
A Red Hat OpenShift Container Storage 4.6.5 security and bug fix update has been released for Red Hat Enterprise Linux 8.



RHSA-2021:2479-01: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update
Advisory ID: RHSA-2021:2479-01
Product: Red Hat OpenShift Container Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2479
Issue date: 2021-06-17
CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708
CVE-2019-3842 CVE-2019-9169 CVE-2019-13012
CVE-2019-14866 CVE-2019-25013 CVE-2020-8231
CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
CVE-2020-8927 CVE-2020-9948 CVE-2020-9951
CVE-2020-9983 CVE-2020-13434 CVE-2020-13543
CVE-2020-13584 CVE-2020-13776 CVE-2020-15358
CVE-2020-24977 CVE-2020-25659 CVE-2020-25678
CVE-2020-26116 CVE-2020-26137 CVE-2020-27618
CVE-2020-27619 CVE-2020-27783 CVE-2020-28196
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-36242 CVE-2021-3139 CVE-2021-3177
CVE-2021-3326 CVE-2021-3449 CVE-2021-3450
CVE-2021-3528 CVE-2021-20305 CVE-2021-23239
CVE-2021-23240 CVE-2021-23336
=====================================================================

1. Summary:

Updated images that fix one security issue and several bugs are now
available for Red Hat OpenShift Container Storage 4.6.5 on Red Hat
Enterprise Linux 8 from Red Hat Container Registry.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Container Storage is a highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provisions a multicloud data management service
with an S3 compatible API.

Security Fix(es):

* NooBaa: noobaa-operator leaking RPC AuthToken into log files
(CVE-2021-3528)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* Currently, a newly restored PVC cannot be mounted if some of the
OpenShift Container Platform nodes are running a version of Red Hat
Enterprise Linux earlier than 8.2, and the snapshot from which the
PVC was restored is deleted.
Workaround: Do not delete the snapshot from which the PVC was restored
until the restored PVC is deleted. (BZ#1962483)

* Previously, the default backingstore was not created on AWS S3 when
OpenShift Container Storage was deployed, due to incorrect identification
of AWS S3. With this update, the default backingstore gets created when
OpenShift Container Storage is deployed on AWS S3. (BZ#1927307)

* Previously, log messages were printed to the endpoint pod log even if the
debug option was not set. With this update, the log messages are printed to
the endpoint pod log only when the debug option is set. (BZ#1938106)

* Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did
not register the pod IP on the monitor servers, and hence every mount on
the filesystem timed out, resulting in CephFS volume provisioning failure.
With this update, an argument `--public-addr=podIP` is added to the MDS pod
when the host network is not enabled, and hence the CephFS volume
provisioning does not fail. (BZ#1949558)

* Previously, OpenShift Container Storage 4.2 clusters were not updated
with the correct cache value, and hence MDSs in standby-replay might report
an oversized cache, as rook did not apply the `mds_cache_memory_limit`
argument during upgrades. With this update, the `mds_cache_memory_limit`
argument is applied during upgrades and the mds daemon operates normally.
(BZ#1951348)

* Previously, coredumps were not generated in the correct location. Because
logging happened on stdout and not in files, rook set the config option
`log_file` to an empty string, but Ceph reads the value of `log_file` to
build the dump path. With this update, rook does not set `log_file` and
keeps Ceph's internal default, and hence the coredumps are generated in the
correct location and are accessible under `/var/log/ceph/`. (BZ#1938049)

* Previously, Ceph became inaccessible, as the mons lost quorum if a mon
pod was drained while another mon was failing over. With this update,
voluntary mon drains are prevented while a mon is failing over, and hence
Ceph does not become inaccessible. (BZ#1946573)

* Previously, the mon quorum was at risk, as the operator could erroneously
remove the new mon if the operator was restarted during a mon failover.
With this update, the operator completes the same mon failover after the
operator is restarted, and hence the mon quorum is more reliable in
node drain and mon failover scenarios. (BZ#1959983)

All users of Red Hat OpenShift Container Storage are advised to pull these
new images from the Red Hat Container Registry.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod
1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b
1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay
1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore
1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version]
1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover
1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout
1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod

5. References:

  https://access.redhat.com/security/cve/CVE-2016-10228
  https://access.redhat.com/security/cve/CVE-2017-14502
  https://access.redhat.com/security/cve/CVE-2019-2708
  https://access.redhat.com/security/cve/CVE-2019-3842
  https://access.redhat.com/security/cve/CVE-2019-9169
  https://access.redhat.com/security/cve/CVE-2019-13012
  https://access.redhat.com/security/cve/CVE-2019-14866
  https://access.redhat.com/security/cve/CVE-2019-25013
  https://access.redhat.com/security/cve/CVE-2020-8231
  https://access.redhat.com/security/cve/CVE-2020-8284
  https://access.redhat.com/security/cve/CVE-2020-8285
  https://access.redhat.com/security/cve/CVE-2020-8286
  https://access.redhat.com/security/cve/CVE-2020-8927
  https://access.redhat.com/security/cve/CVE-2020-9948
  https://access.redhat.com/security/cve/CVE-2020-9951
  https://access.redhat.com/security/cve/CVE-2020-9983
  https://access.redhat.com/security/cve/CVE-2020-13434
  https://access.redhat.com/security/cve/CVE-2020-13543
  https://access.redhat.com/security/cve/CVE-2020-13584
  https://access.redhat.com/security/cve/CVE-2020-13776
  https://access.redhat.com/security/cve/CVE-2020-15358
  https://access.redhat.com/security/cve/CVE-2020-24977
  https://access.redhat.com/security/cve/CVE-2020-25659
  https://access.redhat.com/security/cve/CVE-2020-25678
  https://access.redhat.com/security/cve/CVE-2020-26116
  https://access.redhat.com/security/cve/CVE-2020-26137
  https://access.redhat.com/security/cve/CVE-2020-27618
  https://access.redhat.com/security/cve/CVE-2020-27619
  https://access.redhat.com/security/cve/CVE-2020-27783
  https://access.redhat.com/security/cve/CVE-2020-28196
  https://access.redhat.com/security/cve/CVE-2020-29361
  https://access.redhat.com/security/cve/CVE-2020-29362
  https://access.redhat.com/security/cve/CVE-2020-29363
  https://access.redhat.com/security/cve/CVE-2020-36242
  https://access.redhat.com/security/cve/CVE-2021-3139
  https://access.redhat.com/security/cve/CVE-2021-3177
  https://access.redhat.com/security/cve/CVE-2021-3326
  https://access.redhat.com/security/cve/CVE-2021-3449
  https://access.redhat.com/security/cve/CVE-2021-3450
  https://access.redhat.com/security/cve/CVE-2021-3528
  https://access.redhat.com/security/cve/CVE-2021-20305
  https://access.redhat.com/security/cve/CVE-2021-23239
  https://access.redhat.com/security/cve/CVE-2021-23240
  https://access.redhat.com/security/cve/CVE-2021-23336
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.