Red Hat 9039 Published by

An OpenShift Container Platform 4.7.16 security and bug fix update has been released.



RHSA-2021:2286-01: Moderate: OpenShift Container Platform 4.7.16 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.7.16 security and bug fix update
Advisory ID: RHSA-2021:2286-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:2286
Issue date: 2021-06-15
CVE Names: CVE-2021-3121 CVE-2021-3501 CVE-2021-3543
CVE-2021-27219
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.7.16 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.16. See the following advisories for the RPM packages for this
release:

  https://access.redhat.com/errata/RHBA-2287

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation for details about these
changes:

  https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel
ease-notes.html

This update fixes the following bugs among others:

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs. Documentation for these changes is
available from the Release Notes document linked to in the References
section.

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

  https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel
ease-notes.html

Details on how to access this content are available at
  https://docs.openshift.com/container-platform/4.7/updating/updating-cluster
- -cli.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

1889659 - [Assisted-4.6] [cluster validation] Number of hosts validation is not enforced when Automatic role assigned
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1932638 - Removing ssh keys MC does not remove the key from authorized_keys
1934180 - vsphere-problem-detector should check if datastore is part of datastore cluster
1937396 - when kuryr quotas are unlimited, we should not sent alerts
1939014 - [OSP] First public endpoint is used to fetch ignition config from Glance URL (with multiple endpoints) on OSP
1939553 - Binary file uploaded to a secret in OCP 4 GUI is not properly converted to Base64-encoded string
1940275 - [IPI Baremetal] Revert Sending full ignition to masters
1942603 - [4.7z] Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork
1944046 - Warn users when using an unsupported browser such as IE
1944575 - Duplicate alert rules are displayed on console for thanos-querier api return wrong results
1945702 - Operator dependency not consistently chosen from default channel
1946682 - [OVN] Source IP is not EgressIP if configured allow 0.0.0.0/0 in the EgressFirewall
1947091 - Incorrect skipped status for conditional tasks in the pipeline run
1947427 - Bootstrap ignition shim doesn't follow proxy settings
1948398 - [oVirt] remove ovirt_cafile from ovirt-credentials secret
1949541 - Kuryr-Controller crashes when it's missing the status object
1950290 - KubeClientCertificateExpiration alert is confusing, without explanation in the documentation
1951210 - Pod log filename no longer in -.log format
1953475 - worker pool went degraded due to no rpm-ostree on rhel worker during applying new mc
1954121 - [ceo] [release-4.7] Operator goes degraded when a second internal node ip is added after install
1955210 - OCP 4.6 Build fails when filename contains an umlaut
1955418 - 4.8 -> 4.7 rollbacks broken on unrecognized flowschema openshift-etcd-operator
1955482 - [4.7] Drop high-cardinality metrics from kube-state-metrics which aren't used
1955600 - e2e unidling test flakes in CI
1956565 - Need ACM Managed Cluster Info metric enabled for OCP monitoring telemetry
1956980 - OVN-Kubernetes leaves stale AddressSets around if the deletion was missed.
1957308 - Customer tags cannot be seen in S3 level when set spec.managementState from Managed-> Removed-> Managed in configs.imageregistry with high ratio
1957499 - OperatorHub - console accepts any value for "Infrastructure features" annotation
1958416 - openshift-oauth-apiserver apiserver pod crashloopbackoffs
1958467 - [4.7] Webscale: sriov vfs are not created and sriovnetworknodestate indicates sync succeeded - state is not correct
1958873 - Device Replacemet UI, The status of the disk is "replacement ready" before I clicked on "start replacement"
1959546 - [4.7] storage-operator/vsphere-problem-detector causing upgrades to fail that would have succeeded in past versions
1959737 - Unable to assign nodes for EgressIP even if the egress-assignable label is set
1960093 - Console not works well against a proxy in front of openshift clusters
1960111 - Port 8080 of oVirt CSI driver is causing collisions with other services
1960542 - manifests: invalid selector in ServiceMonitor makes CVO hotloop
1960544 - Overly generic CSS rules for dd and dt elements breaks styling elsewhere in console
1960562 - manifests: invalid selector in ServiceMonitor makes CVO hotloop
1960589 - manifests: extra "spec.version" in console quickstarts makes CVO hotloop
1960645 - [Backport 4.7] Add virt_platform metric to the collected metrics
1960686 - GlobalConfigPage is constantly requesting resources
1961069 - CMO end-to-end tests work only on AWS
1961367 - Conformance tests for OpenStack require the Cinder client that is not included in the "tests" image
1961518 - manifests: invalid selector in ServiceMonitor makes CVO hotloop
1961557 - [release-4.7] respect the shutdown-delay-duration from OpenShiftAPIServerConfig
1961719 - manifests: invalid namespace in ClusterRoleBinding makes CVO hotloop
1961887 - TaskRuns Tab in PipelineRun Details Page makes cluster based calls for TaskRuns
1962314 - openshift-marketplace pods in CrashLoopBackOff state after RHACS installed with an SCC with readOnlyFileSystem set to true
1962493 - Kebab menu of taskrun contains Edit options which should not be present
1962637 - Nodes tainted after configuring additional host iface
1962819 - OCP v4.7 installation with OVN-Kubernetes fails with error "egress bandwidth restriction -1 is not equals"
1962949 - e2e-metal-ipi and related jobs fail to bootstrap due to multipe VIP's
1963141 - packageserver clusteroperator Available condition set to false on any Deployment spec change
1963243 - HAproxy pod logs showing error "another server named 'pod:httpd-7c7ccfffdc-wdkvk:httpd:8080-tcp:10.128.x.x:8080' was already defined at line 326, please use distinct names"
1964322 - UI, The status of "Used Capacity Breakdown [Pods]" is "Not available"
1964568 - Failed to upgrade from 4.6.25 to 4.7.8 due to the machine-config degradation
1965075 - [4.7z] After upgrade from 4.5.16 to 4.6.17, customer's application is seeing re-transmits
1965932 - [oauth-server] bump k8s.io/apiserver to 1.20.3
1966358 - Build failure on s390x
1966798 - [tests] Release 4.7 broken due to the usage of wrong OCS version
1966810 - Failing Test vendor/k8s.io/kube-aggregator/pkg/apiserver TestProxyCertReload due to hardcoded certificate expiration
1967328 - [IBM][ROKS] Enable volume snapshot controllers on IBM Cloud
1967966 - prometheus-k8s pods can't be scheduled due to volume node affinity conflict
1967972 - [calico] rbac-proxy container in kube-proxy fails to create tokenreviews
1970322 - [OVN]EgressFirewall doesn't work well as expected

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3121
  https://access.redhat.com/security/cve/CVE-2021-3501
  https://access.redhat.com/security/cve/CVE-2021-3543
  https://access.redhat.com/security/cve/CVE-2021-27219
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.