[RHSA-2023:3537-01] Moderate: OpenShift Container Platform 4.13.3 bug fix and security update

Wed Jun 14 04:42:03 UTC 2023

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.3 bug fix and security update
Advisory ID:       RHSA-2023:3537-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3537
Issue date:        2023-06-13
CVE Names:         CVE-2022-41723 CVE-2023-25173 CVE-2023-26054 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.13.3 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.13.3. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2023:3536

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html
Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)
* containerd: Supplementary groups are not set up properly (CVE-2023-25173)
* buildkit: Data disclosure in provenance attestation describing a build
(CVE-2023-26054)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)
The image digest is
sha256:bc9835804046aa844c874d2cc37387ec95fe7e87d8ce96129fba78d465c932fa

(For s390x architecture)
The image digest is
sha256:c26d48b04d8864fc20145204b543957824d1d86696c82efdd9738d096796326d

(For ppc64le architecture)
The image digest is
sha256:2bf60fe7b0c72a301aa26544e3faabb61fe750e449ee130ee6945b588a727e67

(For aarch64 architecture)
The image digest is
sha256:f61d496a3b69582f0f1c54da973a58241b3e6001d8d1a696368d604b9ae774f2

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2176447 - CVE-2023-26054 buildkit: Data disclosure in provenance attestation describing a build
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10527 - When there are 2 pipelines displayed in the dropdown menu, selecting one, unchecks the Add Pipeline checkbox
OCPBUGS-11530 - GCP usage api response include other projects and can causes negative quota calculation
OCPBUGS-11851 - [4.13] nto: makefile: fix render-sync make target
OCPBUGS-12918 - [GWAPI] OSSM 2.4 spec.techPreview.controlPlaneMode field not supported anymore
OCPBUGS-13011 - Azure cloud node manager stopped applying beta topology labels
OCPBUGS-13168 - Invalid CA certificate bundle provided by service account token
OCPBUGS-13399 - Error logs related to NTO Service during HostedCluster creation
OCPBUGS-13727 - Invalid docker ref parsing when tag and sha are both provided
OCPBUGS-13735 - Cluster-api SA can't create events
OCPBUGS-13749 - NTO does not include PerformanceProfiles in oc adm must-gather
OCPBUGS-13765 - IPI baremetal install root device hints should accept by-path device alias
OCPBUGS-13811 - Volume unmount repeats after successful unmount, preventing pod delete
OCPBUGS-13964 - mtls CRL not working when using an intermediate CA
OCPBUGS-13967 - CRL configmap is limited by 1MB max, not allowing for multiple public CRLS. 
OCPBUGS-14000 - Package openvswitch2.17 conflicts with openvswitch2.15 during the 4.12 to 4.13 upgrade of RHEL worker
OCPBUGS-14085 - Log vcenter version in raw string format in problem-detector
OCPBUGS-14098 - The vsphere-problem-detector-operator panics if vsphere Infrastructure field is empty
OCPBUGS-14135 - SCOS times out during provisioning of BM nodes
OCPBUGS-14165 - Labels added in the Git import flow are not propagated to the pipeline resources
OCPBUGS-14171 - gracefully fail when iam:GetRole is denied
OCPBUGS-14173 - [4.13] Fast track BZ#2196441 (Network Manager)
OCPBUGS-14195 - Topology UI doesn't recognize Serverless Rust function for proper UI icon
OCPBUGS-14249 - oc does not preserve a speficic release image provided with --to-image=''
OCPBUGS-14258 - Adjust vSphere connection plugin to OCP 4.13  - backport
OCPBUGS-14315 - IPv6 interface and address missing in all pods - OCP 4.12-ec-2 BM IPI
OCPBUGS-14438 - 4.13.z: [Clone of OCPBugs-8287]SNO 4.10: Power cycle node and MAC address of NIC not available when VDU application starts on Intel E810-C Nic

6. References:

https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-26054
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZIlFG9zjgjWX9erEAQjFHg/+JD8RnnEEsvLQK8UlMG1kcmCTXfPA4xHu
U6d3UjOzpFkUqJKS7VA+pOPCo5rhhR+ysE3hhSqrYeFIVLBX73vzfnYTvEHO0PpU
gWbHIrMAplWa8dZ5g6h0U8zXB+2DAFLTJjs/28GGKS4/VHMwJSWDiMZKDsTA3V1l
hM/Lz6aflcLkXDExxIXk1Q0WIy3TLx/RX9dbMlHe8oU/bh+rPuXfBc7XakfhnEOt
oHgAJqTjziAcsfleCyh4/5wmrUofNZBekV1S5CZn/23nDoctKDCsiF3ndNt8wokp
u3wbwMdgmaaiI/wqrmiY3gAV6+/AvsqMUsViEiAEh1iwAvN38pl3ALWI1R8pUtxR
D0TKP2aetv7zdYrcRXptB9w/lH5QEHipYhyqqbtrjXbF8XDggORYsbXi1KLqYHZa
vI0TVCM4bcbeDzF/VqF3mnyBGkYzbuiY9PNLymBsrtQ5SEfLfMuB0nWxMnEaAEaq
uhEtCZadYZ6JtI2REbPFvMzBLWfX2HR2Ajwy0Efe0Uj1oOe3jy5Zvsi5TiW3klVI
6o+g4pUGPixVSixBcNXqPKyKDZeEEtLPo3l1ZIyp7E/dZKElI/7nMROVyWkMZX79
UBpztFnPjpHtXsgEUhsZ7wLPR/YrClqmxl0Sb+0zfhqSM3qpjQwlMVSHOMERyjfw
OeqeVYbjEpU=
=YSnm
-----END PGP SIGNATURE-----