[RHSA-2022:0577-01] Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Mar 28 15:30:17 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]
Advisory ID:       RHSA-2022:0577-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0577
Issue date:        2022-03-28
CVE Names:         CVE-2020-28851 CVE-2020-28852 CVE-2021-3121 
                   CVE-2021-3521 CVE-2021-3712 CVE-2021-29923 
                   CVE-2021-31525 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-36221 
                   CVE-2021-42574 CVE-2022-24407 
=====================================================================

1. Summary:

The components for Windows Container Support for Red Hat OpenShift 5.0.0
are now available. This product release includes bug fixes and a moderate
security update for the following packages: windows-machine-config-operator
and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Windows Container Support for Red Hat OpenShift allows you to deploy
Windows container workloads running on Windows Server containers.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
-u- extension (CVE-2020-28851)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
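
Most of the Go issues above are parser edge cases rather than memory-safety
bugs, and two of them lend themselves to a short demonstration of the check a
practitioner wants: CVE-2021-29923 (leading zeros in an IPv4 octet read as
decimal by one parser and as octal by another) and CVE-2021-33197 (a proxy that
reads only the first Connection header value and so fails to strip hop-by-hop
headers when that first value is empty). The Go program below is an added
illustration written for this page; it is not code from Red Hat, the
windows-machine-config-operator project or the Go standard library.
ParseIPv4Strict rejects ambiguous octets outright, and StripHopByHop is shown
next to a deliberately naive variant that reproduces the described flaw. The
header name X-Hop and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// ParseIPv4Strict parses a dotted-quad IPv4 address and rejects any octet
// written with a leading zero ("010"). That input class is the one behind
// CVE-2021-29923: a parser that silently reads "010" as decimal 10 disagrees
// with one that reads it as octal 8, so an allow-list check and the component
// that later opens the connection can end up talking about different hosts.
func ParseIPv4Strict(s string) ([4]byte, error) {
	var ip [4]byte
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return ip, fmt.Errorf("%q: want 4 octets, got %d", s, len(parts))
	}
	for i, p := range parts {
		switch {
		case p == "":
			return ip, fmt.Errorf("%q: octet %d is empty", s, i)
		case len(p) > 1 && p[0] == '0':
			return ip, fmt.Errorf("%q: octet %d has a leading zero (octal/decimal ambiguity)", s, i)
		}
		// Base 10 and 8 bits: rejects signs, hex, underscores and values > 255.
		n, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return ip, fmt.Errorf("%q: octet %d: %v", s, i, err)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// stripHopByHopNaive removes the headers named in Connection, as a proxy must,
// but reads only the first Connection value (http.Header.Get returns the first
// value). A request whose first Connection header is empty and whose second
// names a header therefore has nothing stripped. This is the pattern described
// for CVE-2021-33197, written here as a deliberately flawed reference
// implementation, not the standard library's code.
func stripHopByHopNaive(h http.Header) {
	for _, f := range strings.Split(h.Get("Connection"), ",") {
		if f = strings.TrimSpace(f); f != "" {
			h.Del(f)
		}
	}
}

// StripHopByHop walks every Connection value, so an empty first value cannot
// mask the tokens in later ones, then drops Connection itself since it is
// hop-by-hop as well.
func StripHopByHop(h http.Header) {
	for _, v := range h["Connection"] { // all values, not just the first
		for _, f := range strings.Split(v, ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Del(f)
			}
		}
	}
	h.Del("Connection")
}

func main() {
	for _, s := range []string{"127.0.0.1", "127.0.0.010", "0.0.0.0", "1.2.3.256"} {
		ip, err := ParseIPv4Strict(s)
		fmt.Printf("%-14s -> %v err=%v\n", s, ip, err)
	}

	// Constructed request headers: the first Connection value is empty and
	// the second names a hypothetical hop-by-hop header X-Hop.
	mk := func() http.Header {
		h := http.Header{}
		h.Add("Connection", "")
		h.Add("Connection", "X-Hop")
		h.Set("X-Hop", "client-controlled")
		return h
	}
	naive, fixed := mk(), mk()
	stripHopByHopNaive(naive)
	StripHopByHop(fixed)
	fmt.Printf("naive leaves X-Hop=%q; fixed leaves X-Hop=%q\n",
		naive.Get("X-Hop"), fixed.Get("X-Hop"))
}
```

The strict parser is the shape to use wherever an address string is compared
against a policy in one place and dialled in another: refusing the ambiguous
form is cheaper than trying to agree with every downstream parser on what it
means. The header walk is the same rule for any multi-valued header a proxy
acts on: iterate over all values rather than the convenience accessor.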

3. Solution:

For Windows Machine Config Operator upgrades, see the following
documentation:
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990573 - Username annotation error when byoh Windows have uppercase hostname
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart
1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP “172.30.0.10”, which is wrong, if the default kubernetes subnet is not used
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell
2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal
2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2005360 - BYOH Windows instance configured twice with DNS name
2008601 - WMCO ignores delete events for machines with invalid IP addresses
2015772 - Replacing private key reconcile 2 Windows nodes in parallel
2032048 - CSR approval failures caused by update conflicts

5. JIRA issues fixed (https://issues.jboss.org/):

WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release

6. References:

https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----