Home / mailings [RHSA-2022:6287-01] Moderate: OpenShift Container Platform 4.11.3 packages and security update
Posted on 08 September 2022
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.11.3 packages and security update
Advisory ID: RHSA-2022:6287-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6287
Issue date: 2022-09-07
CVE Names: CVE-2021-38561 CVE-2022-2526 CVE-2022-29154
CVE-2022-32206 CVE-2022-32208
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.11.3 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container
Platform 4.11.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.11.3. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHBA-2022:6286
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html
Security Fix(es):
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.3-x86_64
The image digest is
sha256:1ce5676839bca4f389cdc1c3ddc1a78ab033d4c554453ca7ef61a23e34da0803
(For s390x architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.3-s390x
The image digest is
sha256:a1aa4c51af3b69b3dfc998c533b40ce7123f0a5e5e70910a4ea42e37493307b7
(For ppc64le architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.11.3-ppc64le
The image digest is
sha256:b80afcee6747011412d703745acad28beacd6c659462fe341ffdb3fdb7fbb288
All OpenShift Container Platform 4.11 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1989398 - .indexignore is not ingore when opm command load dc configuration
2062152 - Azure CI can't provision volumes in parallel
2076402 - Don't warn on failure to create pod logical port when pod isn't scheduled
2096456 - [HyperShift] Election timeouts on OVNKube masters for Hypershift guests post statefulset recreation
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2103127 - TechPreview feature is not enabled, but find "failed to list *v1alpha1.AlertingRule: alertingrules.monitoring.openshift.io is forbidden" in cmo logs
2105972 - [Azure-file CSI Driver] Read/Write permission denied for non-admin user on azure file csi provisioned volume with fsType=ext4,ext3,ext2,xfs
2107564 - [GCP] create gcpcluster get error
2108014 - Nutanix: the e2e-nutanix-operator webhooks test suite does not support provider Nutanix
2109642 - Fix two issues in hybrid overlay
2109943 - MetaLLB: Validation unable to create BGPPeers with spec.peerASN Value in OCP 4.10
2110407 - metal3-dnsmasq: workers are not provisioned during the cluster installation when BootMacAddress is not provided lower-case
2110524 - [AWS] CCM cannot work on Commercial Cloud Services (C2S) Top Secret Region
2111901 - Split the route controllers out from OCM
2114681 - Kernel parm needs to be added when a pao performance profile is applied, rcutree.kthread_prio=11
2115481 - ovnkube direct-lists pods on a node when the node object changes
2115561 - Pipelines (Multi-column table) column titles are not aligned with the column content (input fields) starting with 4.9
2115807 - OKD: update FCOS to latest stable
2116265 - Failed PipelineRun logs text is not visible in light mode
2116288 - Monitoring Alert decorator in Topology color is grey instead of red
2117462 - [4.11 backport] percpu Memory leak CRIO due to no garbage collection in /run/crio/exits for exited containers
2117594 - Upgrade golangci-lint to 1.47.3 in image-customization-controller
2117823 - oc adm release extract should handle ccoctl
5. JIRA issues fixed (https://issues.jboss.org/):
OCPBUGS-263 - [4.11] Tuned overwriting IRQBALANCE_BANNED_CPUS
OCPBUGS-306 - Cluster-version operator ClusterOperator checks are unecessarily slow on update
OCPBUGS-429 - Release 4.11 : Backport Insights Operator should collect helm upgrade and uninstall metric
OCPBUGS-433 - Nutanix platform validations run at `create manifests` stage
OCPBUGS-453 - [4.11] update ironic to latest available
OCPBUGS-465 - PDB warning alert when CR replica count is set to zero (edit)
OCPBUGS-515 - [OCPonRHV] CSI provisioned disks are effectively preallocated due to go-ovirt-client setting Provisioned and Initial size of the disk to the same value
OCPBUGS-516 - Setting a telemeter proxy in the cluster-monitoring-config config map does not work as expected
OCPBUGS-658 - [release-4.11] OVN master trying to deleteLogicalPort for object which is already gone
OCPBUGS-688 - Adding day2 remote worker node requires manually approving CSRs
OCPBUGS-727 - [4.11] Kubelet cannot be started on worker nodes after upgrade to OCP 4.11 (RHCOS 8.6) when custom SELinux policies are applied
OCPBUGS-737 - machineconfig service is failed to start because Podman storage gets corrupted
OCPBUGS-756 - MetaLLB: Validation unable to create BGPPeers with spec.peerASN Value in OCP 4.10
6. References:
https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.