[RHSA-2022:7874-01] Important: OpenShift Container Platform 4.8.53 bug fix and security update

[Security announcements for all Red Hat products and services.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.8.53 bug fix and security update
Advisory ID:       RHSA-2022:7874-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7874
Issue date:        2022-11-18
CVE Names:         CVE-2021-45485 CVE-2021-45486 CVE-2022-2588 
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 
                   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-26945 
                   CVE-2022-30321 CVE-2022-30322 CVE-2022-30323 
                   CVE-2022-39399 CVE-2022-41974 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.8.53 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.8.53. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2022:7873

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Security Fix(es):

* go-getter: command injection vulnerability (CVE-2022-26945)
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, and ppc64le architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)
The image digest is 
sha256:ac2bbfa7036c64bbdb44f9a74df3dbafcff1b851d812bf2a48c4fabcac3c7a53

(For s390x architecture)
The image digest is 
sha256:ac2c74a664257cea299126d4f789cdf9a5a4efc4a4e8c2361b943374d4eb21e4

(For ppc64le architecture)
The image digest is 
sha256:53adc42ed30ad39d7117837dbf5a6db6943a8f0b3b61bc0d046b83394f5c28b2

All OpenShift Container Platform 4.8 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2077100 - Console backend check for Web Terminal Operator incorrectly returns HTTP 204
2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
2092928 - CVE-2022-26945 go-getter: command injection vulnerability

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-2205 - Prefer local dns does not work expectedly on OCPv4.8
OCPBUGS-2347 - [cluster-api-provider-baremetal] fix 4.8 build
OCPBUGS-2577 - [4.8] ETCD Operator goes degraded when a second internal node ip is added 
OCPBUGS-2773 - e2e tests: Installs Red Hat Integration - 3scale operator test is failing due to change of Operator name
OCPBUGS-2989 - [4.8] cri-o should report the stage of container and pod creation it's stuck at

6. References:

https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-2588
https://access.redhat.com/security/cve/CVE-2022-21123
https://access.redhat.com/security/cve/CVE-2022-21125
https://access.redhat.com/security/cve/CVE-2022-21166
https://access.redhat.com/security/cve/CVE-2022-21618
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/cve/CVE-2022-26945
https://access.redhat.com/security/cve/CVE-2022-30321
https://access.redhat.com/security/cve/CVE-2022-30322
https://access.redhat.com/security/cve/CVE-2022-30323
https://access.redhat.com/security/cve/CVE-2022-39399
https://access.redhat.com/security/cve/CVE-2022-41974
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3csZNzjgjWX9erEAQgVQg//dfbbERoUaVbqbL5MAgN43BOuYuiK0zT2
wkUXSTkIyLGkEqCU6KGhwbrUvMqye1Fef7MomJ0sXUj1MfUuV4FInczZmioJf59d
JAKdJQ8wEsqCaedwB+an5bVY6CEGdhsiN4a3JubKfGNkWcVOEr55acdgmu+n0hMJ
6zGQKgJLfBLPU7V/OG5zb/F2/GE6gwvqDsrrCMe6yZ7O2RTHDDnVI+bG1twhOjNb
M/wxjxMc3KxAl/32EQXQQnDdicl8Fg3KSCLnVfKwQMfN3O9Fj5AFdW3kT27MKKrF
DVsXTEeiLPvvUcfbu2KoLUqwXNajIDLNPYmwdWHrVZpOJcSSwDKxd3TRD1X8a5FO
2ZCpqk/InKz/mzhun+XSsyqY/KrevPFxiBzhfbPZE2EhBRXARUad4ycBlfSCacf9
wwFHEwPDzZ4NygYc1s+2dI9P5tDB+K21XB0d/41yq5XheYonBSu3Ji9+dqMIq/4R
Hb+xisN5QoaB+3pf6PMIrhlvNestYQ4TzOHdmEpJRZOehIJ49bJXtIRXq6uDj52b
7gvzoKpRdy3QZNBLNcrJPB0be9yE8chRaxMa++fviQbNamJm3NPVL5jBzBNrEINr
a9u8YMzpCzskWP3HdBUZ2bLT2zTnvb3Qj0vKQcUzO/hwl2z3hNbE2L+zOfXfWypj
jBUti9NswAw=
=uJJL
-----END PGP SIGNATURE-----