An OpenShift Container Platform 4.6.16 security and bug fix update has been released.
RHSA-2021:0308-01: Important: OpenShift Container Platform 4.6.16 security and bug fix update
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 4.6.16 security and bug fix update
Advisory ID: RHSA-2021:0308-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0308
Issue date: 2021-02-08
CVE Names: CVE-2015-8011 CVE-2016-2183 CVE-2020-14382
CVE-2021-3344 CVE-2021-20198
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.6.16 is now available with
updates to packages and images that fix several bugs.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.16. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHBA-2021:0309
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.16-x86_64
The image digest is
sha256:3e855ad88f46ad1b7f56c312f078ca6adaba623c5d4b360143f9f82d2f349741
(For s390x architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.16-s390x
The image digest is
sha256:2335685cda334ecf9e12c056b148c483fb81412fbfc96c885dc669d775e1f1ee
(For ppc64le architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.16-ppc64le
The image digest is
sha256:953ccacf79467b3e8ebfb8def92013f1574d75e24b3ea9a455aa8931f7f17b88
All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- -between-minor.html#understanding-upgrade-channels_updating-cluster-between
- -minor.
Security Fix(es):
* SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
(CVE-2016-2183)
* openshift/builder: privilege escalation during container image builds via
mounted secrets (CVE-2021-3344)
* openshift/installer: Bootstrap nodes allow anonymous authentication on
kubelet port 10250 (CVE-2021-20198)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- -cli.html.
4. Bugs fixed ( https://bugzilla.redhat.com/):
1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1873004 - [downstream] Should indicate the version info instead of the commit info
1887759 - [release 4.6] Gather MachineConfigPools
1889676 - [release 4.6] Gather top installplans and their count
1889865 - operator-registry image needs clean up in /tmp
1890274 - [4.6] External IP doesn't work if the IP address is not assigned to a node
1890452 - Adding BYOK disk encryption through DES
1891697 - Handle missing labels as empty.
1891892 - The windows oc.exe binary does not have version metadata
1893409 - [release-4.6] MCDPivotError alert/metric missing
1893738 - Examining agones helm chart resources results in "Oh no!"
1894916 - [4.6] Panic output due to timeouts in openshift-apiserver
1896919 - start creating new-style Secrets for AWS
1898672 - Pod gets stuck in ContainerCreating state with exhausted Whereabouts IPAM range with a daemonset
1899107 - [4.6] ironic-api used by metal3 is over provisioned and consumes a lot of RAM
1899535 - ds/machine-config-daemon takes 100+ minutes to rollout on 250 node cluster
1901602 - Extra reboot during 4.5 -> 4.6 upgrade
1901605 - CNO blocks editing Kuryr options
1903649 - Automated cleaning is disabled by default
1903887 - dns daemonset rolls out slowly in large clusters
1904091 - Missing registry v1 protocol usage metric on telemetry
1904577 - [4.6] Local storage operator doesn't include correctly populate LocalVolumeDiscoveryResult in console
1905031 - (release-4.6) Collect spec config for clusteroperator resources
1905195 - [release-4.6] Detecting broken connections to the Kube API takes up to 15 minutes
1905573 - [4.6] Changing the bound token service account issuer invalids previously issued bound tokens
1905788 - Role name missing on create role binding form
1906332 - update discovery burst to reflect lots of CRDs on openshift clusters
1906741 - KeyError: 'nodeName' on NP deletion
1906796 - [SA] verify-image-signature using service account does not work
1907827 - Kn resources are not showing in Topology if triggers has KSVC and IMC as subscriber
1907830 - "Evaluating rule failed" for "record: cluster:kube_persistentvolumeclaim_resource_requests_storage_bytes:provisioner:sum" and "record: cluster:kubelet_volume_stats_used_bytes:provisioner:sum"
1909673 - scale up / down buttons available on pod details side panel
1912388 - [OVN]: `make check` broken on 4.6
1912430 - thanosRuler.resources.requests does not take effect in user-workload-monitoring-config confimap
1913109 - oc debug of an init container no longer works
1913645 - Improved Red Hat image and crashlooping OpenShift pod collection
1915560 - OCP 4.4.9: EtcdMemberIPMigratorDegraded: rpc error: code = Canceled desc = grpc: the client connection is closing
1916096 - [oVirt] csi operator panics if ovirt-engine suddenly becomes unavailable.
1916100 - [oVirt] Consume 23-10 ovirt sdk - csi operator
1916347 - Updating scheduling component builder & base images to be consistent with ART
1916857 - configs.imageregistry.operator.openshift.io cluster does not update its status fields after URL change
1916907 - dns-node-resolver corrupts /etc/hosts if internal registry is not in use
1917240 - [4.6] Network Policies are not working as expected with OVN-Kubernetes when traffic hairpins back to the same source through a service
1917498 - Regression OLM uses scoped client for CRD installation
1917547 - oc adm catalog mirror does not mirror the index image itself
1917548 - [4.6] Cannot filter the platform/arch of the index image
1917549 - Failed to mirror operator catalog - error: destination registry required
1917550 - oc adm catalog mirror command attempts to pull from registry.redhat.io when using --from-dir option
1917609 - [4.6z] Deleting an exgw causes pods to no longer route to other exgws
1918194 - with sharded ingresscontrollers, all shards reload when any endpoint changes
1918202 - Grafana - The resulting dataset is too large to graph (OCS RBD volumes being counted as disks)
1918525 - OLM enters infinite loop if Pending CSV replaces itself
1918779 - [Negative Test] After deleting metal3 pod, scaling worker stuck on provisioning state
1918792 - [BUG] Thanos having possible memory leak consuming huge amounts of node's memory and killing them
1918961 - [IPI on vsphere] Executing 'openshift-installer destroy cluster' leaves installer tag categories in vsphere
1920764 - CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250
1920873 - Failure to upgrade operator when a Service is included in a Bundle
1920995 - kuryr-cni pods using unreasonable amount of CPU
1921450 - CVE-2021-3344 openshift/builder: privilege escalation during container image builds via mounted secrets
1921473 - test-cmd is failing on volumes.sh pretty consistently
1921599 - OCP 4.5 to 4.6 upgrade for "aws-ebs-csi-driver-operator" fails when "defaultNodeSelector" is set
5. References:
https://access.redhat.com/security/cve/CVE-2015-8011
https://access.redhat.com/security/cve/CVE-2016-2183
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2021-3344
https://access.redhat.com/security/cve/CVE-2021-20198
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2548661
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.