[RHSA-2023:2138-01] Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

Thu May 18 05:53:21 UTC 2023

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update
Advisory ID:       RHSA-2023:2138-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2138
Issue date:        2023-05-18
CVE Names:         CVE-2020-16251 CVE-2021-43998 
=====================================================================

1. Summary:

An update for ztp-site-generate-container, topology-aware-lifecycle-manager
and bare-metal-event-relay is now available for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the
container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.

Security Fix(es):

* vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
* vault: incorrect policy enforcement (CVE-2021-43998)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in in ptpconfig source crs
OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
OCPBUGS-3092 - TALM precaching pulls more content than needed
OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field 
OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters 
OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
OCPBUGS-4200 - Segfault from TALM after CGU timeout
OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
OCPBUGS-4406 - ptp configs should match reference configs
OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application 
OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching 
OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created
OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit "container-mount-namespace.service" is enabled, but has no install section so enable does nothing
OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs

6. References:

https://access.redhat.com/security/cve/CVE-2020-16251
https://access.redhat.com/security/cve/CVE-2021-43998
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZGW9UdzjgjWX9erEAQi5/A/+KKaHyRl+23u8Wj3rxjrnEcz9KPFU+ZUc
UUW1MvuqmFqCX+0Sb98agk5faDIQfhAPuE4ShcwduR8w39ftxFAQWEaDfBqZBuul
1Nptw0Ammrh0btDaQnjXF5vLTcF1sv5GWtkICpoTXg6qcVnIsibw9f1G/hBidiG2
u35ThWipKMp0N9DMDTSBr8Fy0Mffw5+ny05QU18DegHRVFupt1XF8SnW4lh/UlhD
LiR9iJ2K1xnfvDr+BdMhFWiqH7xZzZHMX0s2FEcBvUMW6/DYYLzaiUSFbh6TYiIK
5fwCXQKXLlls0+oUbBquoYG64beXOMxSgYEiI4B+bFblqfzTN4ev+vJOqCfjt7ye
BG1B7350xgMhHxBV8stMoY5mQMLoYjZHzBvQ9KU672ze0gLlIspTLjzlN2fhUr3/
bfiVsX8T9pJJOszDmbyrRXaFHbgEtR1SYJVMC/0G49koPrSX6JwasGHq/b5yMSIH
v+cLWsQ7YTRdC7zUc54j2ILP75VeLxxm4Rxm4pWTHvUo0h48GFn92AYWbW4Vt9Yn
6ZVcEuNSJK1iVd67L9P9Y+hX3nlrt/PBkbMYO0IcTFhCf97Xo76O84iqovuRHGRX
rst63r8Zjx0GfT2OA8ewcxBMf5hCs3zBO8Psr6Wx8oMccd6brME9RdzqgNpo9pEW
TXwdOxzzbkI=
=59Dl
-----END PGP SIGNATURE-----