An OpenShift Serverless security update has been released.
RHSA-2021:3556-01: Moderate: Release of OpenShift Serverless 1.17.0
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Release of OpenShift Serverless 1.17.0
Advisory ID: RHSA-2021:3556-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3556
Issue date: 2021-09-16
CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708
CVE-2019-9169 CVE-2019-25013 CVE-2020-8231
CVE-2020-8284 CVE-2020-8285 CVE-2020-8286
CVE-2020-8927 CVE-2020-13434 CVE-2020-15358
CVE-2020-27618 CVE-2020-28196 CVE-2020-29361
CVE-2020-29362 CVE-2020-29363 CVE-2021-3326
CVE-2021-3421 CVE-2021-3449 CVE-2021-3450
CVE-2021-3516 CVE-2021-3517 CVE-2021-3518
CVE-2021-3520 CVE-2021-3537 CVE-2021-3541
CVE-2021-3703 CVE-2021-20271 CVE-2021-20305
CVE-2021-27218 CVE-2021-27918 CVE-2021-31525
CVE-2021-33195 CVE-2021-33196 CVE-2021-33197
CVE-2021-33198 CVE-2021-34558
=====================================================================
1. Summary:
Release of OpenShift Serverless 1.17.0
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
This is the Red Hat OpenShift Serverless 1.17.0 release of the OpenShift Serverless
Operator. This version of the OpenShift Serverless Operator is supported on
Red Hat OpenShift Container Platform versions 4.6, 4.7 and 4.8, and
includes security and bug fixes and enhancements. For more information, see
the documentation listed in the References section.
Security Fix(es):
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a
custom TokenReader (CVE-2021-27918)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)
* golang: archive/zip: malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)
It was found that CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196
were incorrectly mentioned as fixed in the RHSA for Serverless client kn
1.16.0. This has been fixed (CVE-2021-3703).
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
4. Bugs fixed (https://bugzilla.redhat.com/):
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1983651 - Release of OpenShift Serverless Serving 1.17.0
1983654 - Release of OpenShift Serverless Eventing 1.17.0
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196
5. References:
https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3421
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-3703
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-27918
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.