Red Hat 9062 Published by

An OpenShift Container Platform 4.3.40 security and bug fix update has been released.



RHSA-2020:4264-01: Low: OpenShift Container Platform 4.3.40 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Low: OpenShift Container Platform 4.3.40 security and bug fix update
Advisory ID: RHSA-2020:4264-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2020:4264
Issue date: 2020-10-20
CVE Names: CVE-2017-12652 CVE-2017-18190 CVE-2018-20843
CVE-2019-2974 CVE-2019-5094 CVE-2019-5188
CVE-2019-5482 CVE-2019-8675 CVE-2019-8696
CVE-2019-11068 CVE-2019-11719 CVE-2019-11727
CVE-2019-11756 CVE-2019-12450 CVE-2019-12749
CVE-2019-14822 CVE-2019-14866 CVE-2019-14973
CVE-2019-15903 CVE-2019-16935 CVE-2019-17006
CVE-2019-17023 CVE-2019-17498 CVE-2019-17546
CVE-2019-18197 CVE-2019-19126 CVE-2019-19956
CVE-2019-20386 CVE-2019-20388 CVE-2020-2181
CVE-2020-2182 CVE-2020-2224 CVE-2020-2225
CVE-2020-2226 CVE-2020-2574 CVE-2020-2752
CVE-2020-2780 CVE-2020-2812 CVE-2020-6829
CVE-2020-7595 CVE-2020-8492 CVE-2020-9283
CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
CVE-2020-12402 CVE-2020-12403 CVE-2020-12825
CVE-2020-14352 CVE-2020-24750
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Container Platform 4.3.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Gather image registry config (backport to 4.3) (BZ#1836815)

* Builds fail after running postCommit script if OCP cluster is configured
with a container registry whitelist (BZ#1849176)

* Login with OpenShift not working after cluster upgrade (BZ#1852429)

* Limit the size of gathered federated metrics from alerts in Insights
Operator (BZ#1874018)

* [4.3] Storage operator stops reconciling when going Upgradeable=False on
v1alpha1 CRDs (BZ#1879110)

* [release 4.3] OpenShift APIs become unavailable for more than 15 minutes
after one of master nodes went down(OAuth) (BZ#1880293)

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.3.40-x86_64

The image digest is
sha256:9ff90174a170379e90a9ead6e0d8cf6f439004191f80762764a5ca3dbaab01dc

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.3.40-s390x
The image digest is
sha256:605ddde0442e604cfe2d6bd1541ce48df5956fe626edf9cc95b1fca75d231b64

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.3.40-ppc64le

The image digest is
sha256:d3c9e391c145338eae3feb7f6a4e487dadc8139a353117d642fe686d277bcccc

3. Solution:

For OpenShift Container Platform 4.3 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

  https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-rel
ease-notes.html

Details on how to access this content are available at
  https://docs.openshift.com/container-platform/4.3/updating/updating-cluster
- -cli.html.

4. Bugs fixed (  https://bugzilla.redhat.com/):

1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1836815 - Gather image registry config (backport to 4.3)
1849176 - Builds fail after running postCommit script if OCP cluster is configured with a container registry whitelist
1874018 - Limit the size of gathered federated metrics from alerts in Insights Operator
1874399 - [DR] etcd-member-recover.sh fails to pull image with unauthorized
1879110 - [4.3] Storage operator stops reconciling when going Upgradeable=False on v1alpha1 CRDs

5. References:

  https://access.redhat.com/security/cve/CVE-2017-12652
  https://access.redhat.com/security/cve/CVE-2017-18190
  https://access.redhat.com/security/cve/CVE-2018-20843
  https://access.redhat.com/security/cve/CVE-2019-2974
  https://access.redhat.com/security/cve/CVE-2019-5094
  https://access.redhat.com/security/cve/CVE-2019-5188
  https://access.redhat.com/security/cve/CVE-2019-5482
  https://access.redhat.com/security/cve/CVE-2019-8675
  https://access.redhat.com/security/cve/CVE-2019-8696
  https://access.redhat.com/security/cve/CVE-2019-11068
  https://access.redhat.com/security/cve/CVE-2019-11719
  https://access.redhat.com/security/cve/CVE-2019-11727
  https://access.redhat.com/security/cve/CVE-2019-11756
  https://access.redhat.com/security/cve/CVE-2019-12450
  https://access.redhat.com/security/cve/CVE-2019-12749
  https://access.redhat.com/security/cve/CVE-2019-14822
  https://access.redhat.com/security/cve/CVE-2019-14866
  https://access.redhat.com/security/cve/CVE-2019-14973
  https://access.redhat.com/security/cve/CVE-2019-15903
  https://access.redhat.com/security/cve/CVE-2019-16935
  https://access.redhat.com/security/cve/CVE-2019-17006
  https://access.redhat.com/security/cve/CVE-2019-17023
  https://access.redhat.com/security/cve/CVE-2019-17498
  https://access.redhat.com/security/cve/CVE-2019-17546
  https://access.redhat.com/security/cve/CVE-2019-18197
  https://access.redhat.com/security/cve/CVE-2019-19126
  https://access.redhat.com/security/cve/CVE-2019-19956
  https://access.redhat.com/security/cve/CVE-2019-20386
  https://access.redhat.com/security/cve/CVE-2019-20388
  https://access.redhat.com/security/cve/CVE-2020-2181
  https://access.redhat.com/security/cve/CVE-2020-2182
  https://access.redhat.com/security/cve/CVE-2020-2224
  https://access.redhat.com/security/cve/CVE-2020-2225
  https://access.redhat.com/security/cve/CVE-2020-2226
  https://access.redhat.com/security/cve/CVE-2020-2574
  https://access.redhat.com/security/cve/CVE-2020-2752
  https://access.redhat.com/security/cve/CVE-2020-2780
  https://access.redhat.com/security/cve/CVE-2020-2812
  https://access.redhat.com/security/cve/CVE-2020-6829
  https://access.redhat.com/security/cve/CVE-2020-7595
  https://access.redhat.com/security/cve/CVE-2020-8492
  https://access.redhat.com/security/cve/CVE-2020-9283
  https://access.redhat.com/security/cve/CVE-2020-12243
  https://access.redhat.com/security/cve/CVE-2020-12400
  https://access.redhat.com/security/cve/CVE-2020-12401
  https://access.redhat.com/security/cve/CVE-2020-12402
  https://access.redhat.com/security/cve/CVE-2020-12403
  https://access.redhat.com/security/cve/CVE-2020-12825
  https://access.redhat.com/security/cve/CVE-2020-14352
  https://access.redhat.com/security/cve/CVE-2020-24750
  https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.