Error: Provider produced inconsistent result after apply" when creating the module.vpc.aws_route_table.private_routes resource
2040715 - post 1.23 rebase: regression in service-load balancer reliability
2063622 - Failed to install the podman package from repo rhocp-4.10-for-rhel-8-x86_64-rpms
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2102576 - [4.11] [Cluster storage Operator] DefaultStorageClassController report fake message "No default StorageClass for this platform" on azure and openstack
2103638 - No need to pass to-image-base for `oc adm release new` command when use --from-release
2103899 - [OVN] bonding fails after active-backup fail-over and reboot,  kargs static IP
2104386 - OVS-Configure doesn't iterate connection names containing spaces correctly
2104435 - [dpu-network-operator] Updating images to be consistent with ART
2104510 - Update ose-machine-config-operator images to be consistent with ART
2104687 - MCP upgrades can stall waiting for master node reboots since MCC no longer gets drained
2105056 - Openshift-Ansible RHEL 8 CI update
2105444 - [OVN] Node to service traffic is blocked if service is "internalTrafficPolicy: Local" even backed pod is on the same node
2106772 - openshift4/ose-operator-registry image is vulnerable to multiple CVEs
2106795 - crio umask sometimes set to 0000
2107003 - The bash completion doesn't work for get subcommand
2107045 - OLM updates namespace labels even if they haven't changed
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107777 - Pipeline status filter and status colors doesn't work correctly with non-english languages
2107871 - Import: Advanced option sentence is splited into two parts and headlines has no padding
2108021 - Machine Controller stuck with Terminated Instances while Provisioning on AWS
2109052 - Add to application dropdown options are not visible on application-grouping sidebar action dropdown.
2109205 - HTTPS_PROXY ENV missing in some CSI driver operators
2109270 - Kube controllers crash when nodes are shut off in OpenStack
2109489 - Reply to arp requests on interfaces with no ip
2109709 - Namespace value is missing on the list when selecting "All namespaces" for operators
2109731 - alertmanager-main pods failing to start due to startupprobe timeout
2109866 - Cannot delete a Machine if a VM got stuck in ERROR
2109977 - storageclass should not be created for unsupported vsphere version
2110482 - [vsphere] failed to create cluster if datacenter is embedded in a Folder
2110723 - openshift-tests: allow -f to match tests for any test suite
2110737 - Master node in SchedulingDisabled after upgrade from 4.10.24 -> 4.11.0-rc.4
2111037 - Affinity rule created in console deployment for single-replica infrastructure
2111347 - dummy bug for 4.10.z bz2111335
2111471 - Node internal DNS address is not set for machine
2111475 - Fetch internal IPs of vms from dhcp server
2111587 - [4.11] Export OVS metrics
2111619 - Pods are unable to reach clusterIP services, ovn-controller isn't installing the group mod flows correctly
2111992 - OpenShift controller manager needs permissions to get/create/update leases for leader election
2112297 - bond-cni: Backport "mac duplicates" 4.11
2112353 - lifecycle.posStart hook does not have network connectivity.
2112908 - Search resource "virtualmachine" in "Home -> Search" crashes the console
2112912 - sum_irate doesn't work in OCP 4.8
2113926 - hypershift cluster deployment hang due to nil pointer dereference for hostedControlPlane.Spec.Etcd.Managed
2113938 - Fix e2e tests for [reboots][machine_config_labels] (tsc=nowatchdog)
2114574 - can not upgrade. Incorrect reading of olm.maxOpenShiftVersion
2114602 - Upgrade failing because restrictive scc is injected into version pod
2114964 - kola dhcp.propagation test failing
2115315 - README file for helm charts coded in Chinese shows messy characters when viewing in developer perspective.
2115435 - [4.11] INIT container stuck forever
2115564 - ClusterVersion availableUpdates is stale: PromQL conditional risks vs. slow/stuck Thanos
2115817 - Updates / config metrics are not available in 4.11
2116009 - Node Tuning Operator(NTO) - OCP upgrade failed due to node-tuning CO still progressing
2116557 - Order of config attributes are not maintained during conversion of PT4l from ptpconfig to ptp4l.0.config file
2117223 - kubernetes-nmstate-operator fails to install with error "no channel heads (entries not replaced by another entry) found in channel"
2117324 - catalog-operator fatal error: concurrent map writes
2117353 - kola dhcp.propagation test out of memory
2117370 - Migrate openshift-ansible to ansible-core
2117746 - Bump to latest k8s.io 1.24 release
2118214 - dummy bug for 4.10.z bz2118209
2118375 - pass the "--quiet" option via the buildconfig for s2i

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1 - Test Bug

6. References:

https://access.redhat.com/security/cve/CVE-2022-1012
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32250
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYwUXddzjgjWX9erEAQhaVQ/+LoSAe5mCgjPe0+gupmu0jxSmErna51Gz
LBlcOWhmgSi2LDYiLl0x5fIg1rQuFX87rSqo0397m7k4Wcon7ztOeDBAtc120fbP
i3N+2C+t2wrRPkObvGYKwiCj15+CZP/pIoTQqBlwzqcMAOBLPkXmyXgPaGiA12W7
MoZlSyeEfyx2r636op+e9GC6ysmP2Jq7v+IU2H5/fK7fwPb2lnEIqZV/VXQB4+n7
U7x4Rlng+iLwqalJjCgWY8VLHBQPbIkAQoWS1rMj4f/VEzdbJf7tXNwJOBlPaaJ0
qn8aVZt0b0DMnW0NERm08jg6SYIx8jwMjC/E9Y+JkLdI4nO7f22TOEXgocKHpSMi
jm6yLG6Klvjio8rT0+tYB9QBgo8owR5QxhTH3+ffcdlNqDWk33wt8da2n0vCKY4w
iC1p3bTxCFdxkPz8FkF/p+nVrI5ZGTNd94Q29YiK+BtlGVAVGGqk208YVcQ85RH2
8YQminXLeLt/RA4cKm/4eq5PlGW7lXAsKVM4UxiYZdqWe/WFuW5zoaF1IdcbNL1p
dZaaS1Dy9KvEzF6LPeVFcBg7ouGkdWtBwWQcEGV4bzPjbik8HkiIOkd4J1uT6KHs
di3yYWJc3Q1mHuXV7byNUhaQQtpkiB/jDAUiQ0ggOfTawBbwleBMgxwUt38sMtpV
6FmWxlUydm8=
=6nTC
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list