
An OpenShift Container Platform 4.7.13 bug fix and security update has been released.



RHSA-2021:2121-01: Moderate: OpenShift Container Platform 4.7.13 bug fix and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.7.13 bug fix and security update
Advisory ID: RHSA-2021:2121-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:2121
Issue date: 2021-06-01
CVE Names: CVE-2016-10228 CVE-2019-2708 CVE-2019-3842
CVE-2019-9169 CVE-2019-13012 CVE-2019-14866
CVE-2019-18811 CVE-2019-19523 CVE-2019-19528
CVE-2019-25013 CVE-2019-25032 CVE-2019-25034
CVE-2019-25035 CVE-2019-25036 CVE-2019-25037
CVE-2019-25038 CVE-2019-25039 CVE-2019-25040
CVE-2019-25041 CVE-2019-25042 CVE-2020-0431
CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
CVE-2020-8286 CVE-2020-8927 CVE-2020-9948
CVE-2020-9951 CVE-2020-9983 CVE-2020-10543
CVE-2020-10878 CVE-2020-11608 CVE-2020-12114
CVE-2020-12362 CVE-2020-12464 CVE-2020-13434
CVE-2020-13543 CVE-2020-13584 CVE-2020-13776
CVE-2020-14314 CVE-2020-14344 CVE-2020-14345
CVE-2020-14346 CVE-2020-14347 CVE-2020-14356
CVE-2020-14360 CVE-2020-14361 CVE-2020-14362
CVE-2020-14363 CVE-2020-15358 CVE-2020-15437
CVE-2020-15586 CVE-2020-16845 CVE-2020-24330
CVE-2020-24331 CVE-2020-24332 CVE-2020-24394
CVE-2020-24977 CVE-2020-25212 CVE-2020-25284
CVE-2020-25285 CVE-2020-25643 CVE-2020-25659
CVE-2020-25704 CVE-2020-25712 CVE-2020-26116
CVE-2020-26137 CVE-2020-27618 CVE-2020-27619
CVE-2020-27783 CVE-2020-27786 CVE-2020-27835
CVE-2020-28196 CVE-2020-28935 CVE-2020-28974
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-35508 CVE-2020-36242 CVE-2020-36322
CVE-2021-0342 CVE-2021-3121 CVE-2021-3177
CVE-2021-3326 CVE-2021-21642 CVE-2021-21643
CVE-2021-21644 CVE-2021-21645 CVE-2021-23336
CVE-2021-25215 CVE-2021-30465
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.13 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.13. See the following advisory for the RPM packages for this
release:

  https://access.redhat.com/errata/RHSA-2021:2122

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

  https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

This update fixes the following bug among others:

* Previously, resources for the ClusterOperator were being created early in
the update process, which led to update failures when the ClusterOperator
had no status condition while Operators were updating. This bug fix changes
the timing of when these resources are created. As a result, updates can
take place without errors. (BZ#1959238)

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64

The image digest is
sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x

The image digest is
sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le

The image digest is
sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36
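The digests above are only useful if an operator actually compares them against what the cluster is about to pull. The following POSIX shell script is an added example, not part of the advisory or of Red Hat's tooling: it reads the output of the `oc adm release info` command shown above, extracts the `Digest:` field, and checks it against the per-architecture values quoted from this advisory. The sample command output embedded in the script is constructed so that the check can be exercised offline; the `Digest:` field name is assumed from the command's normal output.

```shell
#!/bin/sh
# Added example (not part of RHSA-2021:2121): confirm that the 4.7.13 release
# image resolved by `oc adm release info` carries the digest published in the
# advisory before the cluster is pointed at it.

# Digests quoted from the advisory text above, keyed by architecture.
expected_digest() {
  case "$1" in
    x86_64)  echo "sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4" ;;
    s390x)   echo "sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd" ;;
    ppc64le) echo "sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36" ;;
    *)       return 1 ;;   # architecture not covered by this advisory
  esac
}

# Pull the "Digest:" field (assumed field name) out of `oc adm release info`
# output supplied on stdin; only the first match is returned.
extract_digest() {
  sed -n 's/^Digest:[[:space:]]*//p' | head -n 1
}

# check_digest ARCH DIGEST -> 0 when DIGEST equals the advisory value for ARCH,
# 1 on mismatch or unknown architecture.
check_digest() {
  arch=$1
  actual=$2
  want=$(expected_digest "$arch") || return 1
  [ "$actual" = "$want" ]
}

# Live use (needs network access and the oc binary):
#   oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64 \
#     | extract_digest | { read -r d; check_digest x86_64 "$d" && echo "digest OK"; }

# Constructed sample of the command's output so the script runs offline.
SAMPLE_INFO='Name:      4.7.13
Digest:    sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4
Created:   <timestamp>
OS/Arch:   linux/amd64
Pull From: quay.io/openshift-release-dev/ocp-release@sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4'

# Run the check against the constructed sample; returns the check's status.
run_sample() {
  d=$(printf '%s\n' "$SAMPLE_INFO" | extract_digest)
  if check_digest x86_64 "$d"; then
    echo "x86_64 release image digest matches the advisory"
  else
    echo "MISMATCH: got $d" >&2
    return 1
  fi
}

run_sample
```

A mismatch here does not by itself mean tampering (a typo in the tag or a mirrored registry serving a different build are far more common), but it is the point at which an upgrade should be stopped and the release image and its source examined rather than applied.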

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
  https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

  https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at
  https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled"
1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list
1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits
1959238 - CVO creating cloud-controller-manager too early causing upgrade failures
1960103 - SR-IOV obliviously reboot the node
1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated
1962302 - packageserver clusteroperator does not set reason or message for Available condition
1962312 - Deployment considered unhealthy despite being available and at latest generation
1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone
1963115 - Test verify /run filesystem contents failing

5. References:

  https://access.redhat.com/security/cve/CVE-2016-10228
  https://access.redhat.com/security/cve/CVE-2019-2708
  https://access.redhat.com/security/cve/CVE-2019-3842
  https://access.redhat.com/security/cve/CVE-2019-9169
  https://access.redhat.com/security/cve/CVE-2019-13012
  https://access.redhat.com/security/cve/CVE-2019-14866
  https://access.redhat.com/security/cve/CVE-2019-18811
  https://access.redhat.com/security/cve/CVE-2019-19523
  https://access.redhat.com/security/cve/CVE-2019-19528
  https://access.redhat.com/security/cve/CVE-2019-25013
  https://access.redhat.com/security/cve/CVE-2019-25032
  https://access.redhat.com/security/cve/CVE-2019-25034
  https://access.redhat.com/security/cve/CVE-2019-25035
  https://access.redhat.com/security/cve/CVE-2019-25036
  https://access.redhat.com/security/cve/CVE-2019-25037
  https://access.redhat.com/security/cve/CVE-2019-25038
  https://access.redhat.com/security/cve/CVE-2019-25039
  https://access.redhat.com/security/cve/CVE-2019-25040
  https://access.redhat.com/security/cve/CVE-2019-25041
  https://access.redhat.com/security/cve/CVE-2019-25042
  https://access.redhat.com/security/cve/CVE-2020-0431
  https://access.redhat.com/security/cve/CVE-2020-8231
  https://access.redhat.com/security/cve/CVE-2020-8284
  https://access.redhat.com/security/cve/CVE-2020-8285
  https://access.redhat.com/security/cve/CVE-2020-8286
  https://access.redhat.com/security/cve/CVE-2020-8927
  https://access.redhat.com/security/cve/CVE-2020-9948
  https://access.redhat.com/security/cve/CVE-2020-9951
  https://access.redhat.com/security/cve/CVE-2020-9983
  https://access.redhat.com/security/cve/CVE-2020-10543
  https://access.redhat.com/security/cve/CVE-2020-10878
  https://access.redhat.com/security/cve/CVE-2020-11608
  https://access.redhat.com/security/cve/CVE-2020-12114
  https://access.redhat.com/security/cve/CVE-2020-12362
  https://access.redhat.com/security/cve/CVE-2020-12464
  https://access.redhat.com/security/cve/CVE-2020-13434
  https://access.redhat.com/security/cve/CVE-2020-13543
  https://access.redhat.com/security/cve/CVE-2020-13584
  https://access.redhat.com/security/cve/CVE-2020-13776
  https://access.redhat.com/security/cve/CVE-2020-14314
  https://access.redhat.com/security/cve/CVE-2020-14344
  https://access.redhat.com/security/cve/CVE-2020-14345
  https://access.redhat.com/security/cve/CVE-2020-14346
  https://access.redhat.com/security/cve/CVE-2020-14347
  https://access.redhat.com/security/cve/CVE-2020-14356
  https://access.redhat.com/security/cve/CVE-2020-14360
  https://access.redhat.com/security/cve/CVE-2020-14361
  https://access.redhat.com/security/cve/CVE-2020-14362
  https://access.redhat.com/security/cve/CVE-2020-14363
  https://access.redhat.com/security/cve/CVE-2020-15358
  https://access.redhat.com/security/cve/CVE-2020-15437
  https://access.redhat.com/security/cve/CVE-2020-15586
  https://access.redhat.com/security/cve/CVE-2020-16845
  https://access.redhat.com/security/cve/CVE-2020-24330
  https://access.redhat.com/security/cve/CVE-2020-24331
  https://access.redhat.com/security/cve/CVE-2020-24332
  https://access.redhat.com/security/cve/CVE-2020-24394
  https://access.redhat.com/security/cve/CVE-2020-24977
  https://access.redhat.com/security/cve/CVE-2020-25212
  https://access.redhat.com/security/cve/CVE-2020-25284
  https://access.redhat.com/security/cve/CVE-2020-25285
  https://access.redhat.com/security/cve/CVE-2020-25643
  https://access.redhat.com/security/cve/CVE-2020-25659
  https://access.redhat.com/security/cve/CVE-2020-25704
  https://access.redhat.com/security/cve/CVE-2020-25712
  https://access.redhat.com/security/cve/CVE-2020-26116
  https://access.redhat.com/security/cve/CVE-2020-26137
  https://access.redhat.com/security/cve/CVE-2020-27618
  https://access.redhat.com/security/cve/CVE-2020-27619
  https://access.redhat.com/security/cve/CVE-2020-27783
  https://access.redhat.com/security/cve/CVE-2020-27786
  https://access.redhat.com/security/cve/CVE-2020-27835
  https://access.redhat.com/security/cve/CVE-2020-28196
  https://access.redhat.com/security/cve/CVE-2020-28935
  https://access.redhat.com/security/cve/CVE-2020-28974
  https://access.redhat.com/security/cve/CVE-2020-29361
  https://access.redhat.com/security/cve/CVE-2020-29362
  https://access.redhat.com/security/cve/CVE-2020-29363
  https://access.redhat.com/security/cve/CVE-2020-35508
  https://access.redhat.com/security/cve/CVE-2020-36242
  https://access.redhat.com/security/cve/CVE-2020-36322
  https://access.redhat.com/security/cve/CVE-2021-0342
  https://access.redhat.com/security/cve/CVE-2021-3121
  https://access.redhat.com/security/cve/CVE-2021-3177
  https://access.redhat.com/security/cve/CVE-2021-3326
  https://access.redhat.com/security/cve/CVE-2021-21642
  https://access.redhat.com/security/cve/CVE-2021-21643
  https://access.redhat.com/security/cve/CVE-2021-21644
  https://access.redhat.com/security/cve/CVE-2021-21645
  https://access.redhat.com/security/cve/CVE-2021-23336
  https://access.redhat.com/security/cve/CVE-2021-25215
  https://access.redhat.com/security/cve/CVE-2021-30465
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.