-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.1 bug fix and security update
Advisory ID:       RHSA-2023:3304-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3304
Issue date:        2023-05-30
CVE Names:         CVE-2018-17419 CVE-2021-36157 CVE-2022-25147 
                   CVE-2022-41722 CVE-2022-41723 CVE-2023-25652 
                   CVE-2023-25815 CVE-2023-29007 
====================================================================
1. Summary:

Red Hat OpenShift Container Platform release 4.13.1 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.13.1. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2023:3303

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* dns: Denial of Service (DoS) (CVE-2018-17419)

* cortex: Grafana Cortex directory traversal (CVE-2021-36157)

* golang: path/filepath: path-filepath filepath.Clean path traversal
(CVE-2022-41722)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. All OpenShift Container Platform
4.13 users are advised to upgrade to these updated packages and images when
they are available in the appropriate release channel. To check for
available updates, use the OpenShift CLI (oc) or web console. Instructions
for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests
may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)
The image digest is
sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f

(For s390x architecture)
The image digest is
sha256:dbc768473b99538c15a35ea1be7ff656a6ac01e5001af4fac117c51f461c6054

(For ppc64le architecture)
The image digest is
sha256:dc4bab40680fb4ed84665abc34aefef5e0689eafef1c878776c3685ddaa759d5

(For aarch64 architecture)
The image digest is
sha256:5415fb0c33370014b9be83bc3120cc9d35a95922b2e93e218cac603e4179717a

All OpenShift Container Platform 4.13 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift CLI (oc)
or web console. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2183169 - CVE-2021-36157 cortex: Grafana Cortex directory traversal
2188523 - CVE-2018-17419 dns: Denial of Service (DoS)
2203008 - CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean path traversal

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-11294 - [4.13] Missing metric for CSI migration opt-in
OCPBUGS-11302 - Incorrect domain resolution by the coredns/Corefile in Vsphere IPI Clusters | openshift-vsphere-infra
OCPBUGS-11336 - NTO: PAO e2e: profile update tests are flaky (time out)
OCPBUGS-11353 - --external-cloud-volume-plugin for out-of tree providersOCPBUGS-11387 - build regression on 4.13: ERROR: bash-5.0.11-r1.post-install: script exited with error 127
OCPBUGS-11432 - hostpath and node-driver-registrar containers are not pinned to mgmt cores - no WLP annotation
OCPBUGS-11775 - wait-for command doesn't handle installing-pending-user-action
OCPBUGS-12363 - structured logs are borked in BMO
OCPBUGS-12461 - Improve telemetry epic (ODC-7171) doesn't work without PrometheusRule (4.13)
OCPBUGS-12722 - Wrong cleanup of stale conditions from OCPBUGS-2783
OCPBUGS-12770 - Create BuildConfig button in the Devconsole opens the form in default namespace
OCPBUGS-13082 - Root device hints should accept by-path device alias
OCPBUGS-13083 - Assisted Root device hints should accept by-path device alias
OCPBUGS-13085 - hypershift_hostedclusters_failure_conditions metric incorrectly reports multiple clusters for a single cluster
OCPBUGS-13086 - Bootstrap on aws should have same metadata service type as on other nodes
OCPBUGS-13127 - EgressIP was NOT migrated to correct workers after deleting machine it was assigned in GCP XPN cluster.
OCPBUGS-13138 - 4.13.0-RC.6 Enter to Cluster status: error while trying to install cluster with agent base installer
OCPBUGS-13150 - EgressNetworkPolicy DNS resolution does not fall back to TCP for truncated responses
OCPBUGS-13155 - CNO doesn't handle nodeSelector in HyperShift
OCPBUGS-13162 - Rebase vSphere CSI driver to 3.0.1
OCPBUGS-13170 - Routes are not restored to new vNIC by hybrid-overlay on Windows nodes
OCPBUGS-13222 - NTO profiles not removed when node is removed in hypershift guest cluster
OCPBUGS-13312 - Failing test [bz-Machine Config Operator] Nodes should reach OSUpdateStaged in a timely fashion
OCPBUGS-13321 - collect-profiles pods causing regular CPU bursts
OCPBUGS-13410 - 'vendor' root device hint does not work correctly in ZTP/ABI
OCPBUGS-13427 - kuryr-controller crashes on KuryrPort cleanup when subport is already gone: Request requires an ID but none was found
OCPBUGS-13497 - kube-apiserver isn't healthy after a cluster comes up
OCPBUGS-13531 - AWS VPC endpoint service not cleaned up when access to customer credentials lost
OCPBUGS-13563 - [vmware csi driver] vsphere-syncher does not retry populate the CSINodeTopology with topology information when registration fails
OCPBUGS-13591 - [TELCO:CASE]  Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry
OCPBUGS-13598 - OSD clusters' Ingress health checks & routes fail after swapping application router between public and private
OCPBUGS-13683 - Yum Config Manager Not Found
OCPBUGS-13692 - Failed to create STS resources on AWS GovCloud regions using ccoctl
OCPBUGS-13731 - unusual error log in cluster-policy-controller
OCPBUGS-13742 - [4.13] container_network* metrics fail to report
OCPBUGS-13783 - [Hypershift Guest] OperatorHub details page returns error
OCPBUGS-13828 - 4.13: aws-ebs-csi-driver-controller-sa ServiceAccount does not include the HCP pull-secret in its imagePullSecrets
OCPBUGS-13887 - Verify that upstream gRPC issue #4632 (leak of net.Conn) is fixed in 4.13
OCPBUGS-13888 - CPMS?create two replace machines when deleting a master machine on vSphere
OCPBUGS-13959 - [CI Watcher]:  logs in as 'test' user via htpasswd identity provider: Auth test logs in as 'test' user via htpasswd identity provider
OCPBUGS-1598 - Resourse added toast always have text "Deployment created successfully." irrespective of any resource type selected in the form
OCPBUGS-2290 - IPI for Power VS: Deploy fails when there is are certain preexisting resources
OCPBUGS-3160 - In some directories(under /run/containers/storage/overlay-containers/) on two of the Infra nodes permissions are rw for other user
OCPBUGS-3166 - assisted-installer: pod creation fails due to violations of security policies in 4.12
OCPBUGS-7147 - [Descheduler] ? The minKubeVersion should be 1.26.0 for descheduler operator

6. References:

https://access.redhat.com/security/cve/CVE-2018-17419
https://access.redhat.com/security/cve/CVE-2021-36157
https://access.redhat.com/security/cve/CVE-2022-25147
https://access.redhat.com/security/cve/CVE-2022-41722
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZHsD8dzjgjWX9erEAQiTfA//duDVDDmwhcaooaY8TSJ3Pof/t84/zILB
Mxt5PJaJ2nkRZmjADWML8LxBGQ9QpBQEiLPauevwTJJOQnLL2gWgs0mS+RKoIu+V
M0V6cs/LrsdrekgiaxDkbQGO8Vq9V6SKPoM6WKf6Z70P6gTdDG0uy5BzwNYkVldf
/skqH+cUxKOszgadiFHWaoWU1qh0zUCpCNtRMr0nQ64UuP9061bs3L3vfYwmC6vY
rLyejSHAw6rSOS/P9USTbrq1NVdNfFdHwqVDAZa/uS0GgstbAhwXPqe1XG4KGIDu
sILeX/XK04QWdhfWJh5Tvwv+B1ZNp9g1vu/gJgFQ+E+ToGCFMFXgfy10R+KhYU4t
yjZUGSZ1EuIKpdYAlgAsqxLrNaoLuW5rlGxjQpsKI/CoD3EaJOOqWUN3NsXe+n5c
hpzdCmA6nJ3ld9o/7ew+vD2i7xqRlKot5KVV3FGhDZ/kvcMq6JqckLqeGvdMBCxN
MNC3EKbbFzDLcBCsCxl5CK3T94mP4jtu3Gq9aWw4uqIHFqvDqnEIf3Qzv3OzUfRs
BPRwXSiYyUAx9qZmOJoEmudH2MF0wzCNUDkP2TxS1hJE5vBKxOWjdQmyGZgNcbaV
8g7zF3EpIItRDbCqtfnoHtbGYXy3n7QEkdMkTytTEngnq7ZMM0nrk7Qu4mYbj1l1
io3sLp+fdQU=dITn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce